Advanced Network Security
COIT20262 - Advanced Network Security
Instructions
Attempt all questions. Submit the following on Moodle:
• Answers: A Microsoft Word document containing answers to the questions.
• Question 1: keypair.pem, pubkey.pem, message.txt, signature.bin, key.txt, ciphertext.bin, secretkey.bin, commands.bash
• Question 2: cert-myuni-YourID.csr, cert-myuni-YourID.pem, cert-ca-TheirID.pem, default-ssl.conf, https.pcap
• Question 3: passwd.txt, shadow.txt, group.txt, and files.txt.
This is an individual assignment, and it is expected that students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged); however, each student should develop and write up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include:
• Do not exchange files (reports, captures, diagrams) with other students.
• Complete tasks with virtnet yourself; do not use results from another student.
• Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students.
• Write your own explanations. In some cases, students may arrive at the same numerical answer; however, their explanation of the answer should always be their own.
• Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words.
Marking Scheme
• Each sub-question is allocated marks in [square brackets].
• Questions which require a specific answer will be marked on correctness.
• Questions which require explanations will be marked on correctness, depth and clarity of the answer. To receive full marks, the explanation must be correct, must include significant depth to demonstrate understanding of the topic (but does not include irrelevant information), and must be clear to the intended audience. Unless otherwise stated, assume the audience has a background similar to Master of IT students that have successfully completed the 1st year of study.
• Questions which require diagrams will be marked on the correctness and clarity of the diagram.
• Submitted files will be marked on correctness of the information included.
Question 1. Cryptographic Operations with OpenSSL [8 marks]
Your task is to use OpenSSL to
perform a set of cryptographic operations. When performing cryptographic
operations you must be very careful, as a small mistake (such as a typo) may
mean the result is an insecure system. Read the instructions carefully,
understand the examples, and where possible, test your approach (e.g. if you
encrypt a file, test it by decrypting it and comparing the original to the
decrypted). It is recommended you use virtnet
to perform the operations.
Perform the following steps:
(a) For all the following steps, record the command(s) you used in a file called commands.bash. This file should be a Bash shell script, containing only commands that can be executed and optionally comments (starting with the # character).
(b) Generate your own RSA 2048-bit key pair. Use the public exponent 65537. Save your key pair as keypair.pem.
(c) Extract your public key and save it as pubkey.pem.
(d) Create a text file called message.txt and include your student ID and full name inside the file. This file is referred to as the message or plaintext.
(e) Sign your message file using SHA256, saving the signature as signature.bin.
(f) Generate a 128-bit random value using OpenSSL. This value will be used as a secret key. Store the key as a 32 hex digit string in a file key.txt.
(g) Encrypt your message file using AES-128-CBC and the key generated in step (f). Use an IV of all 0's (that is, 32 hex 0's). Save the ciphertext as ciphertext.bin.
(h) Encrypt your key.txt file using RSA so that only the Unit Coordinator can view the contents. Save the encrypted key as secretkey.bin.
Multiple files are output from the above steps. You must submit all the files listed above. The file names must be exactly as listed above. Use lowercase for all file names and double-check the extensions (be careful that Windows doesn't change the extension). Examples of the OpenSSL operations needed to complete this task are on Moodle.
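A complete commands.bash for steps (b) to (h), as an added example (it is not one of the Moodle examples). Each step is followed by the reverse operation, which is what the marker runs on the submitted files. Assumptions not stated in the question: the Unit Coordinator's public key is a PEM file called coordinator-pubkey.pem, and when that file is missing a stand-in pair is generated so the script can be run offline; the student ID and name in message.txt are placeholders.

```bash
#!/bin/bash
# commands.bash, as an added example for Question 1 (not the Moodle examples).
# Every step is followed by the reverse operation, which is what the marker
# runs. Assumed: the Unit Coordinator's public key is coordinator-pubkey.pem;
# when it is missing a stand-in pair is generated so the script runs offline.
# The student ID and name in message.txt are placeholders.
set -u

q1_run() (                     # $1 = directory to work in
    set -e
    mkdir -p "$1" && cd "$1"

    # (b) RSA 2048-bit key pair, public exponent 65537
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -pkeyopt rsa_keygen_pubexp:65537 -out keypair.pem 2>/dev/null
    # (c) public key only
    openssl pkey -in keypair.pem -pubout -out pubkey.pem
    # (d) the plaintext (46 bytes with these placeholder values)
    printf 'Student ID: 12345678\nName: Firstname Lastname\n' > message.txt
    # (e) SHA256 signature with the private key; check it with the public key
    openssl dgst -sha256 -sign keypair.pem -out signature.bin message.txt
    openssl dgst -sha256 -verify pubkey.pem -signature signature.bin message.txt >/dev/null
    # (f) 128-bit random key, written as 32 hex digits
    openssl rand -hex 16 > key.txt
    # (g) AES-128-CBC; -K and -iv take raw hex, so no password derivation is
    #     involved. Decrypt and compare to catch a wrong key or IV.
    key=$(cat key.txt)
    iv=00000000000000000000000000000000
    openssl enc -aes-128-cbc -K "$key" -iv "$iv" -in message.txt -out ciphertext.bin
    openssl enc -d -aes-128-cbc -K "$key" -iv "$iv" -in ciphertext.bin -out decrypted.txt
    cmp -s message.txt decrypted.txt
    # (h) RSA-encrypt key.txt to the coordinator's public key (PKCS#1 v1.5 padding)
    if [ ! -f coordinator-pubkey.pem ]; then        # stand-in pair: an assumption
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out coordinator-keypair.pem 2>/dev/null
        openssl pkey -in coordinator-keypair.pem -pubout -out coordinator-pubkey.pem
    fi
    openssl pkeyutl -encrypt -pubin -inkey coordinator-pubkey.pem -in key.txt -out secretkey.bin
    # Only the matching private key recovers key.txt; possible here only with the stand-in.
    if [ -f coordinator-keypair.pem ]; then
        openssl pkeyutl -decrypt -inkey coordinator-keypair.pem -in secretkey.bin -out key-recovered.txt
        cmp -s key.txt key-recovered.txt
    fi
)

# Size of a file in bytes, used to sanity-check the outputs.
q1_size() { wc -c < "$1" | tr -d ' '; }

# Run with a directory argument, e.g. ./commands.bash q1-output
if [ -n "${1:-}" ]; then
    q1_run "$1"
fi
```

The sizes are a quick check before submitting: key.txt is 33 bytes (32 hex digits plus a newline), signature.bin and secretkey.bin are each 256 bytes (one RSA-2048 block), and ciphertext.bin is a multiple of 16 bytes because CBC pads the last block. Replace the stand-in coordinator key with the real one from Moodle before running the script for submission.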
Marking Scheme
Once files are submitted, they will be decrypted/verified using the reverse operations of what you were expected to do.
• If your files successfully decrypt/verify, and the commands (commands.bash) submitted are correct, then you will receive 8 marks.
• If your files successfully decrypt/verify, but the commands contain errors, then you will receive between 5 and 7 marks, depending on the severity of the errors (e.g. small typo vs wrong command).
• If your files do NOT successfully decrypt/verify, then your commands will be reviewed to determine what mistakes you made. You will receive between 0 and 6 marks, depending on the severity of the errors.
Up to 5 marks may be deducted for incorrect submissions (e.g. not all files submitted, additional files submitted, wrong files submitted, wrong filenames).
COIT20262 Assignment 2, Term 1, 2018
Question 2. HTTPS and Certificates [15 marks]
For this question you must use virtnet (as used in the workshops) to study HTTPS and certificates. This assumes you have already set up and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and testing the website.
Your task is to:
1. Create topology 5 in virtnet.
2. Deploy the MyUni demo website on the nodes.
3. Set up the web server to support HTTPS, including obtaining a certificate cert-myuni-YourID.pem.
4. Capture traffic from the web browser on node1 to the web server that includes an HTTPS session. Save the file as https.pcap.
5. Test and analyse the HTTPS connection.
Step 3 involves obtaining a certificate from a Certificate Authority. Another student from COIT20262 must act as the Certificate Authority for you, and similarly, you can act as the Certificate Authority for them (that is, do this phase in pairs). You must do that in the following way:
1. Use your RSA key pair from Question 1 to generate a certificate signing request, saved as cert-myuni-YourID.csr (where YourID is replaced with your student ID).
2. Send the certificate signing request to another student in COIT20262.
3. That other student will act as the Certificate Authority and generate your certificate as cert-myuni-YourID.pem. They will send your certificate, as well as the CA's certificate as cert-ca-TheirID.pem (where TheirID is the student ID of your partner), back to you.
In the same way that your partner will act as your CA, you will act as your partner's CA. You will need to set up a CA, using your RSA key pair from Question 1 to generate a self-signed certificate, and then you receive their certificate signing request that you
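The certificate exchange of step 3, as an added example (not the workshop's commands and not part of the assignment text). Both roles are in one file: the student who owns the MyUni server key, and the partner acting as CA with their own Question 1 key pair (called ca-keypair.pem here only so the two roles can share a directory; on the partner's machine it is their keypair.pem). The "send to partner" steps are just files in the same directory. The student IDs 12345678 and 87654321, the subject names, and the Apache paths in default-ssl.conf are placeholders; keypair.pem is generated if the Question 1 one is not present. The last two helpers read the signature algorithm and modulus size out of the certificate, which is the information sub-question (c) asks for.

```bash
#!/bin/sh
# Added example for Question 2, step 3 (not the assignment's own material).
# Student side and CA side are separate functions; run them in one directory
# to simulate the exchange. IDs, names and paths below are placeholders.
set -u

# Student: certificate signing request from the Question 1 key pair.  $1 = YourID
q2_make_csr() (
    set -e
    [ -f keypair.pem ] || openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out keypair.pem 2>/dev/null
    openssl req -new -key keypair.pem -subj "/C=AU/O=MyUni/CN=www.myuni.edu" \
        -out "cert-myuni-$1.csr"
)

# Partner acting as CA: self-signed CA certificate from the partner's own key
# pair, then a certificate for the received CSR.  $1 = TheirID, $2 = YourID
q2_ca_sign() (
    set -e
    [ -f ca-keypair.pem ] || openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out ca-keypair.pem 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key ca-keypair.pem \
        -subj "/C=AU/O=COIT20262/CN=Student CA $1" -out "cert-ca-$1.pem"
    openssl x509 -req -sha256 -days 365 -in "cert-myuni-$2.csr" \
        -CA "cert-ca-$1.pem" -CAkey ca-keypair.pem -CAcreateserial \
        -out "cert-myuni-$2.pem"
)

# Student, on receiving cert-myuni-YourID.pem and cert-ca-TheirID.pem back:
# the chain must verify, and the certificate must carry your own public key
# (otherwise Apache will refuse to pair it with keypair.pem).  $1 = YourID, $2 = TheirID
q2_check_received() (
    set -e
    openssl verify -CAfile "cert-ca-$2.pem" "cert-myuni-$1.pem" >/dev/null
    [ "$(openssl x509 -in "cert-myuni-$1.pem" -noout -pubkey)" = \
      "$(openssl pkey -in keypair.pem -pubout)" ]
)

# Sub-question (c) helpers: signature algorithm (hash plus public-key
# algorithm) and modulus size in bits, read from the certificate text dump.
q2_sig_alg()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
q2_key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }

# Apache mod_ssl site file for the MyUni server (Debian/Ubuntu layout assumed).
# Copy keypair.pem and the certificate to the paths named here first.  $1 = YourID
q2_write_apache_conf() {
    cat > default-ssl.conf <<EOF
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.myuni.edu
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cert-myuni-$1.pem
    SSLCertificateKeyFile /etc/ssl/private/keypair.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
</IfModule>
EOF
}
```

Run q2_make_csr with your ID, hand the .csr to your partner, and have them run q2_ca_sign with their ID and yours; when the two .pem files come back, q2_check_received confirms the chain and that the certificate really contains your key before you install it. On the web server node, enable the site with a2enmod ssl, a2ensite default-ssl and a reload of apache2. With a 2048-bit key and sha256WithRSAEncryption, the hash inside the signature is 32 bytes and the signature and modulus are each 256 bytes, which is what q2_key_bits lets you confirm.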
Answer the following sub-questions based on the above test and analysis.
(a) Submit the following files on Moodle. Each will be analysed to ensure they include correct information (e.g. values specific to you).
• cert-myuni-YourID.csr (your certificate signing request) [0.5 mark]
• cert-myuni-YourID.pem (your certificate) [1 mark]
• cert-ca-TheirID.pem (partner's CA certificate) [1 mark]
• default-ssl.conf (a copy of the Apache configuration file from your web server) [0.5 mark]
• https.pcap (the capture of the HTTPS session) [2 marks]
(b) Draw a message sequence diagram that illustrates the TLS/SSL packets belonging to the first HTTPS session in the file. Refer to the instructions in assignment 1 for drawing a message sequence diagram, as well as these additional requirements:
• Only draw the TLS/SSL packets; do not draw the 3-way handshake, TCP ACKs or connection close. Hint: identify which packets belong to the first TCP connection and then filter with "ssl" in Wireshark. Depending on your Wireshark version, the protocol may show as "TLSv1.2"; in Wireshark 3.0 and later the dissector was renamed, so the display filter is "tls" rather than "ssl".
• A single TCP packet may contain one or more SSL messages (in Wireshark look inside the packet for each "Record Layer" entry to find the SSL message names). Make sure you draw each SSL message. If a TCP packet contains multiple SSL messages, then draw multiple arrows, one for each SSL message, and clearly label each with the SSL message name.
• Clearly mark which packets/messages are encrypted. [3 marks]
(c) Based on your certificate and the capture, write answers to the following questions in the table. When giving algorithms, you may use the abbreviation but must accurately identify the variant. For example, AES128 is different from AES256, and SHA256 is different from SHA512. [4 marks, 0.5 mark each]
Question | Answer
How many bytes is the hash value in the certificate signature? |
What hash algorithm is used to generate the certificate signature? |
What encryption algorithm is used to generate the certificate signature? |
How many bytes is the public key modulus in the certificate? |
In the TLS cipher suite used between client and server, what algorithm is used for encrypting session data? |
In the TLS cipher suite used between client and server, what algorithm is used for hashing for the MAC? |
In the TLS cipher suite used between client and server, what algorithm is used for key exchange? |
How many bytes of random data are sent from the client to server at the start of the handshake? |
(d) In practice, some Certificate
Authorities use self-signed certificates, while others have their certificate
signed by another CA. Explain why self-signed certificates are needed by CAs,
as well as the benefits of one CA signing another CA’s certificate. [2 marks]
(e) In practice, Certificate Authorities must keep their private keys very secure, usually storing them offline in special hardware devices. Explain an attack a malicious user could perform if they could compromise the CA private key. Use your MyUni website as an example. [1 mark]
Question 3. Access Control [10 marks]
For this question you must use virtnet (as used in the workshops) to study Linux access control and passwords. This assumes you have already set up and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, and using Linux access control commands.
Your task is to:
1. Create topology 1 in virtnet (or any topology that has a node; you could use nodes from previous questions).
2. Create five new users named student1, student2, teacher3, teacher4 and other5. Set the passwords to be different except for two users (that is, two users have the same password, and the other users have different passwords); however, do not use passwords that you use on other systems.
3. View the password information stored
for the new users in /etc/passwd and /etc/shadow.
Understand the information stored.
4. Create two new groups named student
and teacher. Allocate the users to groups as follows:
o User 1, student1: primary group student
o User 2, student2: primary group student
o User 3, teacher3: primary group teacher
o User 4, teacher4: primary group teacher
o User 5, other5: primary group is their own (i.e. not in student or
teacher).
Even though there are only five
users created, in the following you should assume there may be more users (e.g.
more users in the student group, more users in the teacher group, and more
users not in either of the groups).
5. Create the following files and directories for each user. Unless specified, the files/directories can be any name and can contain any content:
o Both students (User 1 and 2) have directories personal and shared in their home directory. All teachers have read-only access to each student's shared directory (and files within). Only the user can access their personal directory.
o The first teacher (User 3) has directory security, which has two sub-directories: lectures and exam. lectures is read-only by all teachers. exam is only accessible by the user.
o The second teacher (User 4) has directories network and personal. network is editable by everyone, while personal is only accessible by the user.
o Each directory mentioned above should have at least 1 file in it (the name and contents of the file doesn't matter).
o Every user (including User 5) has a file in their home directory called schedule.txt. This file is readable and writable by everyone.
6. In addition to the access control rules mentioned above, assume:
o Every user has read and write permissions on their own files, and full permissions on their own directories.
o No other user can access the files/directories of other users.
o If permissions are not covered by the above, then assume the defaults.
o If there are conflicts in the above, then assume the most restrictive permission.
o Use only the basic Linux permissions (see example commands below). Do NOT use advanced permissions such as with setfacl or getfacl.
7. Test that the access control works
by logging in as each user and checking they can(not) access the specified
files/directories.
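The account, group, directory and permission setup of steps 2 to 7, as an added example (not the workshop's commands). Account creation and ownership need root and sit in their own functions; the directory and mode layout is a separate function that can be rehearsed under any scratch directory before it is applied to /home on the node. Passwords and file contents are constructed placeholders. The mode choices follow the "most restrictive" rule in step 6: a home directory is 711 so that other users can reach schedule.txt and the shared directories without being able to list the home, shared and lectures are 750 with group teacher, security is 710 so teachers can traverse to lectures but not read exam, and network is 777.

```bash
#!/bin/sh
# Added example for steps 2-7 of Question 3 (not the assignment's own
# workshop commands). Account creation needs root and is kept in its own
# function; the directory and mode layout is a separate function so it can be
# tried under any base directory first. Passwords and file contents are
# constructed placeholders.
set -u

# Steps 2 and 4: groups, users, primary groups and passwords (root only).
# student1 and student2 deliberately share a password, as the task requires.
q3_create_accounts() (
    set -e
    groupadd student
    groupadd teacher
    useradd -m -g student student1
    useradd -m -g student student2
    useradd -m -g teacher teacher3
    useradd -m -g teacher teacher4
    useradd -m other5            # primary group is the private group other5
    printf '%s\n' 'student1:Wq9-lantern' 'student2:Wq9-lantern' \
        'teacher3:Gk4-harbour' 'teacher4:Zt2-meadow' 'other5:Pv6-orchid' | chpasswd
)

# Step 5: directories, files and mode bits under base directory $1 (/home on
# the node). Modes are the most restrictive ones that satisfy each rule:
#   home dir 711            others need x (not r) to reach schedule.txt and shared
#   personal, exam 700      owner only; their files 600
#   shared, lectures 750    group (teacher) read-only; their files 640
#   security 710            teachers may traverse to lectures, not list security
#   network 777, files 666  everyone may edit; schedule.txt 666 likewise
q3_make_tree() (
    set -e
    base=$1
    for u in student1 student2 teacher3 teacher4 other5; do
        mkdir -p "$base/$u"; chmod 711 "$base/$u"
        echo "$u timetable" > "$base/$u/schedule.txt"; chmod 666 "$base/$u/schedule.txt"
    done
    for s in student1 student2; do
        mkdir -p "$base/$s/personal" "$base/$s/shared"
        echo diary > "$base/$s/personal/diary.txt"
        chmod 700 "$base/$s/personal"; chmod 600 "$base/$s/personal/diary.txt"
        echo essay > "$base/$s/shared/essay.txt"
        chmod 750 "$base/$s/shared"; chmod 640 "$base/$s/shared/essay.txt"
    done
    t=$base/teacher3/security
    mkdir -p "$t/lectures" "$t/exam"
    echo week1 > "$t/lectures/week1.txt"; echo q1 > "$t/exam/questions.txt"
    chmod 710 "$t"; chmod 750 "$t/lectures"; chmod 640 "$t/lectures/week1.txt"
    chmod 700 "$t/exam"; chmod 600 "$t/exam/questions.txt"
    t=$base/teacher4
    mkdir -p "$t/network" "$t/personal"
    echo topology > "$t/network/topology.txt"; echo notes > "$t/personal/notes.txt"
    chmod 777 "$t/network"; chmod 666 "$t/network/topology.txt"
    chmod 700 "$t/personal"; chmod 600 "$t/personal/notes.txt"
)

# Ownership (root only): each home tree belongs to its user ("user:" also sets
# the user's primary group); the directories that teachers may read get group
# "teacher" so that the group bits above apply to them.
q3_set_owners() (
    set -e
    base=$1
    for u in student1 student2 teacher3 teacher4 other5; do chown -R "$u:" "$base/$u"; done
    chgrp -R teacher "$base/student1/shared" "$base/student2/shared" "$base/teacher3/security"
)

# Step 7 helper: the symbolic mode string ls prints for a path, e.g. drwx--x---
q3_mode() { ls -ld "$1" | cut -c1-10; }
```

On the node, run q3_create_accounts, then q3_make_tree /home and q3_set_owners /home as root, and finish step 7 by logging in as each user (su - teacher3, for example) and trying to read, write and list the other users' paths. The listing the marker reads comes from the assignment's own command, sudo sh -c 'ls -lR /home > /home/network/files.txt', so check each mode string with q3_mode before producing it.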
Answer the following questions after completing the task.
(a) Submit the following files on Moodle:
a. /etc/passwd named as passwd.txt when you submit [0.5 mark]
b. /etc/shadow as shadow.txt [0.5 mark]
c. /etc/group as group.txt [0.5 mark]
d. The output of the following command as files.txt:
sudo sh -c 'ls -lR /home > /home/network/files.txt'
The listing in files.txt will be used to determine if you have set the correct permissions. [4.5 marks]
(b) Explain where and how password
information is stored in Linux. You should mention the files, formats of
storing passwords (e.g. what is stored, how is the information created) and any
specific algorithms used. [1 mark]
(c) In the above task on Linux you used
a form of discretionary access control. Two other forms of access control are
role-based access control (RBAC) and mandatory access control (MAC). Give a
description of both RBAC and MAC, and using the student/teacher scenario, give
an example of each that demonstrates the key characteristics of these forms of
access control. [3 marks]
Question 4. Firewalls [9 marks]
An educational institute has a single router, referred to as the gateway router, connecting its internal network to the Internet. The institute has the public address range 138.53.0.0/16 and the gateway router has address 138.53.178.1 on its external interface (referred to as interface ifext). The internal network consists of five subnets:
• A DMZ, which is attached to interface ifdmz of the gateway router and uses address range 138.53.179.0/24.
• A small network, referred to as shared, with interface ifint of the gateway router connected to three other routers, referred to as staff_router, student_router, and research_router. This network has no hosts attached (only four routers) and uses network address 10.4.0.0/16.
• A staff subnet, which is for use by staff members only, that is attached to the staff_router router and uses network address 10.4.1.0/24.
• A student subnet, which is for use by students only, that is attached to the student_router router and uses network address 10.4.2.0/24.
• A research subnet, which is for use by research staff, that is attached to the research_router router and uses network address 10.4.3.0/24.
In summary, there are four routers in the network: the gateway router, and routers for each of the staff, student and research subnets. There are five subnets: DMZ, shared, staff, student, and research.
There are two servers in the DMZ that both accept requests from the Internet: a web server supporting HTTP and HTTPS, and an SMTP email server. Members of the staff, student and research subnets can access the web server; only members of the staff subnet can access the email server, and they do so using IMAP.
The gateway router also runs a stateful packet filtering firewall and performs port address translation. In addition to the DMZ setup as described above, security requirements for the educational institute are:
• External Internet users cannot access any internal computers (except in the DMZ and as stated in other requirements).
• Staff, students and researchers can access websites on the Internet.
• The researchers (on the research subnet) run a server for sharing data with selected research partners external to the educational institute. That server provides SSH access and a specialised file transfer protocol using TCP port 6789 to the partners. The server has internal address 10.4.3.31 and NAT is set up on the gateway router to map the public address 138.53.179.44 to the internal address. Currently there are two partner organisations that can access the server, and they have network addresses 31.13.75.0/24 and 104.55.9.0/24.
• The professor that leads the research staff also wants access to the data sharing server while they are at home. At home that professor uses a commercial ISP that dynamically allocates IP addresses in the range 23.63.0.0/16.
Considering
the above information, answer the following questions:
(a) Draw a diagram illustrating the
network. Although there may be many computers in the staff, student and
research subnets, for simplicity you only have to draw three computers in the
staff subnet, three computers in the student subnet and three computers in the
research subnet (one of those in the research subnet should be the data sharing
server). Label all computers and router interfaces with IP addresses. [3 marks]
(b) Specify the firewall rules using the
format as in the table below. You may add/remove rows as needed. After the
table, add an explanation of the rules (why you design the firewall rules the
way you did). [5 marks]
Rule No. | Transport | Source IP | Source Port | Dest. IP | Dest. Port | Action
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
… | | | | | |
(c) Consider the rule(s) that allow the professor to access the server from home. Discuss the limitations, and suggest possible solutions. [1 mark]
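One possible rule table for sub-questions (b) and (c), as an added example rather than the marking answer, together with a small POSIX-shell matcher so the rules can be tried against sample connection attempts before they go into the table. Assumptions the question does not state: the web server is 138.53.179.10 and the mail server 138.53.179.20 (any DMZ addresses would do); inbound rules for the data-sharing server match its public address 138.53.179.44 as seen before NAT; and, because the firewall is stateful, only the packet that opens a connection is matched, with replies allowed by connection state.

```bash
#!/bin/sh
# Added example for Question 4(b) and (c), not the marking answer: one
# possible rule table for the gateway firewall and a small matcher to test it
# offline. Assumed (not in the question): web server 138.53.179.10, mail
# server 138.53.179.20; the data-sharing server is matched on its public
# pre-NAT address 138.53.179.44. The firewall is stateful, so only the packet
# that opens a connection is matched; replies are allowed by state.

# Columns: rule no., transport, source IP, source port, destination IP,
# destination port, action. "any" matches everything; first match wins.
#  1-2   anyone (Internet or internal subnets) to the DMZ web server
#  3-4   SMTP in to, and out from, the DMZ mail server
#  5     staff subnet only to the mail server over IMAP (993 if IMAPS is used)
#  6-9   the two partner networks to the data-sharing server: SSH and TCP/6789
#  10-11 the professor's ISP range: this admits every customer of that ISP,
#        not only the professor, which is the limitation sub-question (c) asks about
#  12-13 internal subnets browsing the Internet (source seen before NAT)
#  99    default deny: no other external access to internal hosts
FW_RULES='
1  tcp any           any 138.53.179.10 80   allow
2  tcp any           any 138.53.179.10 443  allow
3  tcp any           any 138.53.179.20 25   allow
4  tcp 138.53.179.20 any any           25   allow
5  tcp 10.4.1.0/24   any 138.53.179.20 143  allow
6  tcp 31.13.75.0/24 any 138.53.179.44 22   allow
7  tcp 31.13.75.0/24 any 138.53.179.44 6789 allow
8  tcp 104.55.9.0/24 any 138.53.179.44 22   allow
9  tcp 104.55.9.0/24 any 138.53.179.44 6789 allow
10 tcp 23.63.0.0/16  any 138.53.179.44 22   allow
11 tcp 23.63.0.0/16  any 138.53.179.44 6789 allow
12 tcp 10.4.0.0/16   any any           80   allow
13 tcp 10.4.0.0/16   any any           443  allow
99 any any           any any           any  deny
'

# Dotted quad to a 32-bit integer, e.g. 10.4.3.31 -> 168035103
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Is address $1 inside $2, where $2 is "any", a single host, or a.b.c.d/n?
in_cidr() {
    [ "$2" = any ] && return 0
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32               # no /n suffix: single host
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Decide one connection attempt: proto src sport dst dport -> allow | deny
fw_decide() {
    echo "$FW_RULES" | while read -r no proto src sport dst dport action; do
        [ -z "$no" ] && continue
        { [ "$proto" = any ] || [ "$proto" = "$1" ]; } || continue
        in_cidr "$2" "$src" || continue
        { [ "$sport" = any ] || [ "$sport" = "$3" ]; } || continue
        in_cidr "$4" "$dst" || continue
        { [ "$dport" = any ] || [ "$dport" = "$5" ]; } || continue
        echo "$action"; break                   # first matching rule wins
    done
}
```

Try it with fw_decide tcp 23.63.4.9 40000 138.53.179.44 22, which prints allow, and then with a source in 23.63.0.0/16 that is not the professor's, which prints the same thing: that is the weakness in rules 10 and 11 that sub-question (c) is after. Rule 12 is intentionally broad (any destination) because PAT hides the internal source from the Internet but the firewall still sees the 10.4.0.0/16 address on the way out.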
Question 5. Wireless Network Security [8 marks]
A small company with about 50 employees is moving into a new building. You are being consulted to provide advice and recommendations on deploying a secure wireless network in the building. You have been informed by the IT admin within the company that they require 15 wireless access points to cover the entire area, and will purchase all access points of the same model/brand. They will select from TP-Link, D-Link or Netgear. The IT staff in the company are capable of deploying the network, but have very little knowledge of how to secure it. A good guide is provided by the Australian Government, but the IT admins do not understand it.
(a) Write five (5) recommendations for
the IT admin in securing the wireless network. Each recommendation must have
two parts: what is recommended, and why it is recommended. The what part should be specific, referring
to recommended protocols, algorithms or technologies. The why part should provide a short (1-3 sentences) explanation of what
security problem is solved by following the recommendation. [5 marks]
(b) Select one of the wireless access
point vendors (TP-Link, D-Link or Netgear) and then select an appropriate
wireless access point to recommend to the IT admin. For the selected access
point, give a table that summarises the key technical specification. [1 mark]
(c) For the selected access point above,
list four (4) important security features. For each feature, give the
recommended setting and explain why you gave that recommendation. [2 marks]