COIT20262 Assignment 2 Term 1, 2017

Need this or a similar Assignment

Contact: qualityonewriters@gmail.com
Whatsapp/Call: +91-9502220077

COIT20262 - Advanced Network Security, Term 1, 2017

Assignment 2

Due date: 5pm Friday 2 June 2017 (Week 12) ASSESSMENT

2
Weighting: 50%
Length: N/A

Instructions
Attempt all questions.
Submit the following on Moodle:
Answers: A Microsoft Word document containing answers to the questions.
certificate.pem: see Question 4.
https.pcap: see Question 4.

This is an individual assignment, and it is expected students answer the questions themselves.
Discussion of approaches to solving questions is allowed (and encouraged), however each
student should develop and write-up their own answers. See CQUniversity resources on
Referencing and Plagiarism. Guidelines for this assignment include:
Do not exchange files (reports, captures, diagrams) with other students.
Complete tasks with virtnet yourself do not use results from another student.
Draw your own diagrams. Do not use diagrams from other sources (Internet,
textbooks) or from other students.
Write your own explanations. In some cases, students may arrive at the same numerical
answer, however their explanation of the answer should always be their own.
Do not copy text from websites or textbooks. During research you should read and
understand what others have written, and then write in your own words.
Advanced Network Security Page 1 of 10
COIT20262 Assignment 2 Term 1, 2017

Question 1. Firewalls [9 marks]

Objective: be able to design packet filtering firewall rules and identify
advantages/disadvantages of such firewalls
An educational institute has a single router, referred to as the gateway router, connecting its
internal network to the Internet. The institute has the public address range 138.77.0.0/16 and
the gateway router has address 138.77.178.1 on its external interface (referred to as interface
ifext). The internal network consists of four subnets:
A DMZ, which is attached to interface ifdmz of the gateway router and uses address
range 138.77.179.0/24.
A small network, referred to as shared, with interface ifint of the gateway router
connected to three other routers, referred to as staff_router, student_router, and
research_router. This network has no hosts attached (only four routers) and uses
network address 10.3.0.0/16.
A staff subnet, which is for use by staff members only, that is attached to the
staff_router router and uses network address 10.3.1.0/24.
A student subnet, which is for use by students only, that is attached to the
student_router router and uses network address 10.3.2.0/24.
A research subnet, which is for use by research staff, that is attached to the
research_router router and uses network address 10.3.3.0/24.

In summary, there are four routers in the network: the gateway router, and routers for each of
the staff, student and research subnets. There are five subnets: DMZ, shared, staff, student,
and research.
There are two servers in the DMZ that all can accept requests from the Internet: a web server
supporting HTTP and HTTPS, and a SMTP email server. Members of the staff, student and
research subnets can access the web server; members of the staff subnet only can access the
email server but using IMAP.
The gateway router also runs a stateful packet filtering firewall and performs port address
translation. In addition to the DMZ setup as described above, security requirements for the
educational institute are:
External Internet users cannot access any internal computers (except in DMZ and as
stated in other requirements).
Staff, students and researchers can access websites in the Internet.
The researchers (on the research subnet) run a server for sharing data with selected
research partners external to the educational institute. That server provides SSH
access and a specialised file transfer protocol using TCP and port 1234 to the partners.
The server has internal address 10.3.3.31 and NAT is setup on the gateway router to
map the public address 138.77.179.44 to the internal address. Currently there are two
partner organisations that can access the server, and they have network addresses:
31.13.75.0/24 and 23.63.9.0/24.
The professor that leads the research staff also wants access to the data sharing server
while they are at home. At home that professor uses a commercial ISP that
dynamically allocates IP addresses in the range 104.55.0.0/16.

Advanced Network Security Page 2 of 10

COIT20262 Assignment 2 Term 1, 2017

Considering the above information, answer the following questions:

(a) Draw a diagram illustrating the network. Although there may be many computers in the
staff, student and research subnets, for simplicity you only have to draw three computers
in the staff subnet, three computers in the student subnet and three computers in the
research subnet (one of those in the research subnet should be the data sharing server).
Label all computers and router interfaces with IP addresses. [3 marks]

(b) Specify the firewall rules using the format as in the table below. You may add/remove
rows as needed. After the table, add an explanation of the rules (why you design the
firewall rules the way you did). [5 marks]
Rule Transport Source Source Dest. Dest. Action
No. IP Port IP Port
1
2
3
4

(c) Consider the rule(s) that allows the professor to access from home. Discuss the
limitations, and suggest possible solutions. [1 mark]

Marking Scheme
(a) 3 marks if correct network is drawn and labelled. 2 marks if some mistakes in location
of nodes or links, or allocation of addresses. 0 or 1 mark if multiple mistakes.
(b) If all necessary rules are included, and no unnecessary rules are included, you will
receive 5 marks. 0.5 mark will be deducted for an incorrect rule or incorrect
explanation of the rule. 0.5 mark will be deducted for a missing rule. 0.5 mark will be
deducted for a rule that is included but not needed. The explanation will only be
considered if the rules appear wrong or inappropriate.
(c) 1 mark if a relevant limitation is described, and a potential solution is relevant. 0.5
mark of limitation or solution is wrong or irrelevant.

Advanced Network Security Page 3 of 10

COIT20262 Assignment 2 Term 1, 2017

Question 2. WiFi Security [6 marks]

Objective: Understanding important challenges with securing WiFi networks
(a) Explain what a MAC address filter is, and how it can be used as a security mechanism
in WiFi. Also explain at least two limitations of using them. [3 marks]
(b) In WPA-Personal (CCMP), AES is used for encryption. Consider the key size used by
AES in WPA-Personal, and the typical passphrase selected by home users. Discuss the
differences (e.g. differences in length, character sets, and how the passphrase is
converted to a AES key), and discuss a potential brute force attack on WPA-Personal
on home deployments. [3 marks]

Marking Scheme
For each part: 3 marks if demonstrate a good understanding of the issues with accurate
descriptions and explanations. 2 marks of minor mistakes or minor misunderstandings. 1
mark if missing important information or a significant mistake.
Advanced Network Security Page 4 of 10
COIT20262 Assignment 2 Term 1, 2017

Question 3. Password Schemes [14 marks]

Objective: Understand what makes a strong password, and the difficulties of using passwords
for most users
You are the IT security administrator for an organisation with about 100 users. The users all
have office computers (PCs or laptops), but also use other computers for work (such as
shared computers, and personal mobile devices). For example, a typical user may use a
Windows PC in their office, occasionally use a Windows PC or Mac in a shared space or lab,
and regularly use their own Android or iOS phone for work purposes. There is a mix of
operating systems on computers and mobile devices.
You are tasked with educating users on passwords, and recommending password management
solutions to the organisation. You are considering two options for password management.

Option 1. Educate users to manage their own passwords, while using some technical
controls. This option involves recommending policies to management, providing user
training, and applying password management rules in various systems (e.g. when passwords
are created). Most users will not use password management software in this option.
Option 2. Enforce password management software for all users. This option requires all users
to use a single password management application (e.g. LastPass, KeePass, or `wallet
software).
First considering Option 1, answer the following sub-questions.
(a) You are planning the user training session. You have already explained to users about
password lengths and character sets (e.g. minimum recommended length, types of
characters to include). List three (3) other recommendations that you think are the most
important for users to be aware of with regards to password usage and management. For
each recommendation, explain it in detail (that is, what would you tell users), and give
one advantage and one disadvantage of the recommendation. For example:
Recommendation 1. You should do . The advantage of doing this is . But the
disadvantage of doing this is .. (Note you cannot use the password length and
character set as a recommendation you must choose other recommendations) [3
marks]
(b) You are designing the technical controls on the password checking system when users
register or select a new password. One rule that you have decided to implement is that
a password must be at least 8 characters. List three (3) other rules that you think are
the most important to be implemented. For each rule, clearly specify the exact
conditions, and give one advantage and one disadvantage of the rule. For example:
Rule 1. A password must be at least 8 characters long. The advantage of this rule is
. The disadvantage of this rule is .. (Note you cannot use the password length as
a rule you must choose 3 other rules. Also, although you may consider character set
as a rule, it can only count as one rule). [3 marks]
Now considering Option 2, answer the following sub-questions.
(c) Write a short summary of what password management software is, and how it works.
This summary is intended for management and users to understand. [2 marks]
Advanced Network Security Page 5 of 10
COIT20262 Assignment 2 Term 1, 2017

(d) Explain the advantages and disadvantages of a password management application

(when compared to not using a password management application). [2 marks]
(e) Compare a web-based password management solution, such as LastPass, against a
standalone password management application, such as KeePass. In your comparison
explain the difference between the approaches and the advantages and disadvantages
of web-based versus standalone. [2 marks]
(f) If a standalone password management application is to be used, recommend where the
password database(s) for each user should be stored. Explain why you recommend
this approach. [2 marks]

Marking Scheme
(a) 1 mark for each correct and relevant recommendation that contains a description,
advantage and disadvantage.
(b) 1 mark for each correct and relevant rule that contains a description, advantage and
disadvantage.
(c) 2 marks for a clear and concise summary that mentions what it is and how it works. 1
mark if missing some important information.
(d) 2 marks if both the advantages and disadvantages are relevant and clearly explained.
(e) 2 marks if both the differences, and advantages and disadvantages are relevant and
clearly explained.
(f) 2 marks if the option for storage location is relevant, and the reasons for the location
are well justified.

Advanced Network Security Page 6 of 10

COIT20262 Assignment 2 Term 1, 2017

Question 4. HTTPS and Certificates [10 marks]

Objective: Learn the steps of deploying a secure web server, as well as the
limitations/challenges of digital certificates
For this question you must use virtnet (as used in the workshops) to study HTTPS and
certificates. This assumes you have already setup and are familiar with virtnet. See Moodle
and workshop instructions for information on setting up and using virtnet, deploying the
website, and testing the website.
Your task is to:
Create topology 5 in virtnet
Deploy the MyUni demo website on the nodes
Setup the webserver to support HTTPS, including obtaining a certificate
certificate.pem.
Capture traffic from the web browser on node1 to the web server that includes a
HTTPS session. Save the file as https.pcap.
Test and analyse the HTTPS connection.
Answer the following sub-questions based on above test and analysis.

(a) Submit your certificate certificate.pem and HTTPS traffic capture https.pcap on
Moodle. [3 marks]
(b) Draw a message sequence diagram that illustrates the SSL packets belonging to the
first TCP connection in the file. Refer to the instructions in assignment 1 for drawing
a message sequence diagram, as well as these additional requirements:
Only draw the SSL packets; do not draw the 3-way handshake, TCP ACKs or
connection close. Hint: identify which packets belong to the first TCP
connection and then filter with ssl in Wireshark. Depending on your
Wireshark version, the protocol may show as TLSv1.2.
A single TCP packet may contain one or more SSL messages (in Wireshark look
inside the packet for each Record Layer entry to find the SSL message names).
Make sure you draw each SSL message. If a TCP packet contains multiple SSL
messages, then draw multiple arrows, one for each SSL message,
and clearly label each with SSL message name.
Clearly mark which packets/messages are encrypted. [3 marks]

(c) Based on the capture and your understanding of HTTPS: [0.5 mark each]
a. What port number does the web server use with HTTPS?
b. What symmetric key cipher was used for encrypting the data?
c. What public key cipher was used for exchanging a secret?
d. What cipher and what hash algorithm are used in signing the web servers
certificate?
(d) In this task you needed to manually load the CA certificate into the client (lynx web
browser). In real networks, this step is not necessary (that is, the web browser user does
not have to load the CA certificate it normally is already loaded). Explain how the

Advanced Network Security Page 7 of 10

COIT20262 Assignment 2 Term 1, 2017

web browser already knows the CA certificate and what limitations there are of this
approach? [2 marks]

Marking Scheme
(a) 3 marks if all required files are submitted and in correct format. 1.5 marks if only 1
file is correct. 0 marks if neither of the files correct.
(b) The diagram must have all packets clearly labelled to obtain full marks. Missed
messages, incorrect messages or unclear diagram will result in loss of marks.
(c) 0.5 mark for each correct answer.
(d) 1 mark for explaining how the web browser knows certificate, and 1 mark for
explaining a limitation of this approach.

Advanced Network Security Page 8 of 10

COIT20262 Assignment 2 Term 1, 2017

Question 5. Internet Privacy [11 marks]

Objective: Understand the advantages and disadvantages of Internet privacy technologies,
including VPNs, and learn about advanced techniques (Tor)
Encryption is commonly used to provide data confidentiality in the Internet: when two hosts
communicate, other entities in the path between the two hosts cannot read the data being sent.
However encryption on its own does not privacy of who is communicating. Although the
other entities cannot read the data, they can determine which two hosts are communicating.
Consider a simple view of an Internet path where client C is communicating using IPv4 with
server S. There are n routers on the path. Assume a malicious user, who wants to know
information about who is communicating and when, has access to one of the routers in the
path (router Rm), e.g. they can capture packets on that router. Note Rm is not directly
attached to the subnets of C or S.

(a) What information can the malicious user learn about who C and S are? Consider both
computer addresses and information that may identify the human user (e.g. names,
locations), and explain how the malicious user may obtain that information. [2 marks]
(b) If Network Address Translation (NAT) is used in the subnet for C (but not for S), how
does that change your answer to sub-question (a)? [1 mark]

One method for providing privacy in the Internet is using a Virtual Private Network (VPN).
Assume client C is using a VPN server which is located on a router in the path between C and
S (but not on Rm).
(c) What information can the malicious user learn about who is communicating when C
and S communicate via the VPN server? [1 mark]
(d) Potential disadvantages of using a VPN server include: reduced performance between
C and S; required to trust the VPN server; and VPN server logs may be
requested/accessed (by the malicious user). Explain each of these three potential
disadvantages. [3 marks]

Advanced Network Security Page 9 of 10

COIT20262 Assignment 2 Term 1, 2017

Onion routing, used in Tor, is another method for providing privacy in the Internet. It is
generally consider to provide more privacy than using a VPN. The following sub-questions
require you to learn the basics of Tor.
(e) Explain how Tor (or onion routing) works. Use the scenario of C and S as an example.
That is, how would C communicate with S if Tor was used instead of a VPN. [2 marks]
(f) What are the advantages of Tor compared to VPN? [1 mark]
(g) What are the disadvantages of Tor computer to VPN? [1 mark]

Marking Scheme
(a) All relevant information listed and explained to receive 2 marks. Missing information
or poor explanations: 0 or 1 mark.
(b) 1 mark for clear explanation.
(c) 1 mark for clear explanation.
(d) 1 mark for each disadvantage clearly explained.
(e) 2 marks for clear explanation. Missing information or poor explanations: 0 or 1 mark.
(f) 1 mark for clear explanation.
(g) 1 mark for clear explanation.

Advanced Network Security Page 10 of 10