COIT20262 Assignment 2 Term 2, 2017

COIT20262 - Advanced Network Security, Term 2, 2017

Assignment 2

Due date: 5pm Friday 5 October 2017 (Week 12) ASSESSMENT

2
Weighting: 50%
Length: N/A

Instructions
Attempt all questions.
Submit the following on Moodle:
Answers: A Microsoft Word document containing answers to the questions.
Question 3: passwd.txt, shadow.txt, group.txt, and files.txt.
Question 4: certificate.pem and https.pcap.

This is an individual assignment, and it is expected students answer the questions themselves.
Discussion of approaches to solving questions is allowed (and encouraged), however each
student should develop and write-up their own answers. See CQUniversity resources on
Referencing and Plagiarism. Guidelines for this assignment include:
Do not exchange files (reports, captures, diagrams) with other students.
Complete tasks with virtnet yourself – do not use results from another student.
Draw your own diagrams. Do not use diagrams from other sources (Internet,
textbooks) or from other students.
Write your own explanations. In some cases, students may arrive at the same numerical
answer, however their explanation of the answer should always be their own.
Do not copy text from websites or textbooks. During research you should read and
understand what others have written, and then write in your own words.

Advanced Network Security Page 1 of 8

COIT20262 Assignment 2 Term 2, 2017

Question 1. Firewalls [9 marks]

Objective: be able to design packet filtering firewall rules and identify
advantages/disadvantages of such firewalls
An educational institute has a single router, referred to as the gatewayR, connecting its
internal network to the Internet. The institute has the public address range 142.66.0.0/16 and
the gateway router has address 142.66.123.1 on its external interface (referred to as interface
ifout). The internal network consists of three subnets:

A DMZ, which is attached to interface ifdmz of the gateway router and uses address
range 142.66.13.0/24.
A small network, referred to as shared, with interface ifin of the gateway router
connected to two other routers, referred to as staffR, and studentR. This network has
no hosts attached (only three routers) and uses network address 10.4.0.0/16.
A staff subnet, which is for use by staff members only, that is attached to the staffR
router and uses network address 10.4.10.0/24.
A student subnet, which is for use by students only, that is attached to the studentR
router and uses network address 10.4.20.0/24.

In summary, there are three routers in the network: the gateway router, and routers for the staff
and student subnets. There are four subnets: DMZ, shared, staff, and student.
There are three servers in the DMZ that all can accept requests from the Internet:
1. A web server supporting HTTP and HTTPS (IP address is 142.66.13.10)
2. A secure shell server using SSH (IP address is 142.66.13.20), and
3. A SMTP email server (IP address is 142.66.13.30).
Members of the staff and student subnets can access the web server; members of the staff
subnet only can access the email server but using IMAP; and internal members (both staff
and students) cannot access the SSH server.
The gateway router also runs a stateful packet filtering firewall and performs port address
translation. In addition to the DMZ setup as described above, security requirements for the
educational institute are:
External Internet users cannot access any internal computers (except in DMZ and as
stated in other requirements).
Staff and students can access websites in the Internet.
The SSH server in the DMZ can only be accessed by external Internet users from
subnets: 31.13.75.0/24 and 23.63.9.0/24.

Considering the above information, answer the following questions:

(a) Draw a diagram illustrating the network. Although there may be many computers in
the staff and student subnets, for simplicity you only have to draw three computers in
the staff subnet and three computers in the student subnet. Label all computers and
router interfaces with IP addresses. [3 marks]

Advanced Network Security Page 2 of 8

COIT20262 Assignment 2 Term 2, 2017

(b) Specify the firewall rules using the format as in the table below. You may add/remove
rows as needed. After the table, add an explanation of the rules (why you design the
firewall rules the way you did). [4 marks]
Rule Transport Source Source Dest. Dest. Action
No. IP Port IP Port
1
2
3
4
…

(c) When using iptables as firewall software, you can change the default policy using the
–P option. Explain the two common default policies, and explain the tradeoffs
between the policies. [2 marks]

Marking Scheme
(a) 3 marks if correct network is drawn and labelled. 2 marks if some mistakes in location
of nodes or links, or allocation of addresses. 0 or 1 mark if multiple mistakes.
(b) If all necessary rules are included, and no unnecessary rules are included, you will
receive 4 marks. 0.5 mark will be deducted for an incorrect rule or incorrect
explanation of the rule. 0.5 mark will be deducted for a missing rule. 0.5 mark will be
deducted for a rule that is included but not needed. The explanation will only be
considered if the rules appear wrong or inappropriate.
(c) 2 marks if explanation of both policies is clear and advantages/disadvantages are
given. 1 mark if unclear or one advantage/disadvantage wrong/missing.

Advanced Network Security Page 3 of 8

COIT20262 Assignment 2 Term 2, 2017

Question 2. WiFi Security [8 marks]

Objective: Understanding important challenges with securing WiFi networks
Defense-in-depth is an important principle in network security. Consider you are advising a
company in deploying a WiFi network. You advise them to use all of the following security
mechanisms to provide defense-in-depth. For each mechanism, give a brief description of the
mechanism and how it works, explain the main advantage of the mechanism, and explain the
main disadvantage of the mechanism.
(a) WPA
(b) Using antennas, transmit power and AP positioning to control radio range
(c) RADIUS (or similar) authentication
(d) Manual detection of rogue APs

Marking Scheme
For each part 2 marks:
1 mark if demonstrate a good understanding of the approach with clear and correct
descriptions;
0.5 mark for each correct/clear advantage and disadvantage

Advanced Network Security Page 4 of 8

COIT20262 Assignment 2 Term 2, 2017

Question 3. Access Control [12 marks]

Objective: Understand how Linux passwords and access control operates
For this question you must use virtnet (as used in the workshops) to study Linux access
control and passwords. This assumes you have already setup and are familiar with virtnet.
See Moodle and workshop instructions for information on setting up and using virtnet, and
using Linux access control comments.
Your task is to:
1. Create topology 1 in virtnet
2. Create five new users using realistic usernames. Set the passwords to be different
except for two users (that is, two users have the same password, the other users have
different passwords), however do not use passwords that you use on other systems.
3. View the password information stored for the new users in /etc/passwd and
/etc/shadow. Understand the information stored.
4. Create three new groups named student, teacher, and coord (short for
coordinators). Allocate the users to groups as follows:
o User 1: primary group student
o User 2: primary group student
o User 3: primary group teacher
o User 4: primary group coord, also in teacher
o User 5: primary group is their own (i.e. not in student, teacher or coord).
5. Create the following files and directories for each user. Unless specified, the
files/directories can be any name and can contain any content:
o Both students (User 1 and 2) have directories security, personal and shared
in their home directory. All teachers have read-only access to each students
security directory (and files within). All users have read/write access to each
students shared directory. Only the user can access their personal directory.
o The coordinator (User 4) has directory security, which has two sub-
directories: content and marking. content is read-only by all teachers.
marking is only accessible by the user.
o The remaining teacher (User 3) has directories security and personal.
security is editable by teachers and coordinators, while personal is only
accessible by the user.
o Each directory mentioned above should have at least 1 file in it (the name and
contents of the file doesn't matter).
o Every user (including User 5) has a file in their home directory called
schedule.txt. This file is readable by everyone.
o Both students have a file in their home directory called submit.bash and it is
executable by the user and coordinator.
6. In addition to the access control rules mentioned above, assume:
o Every user has read, write permissions on their own files, and full permissions
on their own directories.
o No other user can access the files/directories of other users.
o If permissions are not covered by the above, then assume the defaults.
o If there are conflicts in the above, then assume the most restrictive permission.

Advanced Network Security Page 5 of 8

COIT20262 Assignment 2 Term 2, 2017

o Use only the basic Linux permissions (see example commands below). Do
NOT use advanced permissions such as with setfacl or getfacl.
7. Test that the access control works by logging in as each user and checking they
can(not) access the specified files/directories.
Answer the following questions after completing the task.
(a) Submit the following files on Moodle [8 marks]:
a. /etc/passwd named as passwd.txt when you submit
b. /etc/shadow as shadow.txt
c. /etc/group as group.txt
d. The output of the following command as files.txt:
sudo sh -c ‘ls -lR /home > /home/network/files.txt’

(b) Explain where and how password information is stored in Linux. You should mention
the files, formats of storing passwords (e.g. what is stored, how is the information
created) and any specific algorithms used. [2 marks]

(c) Explain why it is difficult for an administrator to know if two users use the same
password. [1 mark]

(d) If a malicious user obtains the file(s) where password information is stored, and users
selected long random passwords, then explain why it is difficult for them to find
users’ actual passwords. [1 mark]

Marking Scheme
(a) The files submitted must contain relevant information: 1 mark each for passwd,
shadow and group. 5 marks for file.txt, where marks are allocated based on the
required permission settings.
(b) 2 marks for listing all correct files, formats and algorithms. 0.5 mark will be deducted
for each item missing or wrong.
(c) 1 mark for a clear and correct explantion.
(d) 1 mark for a clear and correct explantion.

Advanced Network Security Page 6 of 8

COIT20262 Assignment 2 Term 2, 2017

Question 4. HTTPS and Certificates [12 marks]

Objective: Learn the steps of deploying a secure web server, as well as the
limitations/challenges of digital certificates
For this question you must use virtnet (as used in the workshops) to study HTTPS and
certificates. This assumes you have already setup and are familiar with virtnet. See Moodle
and workshop instructions for information on setting up and using virtnet, deploying the
website, and testing the website.
Your task is to:
Create topology 5 in virtnet
Deploy the MyUni demo website on the nodes
Setup the webserver to support HTTPS, including obtaining a certificate
certificate.pem. Make sure you use your name or ID in the certificate (e.g. in
the email address field) so that it is unique across the class.
Capture traffic from the web browser on node1 to the web server that includes a
HTTPS session. Save the file as https.pcap.
Test and analyse the HTTPS connection.
Answer the following sub-questions based on above test and analysis.
(a) Submit your certificate certificate.pem and HTTPS traffic capture https.pcap on
Moodle. [6 marks]
(b) Explain how the client obtains the certificate of the web server. [1 mark]
(c) Explain how the client verifies the certificate of the web server, and what pre-
conditions exist such that the verification is possible. [2 marks]
(d) At the bottom of your certificate there should be a field called “Signature Algorithm”,
followed by a multi-line random looking hex value. This value is the signature.
Explain how the signature is generated. Refer to specific algorithms and information
that is used in generating the signature. [2 marks]
(e) In practice, Certificate Authorities must keep their private keys very secure, usually
storing them offline in special hardware devices. Explain an attack a malicious user
could be perform if they could compromise the CA private key. Use your MyUni
website as an example. [1 mark]
Marking Scheme
(a) 3 marks if a correct/unique certificate is submitted; 3 marks if a correct/unique
capture containing HTTPS packets is submitted.
(b) Clear and accurate explanation: 1 mark.
(c) Clear and accurate explanation: 1 mark; explanation of pre-conditions: 1 mark.
(d) All correct information given: 2 marks. Minor mistake: 1 mark. Multiple mistakes: 0
marks.
(e) Clear and accurate explanation: 1 mark.

Advanced Network Security Page 7 of 8

COIT20262 Assignment 2 Term 2, 2017

Question 5. Internet Privacy [9 marks]

Objective: Understand the advantages and disadvantages of Internet privacy technologies,
including VPNs, and learn about advanced techniques (Tor)
Encryption is commonly used to provide data confidentiality in the Internet: when two hosts
communicate, other entities in the path between the two hosts cannot read the data being sent.
However encryption on its own does not privacy of who is communicating. Although the
other entities cannot read the data, they can determine which two hosts are communicating.
Assume you want to have privacy protection while web browsing. Normally, when your
client computer sends a HTTP GET request to a web server, the IP address of both your client
computer (C) and the web server (S) are included in the IP header of the packet. Any
intermediate node on the path between client and server in the Internet can see the values of C
and S, thereby learning who is communicating.
Three common techniques for privacy protection, i.e. hiding both values of C and S from
intermediate nodes, in the Internet are:
(a) Web proxies
(b) VPNs
(c) Tor
For each technique, provide the following:
1. An explanation of the technique (you may refer to the diagram)
2. A diagram showing the addresses learnt by a malicious user if the technique is used.
3. A recommendation of who or what this technique is good for. (Consider the
advantages of the technique compared to the other techniques, and consider the skills
and/or requirements of different users).
4. What a malicious user would need to do to compromise the privacy (i.e. learn both C
and S) if the technique was used.
For your diagrams you may use the following simple view of an Internet path where client C
is communicating using IPv4 with server S. There are n routers on the path. Assume a
malicious user, who wants to know information about who is communicating and when, has
access to one of the routers in the path (router Rm), e.g. they can capture packets on that
router. Note Rm is not directly attached to the subnets of C or S.

You may use the above diagram (or similar a diagram) to illustrate each of the techniques.
Marking Scheme
(a) For each technique: 1 mark for the explanation and diagram; 1 mark for the
recommendation; and 1 mark for how to compromise.

Advanced Network Security Page 8 of 8