COIT20262 Network Security: Design Packet Filtering Firewall Rules
Questions:
1. Firewalls
Objective: be able to design packet filtering firewall rules and identify advantages/disadvantages of such firewalls
An educational institute has a single router, referred to as the gateway router, connecting its internal network to the Internet. The institute has the public address range 138.77.0.0/16 and the gateway router has address 138.77.178.1 on its external interface (referred to as interface ifext). The internal network consists of four subnets:
A DMZ, which is attached to interface ifdmz of the gateway router and uses address range 138.77.179.0/24.
A small network, referred to as shared, with interface ifint of the gateway router connected to three other routers, referred to as staff_router, student_router, and research_router. This network has no hosts attached (only four routers) and uses network address 10.3.0.0/16.
A staff subnet, which is for use by staff members only, that is attached to the staff_router router and uses network address 10.3.1.0/24.
A student subnet, which is for use by students only, that is attached to the student_router router and uses network address 10.3.2.0/24.
A research subnet, which is for use by research staff, that is attached to the research_router router and uses network address 10.3.3.0/24.
In summary, there are four routers in the network: the gateway router, and routers for each of the staff, student and research subnets. There are five subnets: DMZ, shared, staff, student, and research.
There are two servers in the DMZ that can both accept requests from the Internet: a web server supporting HTTP and HTTPS, and an SMTP email server. Members of the staff, student and research subnets can access the web server; only members of the staff subnet can access the email server, and they do so using IMAP.
The gateway router also runs a stateful packet filtering firewall and performs port address translation. In addition to the DMZ setup as described above, security requirements for the educational institute are:
External Internet users cannot access any internal computers (except in DMZ and as stated in other requirements).
Staff, students and researchers can access websites in the Internet.
The researchers (on the research subnet) run a server for sharing data with selected research partners external to the educational institute. That server provides SSH access and a specialised file transfer protocol using TCP and port 1234 to the partners. The server has internal address 10.3.3.31 and NAT is set up on the gateway router to map the public address 138.77.179.44 to the internal address. Currently there are two partner organisations that can access the server, and they have network addresses: 31.13.75.0/24 and 23.63.9.0/24.
The professor that leads the research staff also wants access to the data sharing server while they are at home. At home that professor uses a commercial ISP that dynamically allocates IP addresses in the range 104.55.0.0/16.
Considering the above information, answer the following questions:
- Draw a diagram illustrating the network. Although there may be many computers in the staff, student and research subnets, for simplicity you only have to draw three computers in the staff subnet, three computers in the student subnet and three computers in the research subnet (one of those in the research subnet should be the data sharing server). Label all computers and router interfaces with IP addresses.
- Specify the firewall rules using the format as in the table below. You may add/remove rows as needed. After the table, add an explanation of the rules (why you design the firewall rules the way you did).
- Consider the rule(s) that allows the professor to access from home. Discuss the limitations, and suggest possible solutions.
2. WiFi Security
Objective: Understanding important challenges with securing WiFi networks
- Explain what a MAC address filter is, and how it can be used as a security mechanism in WiFi. Also explain at least two limitations of using them.
- In WPA-Personal (CCMP), AES is used for encryption. Consider the key size used by AES in WPA-Personal, and the typical passphrase selected by home users. Discuss the differences (e.g. differences in length, character sets, and how the passphrase is converted to an AES key), and discuss a potential brute force attack on WPA-Personal on home deployments.
3. Password Schemes
Objective: Understand what makes a strong password, and the difficulties of using passwords for most users
You are the IT security administrator for an organisation with about 100 users. The users all have office computers (PCs or laptops), but also use other computers for work (such as shared computers, and personal mobile devices). For example, a typical user may use a Windows PC in their office, occasionally use a Windows PC or Mac in a shared space or lab, and regularly use their own Android or iOS phone for work purposes. There is a mix of operating systems on computers and mobile devices.
You are tasked with educating users on passwords, and recommending password management solutions to the organisation. You are considering two options for password management.
Option 1. Educate users to manage their own passwords, while using some technical controls. This option involves recommending policies to management, providing user training, and applying password management rules in various systems (e.g. when passwords are created). Most users will not use password management software in this option.
Option 2. Enforce password management software for all users. This option requires all users to use a single password management application (e.g. LastPass, KeePass, or 'wallet' software).
First considering Option 1, answer the following sub-questions.
- You are planning the user training session. You have already explained to users about password lengths and character sets (e.g. minimum recommended length, types of characters to include). List three (3) other recommendations that you think are the most important for users to be aware of with regards to password usage and management. For each recommendation, explain it in detail (that is, what would you tell users), and give one advantage and one disadvantage of the recommendation. For example:
“Recommendation 1. You should do … . The advantage of doing this is … . But the disadvantage of doing this is … .”. (Note you cannot use the password length and character set as a recommendation – you must choose other recommendations)
- You are designing the technical controls on the password checking system when users register or select a new password. One rule that you have decided to implement is that a password must be at least 8 characters. List three (3) other rules that you think are the most important to be implemented. For each rule, clearly specify the exact conditions, and give one advantage and one disadvantage of the rule. For example: “Rule 1. A password must be at least 8 characters long. The advantage of this rule is … . The disadvantage of this rule is … .”. (Note you cannot use the password length as a rule – you must choose 3 other rules. Also, although you may consider character set as a rule, it can only count as one rule).
Now considering Option 2, answer the following sub-questions.
- Write a short summary of what password management software is, and how it works. This summary is intended for management and users to understand.
- Explain the advantages and disadvantages of a password management application (when compared to not using a password management application).
- Compare a web-based password management solution, such as LastPass, against a standalone password management application, such as KeePass. In your comparison explain the difference between the approaches and the advantages and disadvantages of web-based versus standalone.
- If a standalone password management application is to be used, recommend where the password database(s) for each user should be stored. Explain why you recommend this approach.
4. HTTPS and Certificates
Objective: Learn the steps of deploying a secure web server, as well as the limitations/challenges of digital certificates
For this question you must use virtnet (as used in the workshops) to study HTTPS and certificates. This assumes you have already set up and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and testing the website.
Your task is to:
Create topology 5 in virtnet
Deploy the MyUni demo website on the nodes
Setup the webserver to support HTTPS, including obtaining a certificate, saved as certificate.pem.
Capture traffic from the web browser on node1 to the web server that includes a HTTPS session. Save the file as https.pcap.
Test and analyse the HTTPS connection.
Answer the following sub-questions based on above test and analysis.
- Submit your certificate.pem and HTTPS traffic capture https.pcap on Moodle.
- Draw a message sequence diagram that illustrates the SSL packets belonging to the first TCP connection in the file. Refer to the instructions in assignment 1 for drawing a message sequence diagram, as well as these additional requirements:
Only draw the SSL packets; do not draw the 3-way handshake, TCP ACKs or connection close. Hint: identify which packets belong to the first TCP connection and then filter with “ssl” in Wireshark. Depending on your Wireshark version, the protocol may show as “TLSv1.2”.
A single TCP packet may contain one or more SSL messages (in Wireshark look inside the packet for each “Record Layer” entry to find the SSL message names). Make sure you draw each SSL message. If a TCP packet contains multiple SSL messages, then draw multiple arrows, one for each SSL message, and clearly label each with SSL message name.
Clearly mark which packets/messages are encrypted.
- Based on the capture and your understanding of HTTPS:
- What port number does the web server use with HTTPS?
- What symmetric key cipher was used for encrypting the data?
- What public key cipher was used for exchanging a secret?
- What cipher and what hash algorithm are used in signing the web server's certificate?
- In this task you needed to manually load the CA certificate into the client (lynx web browser). In real networks, this step is not necessary (that is, the web browser user does not have to load the CA certificate – it normally is already loaded). Explain how the web browser already knows the CA certificate and what limitations there are of this approach?
5. Internet Privacy
Objective: Understand the advantages and disadvantages of Internet privacy technologies, including VPNs, and learn about advanced techniques (Tor)
Encryption is commonly used to provide data confidentiality in the Internet: when two hosts communicate, other entities in the path between the two hosts cannot read the data being sent. However, encryption on its own does not provide privacy of who is communicating. Although the other entities cannot read the data, they can determine which two hosts are communicating.
Consider a simple view of an Internet path where client C is communicating using IPv4 with server S. There are n routers on the path. Assume a malicious user, who wants to know information about who is communicating and when, has access to one of the routers in the path (router Rm), e.g. they can capture packets on that router. Note Rm is not directly attached to the subnets of C or S.
- What information can the malicious user learn about who C and S are? Consider both computer addresses and information that may identify the human user (e.g. names, locations), and explain how the malicious user may obtain that information.
- If Network Address Translation (NAT) is used in the subnet for C (but not for S), how does that change your answer to sub-question (a)?
One method for providing privacy in the Internet is using a Virtual Private Network (VPN). Assume client C is using a VPN server which is located on a router in the path between C and S (but not on Rm).
- What information can the malicious user learn about who is communicating when C and S communicate via the VPN server?
- Potential disadvantages of using a VPN server include: reduced performance between C and S; required to trust the VPN server; and VPN server logs may be requested/accessed (by the malicious user). Explain each of these three potential disadvantages.
Onion routing, used in Tor, is another method for providing privacy in the Internet. It is generally considered to provide more privacy than using a VPN. The following sub-questions require you to learn the basics of Tor.
- Explain how Tor (or onion routing) works. Use the scenario of C and S as an example. That is, how would C communicate with S if Tor was used instead of a VPN.
- What are the advantages of Tor compared to VPN?
- What are the disadvantages of Tor compared to VPN?
Answers:
1.
a.
Figure 1: Network Diagram
b.
Rule No. | Transport | Source IP | Source Port | Dest. IP | Dest. Port | Action
1 | TCP | 31.13.75.0/24 | 1234 | 10.3.3.2/24 | 22 | Allow
2 | TCP | 23.63.9.0/24 | 1234 | 10.3.3.2/24 | 22 | Allow
3 | HTTP/HTTPS | 10.3.3.0/24 | Any | 138.77.179.2/24 | 80,8080 | Allow
4 | HTTP/HTTPS | 10.3.2.0/24 | Any | 138.77.179.2/24 | 80,8080 | Allow
5 | HTTP/HTTPS | 10.3.1.0/24 | Any | 138.77.179.2/24 | 80,8080 | Allow
6 | SMTP | 10.3.1.0/24 | Any | 138.77.179.2/24 | 25 | Allow
Rules Explanations:
- Rule 1 allows one of the partner organisations (31.13.75.0/24) to establish an SSH connection and transfer files over the TCP-based connection.
- Rule 2 allows the other partner organisation (23.63.9.0/24) to establish an SSH connection and transfer files in the same way.
- Rule 3 allows traffic from the staff subnet to reach the DMZ for HTTP/HTTPS packets.
- Rule 4 allows traffic from the student subnet to reach the DMZ for HTTP/HTTPS packets.
- Rule 5 allows traffic from the research subnet to reach the DMZ for HTTP/HTTPS packets.
- Rule 6 allows traffic from the research unit to communicate with the DMZ mail server using the SMTP protocol.
c.
Rule No. | Transport | Source IP | Source Port | Dest. IP | Dest. Port | Action
1 | TCP | 104.55.0.0/16 | ANY | 138.77.179.2/24 | ANY | Allow
This rule allows the professor, connecting from any IP address in the 104.55.0.0/16 range, to access the DMZ network using TCP.
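As an added illustration (not part of the original assignment answer), the following Python evaluates the rule tables from parts (b) and (c) above against a few constructed packets. It uses first-match semantics with a default deny, treats the HTTP/HTTPS and SMTP rows as TCP, and applies the table's source-port and destination-port columns exactly as written; a /24 written on a host address (10.3.3.2/24) is read as the whole subnet. The packet addresses and ports are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    number: int
    proto: str      # "tcp" here: the HTTP/HTTPS and SMTP rows all ride on TCP
    src: str        # CIDR or "any"
    sport: str      # single port, comma-separated list, or "any"
    dst: str
    dport: str
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int


def _ip_match(spec: str, ip: str) -> bool:
    # strict=False lets "10.3.3.2/24" stand for the 10.3.3.0/24 subnet
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    return spec == ANY or port in {int(p) for p in spec.split(",")}


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (ANY, pkt.proto)
            and _ip_match(rule.src, pkt.src_ip) and _port_match(rule.sport, pkt.sport)
            and _ip_match(rule.dst, pkt.dst_ip) and _port_match(rule.dport, pkt.dport))


def evaluate(rules, pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins; anything unmatched gets the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return default, None


# The rule tables from parts (b) and (c), transcribed as written
RULES = [
    Rule(1, "tcp", "31.13.75.0/24", "1234", "10.3.3.2/24", "22", "allow"),
    Rule(2, "tcp", "23.63.9.0/24", "1234", "10.3.3.2/24", "22", "allow"),
    Rule(3, "tcp", "10.3.3.0/24", ANY, "138.77.179.2/24", "80,8080", "allow"),
    Rule(4, "tcp", "10.3.2.0/24", ANY, "138.77.179.2/24", "80,8080", "allow"),
    Rule(5, "tcp", "10.3.1.0/24", ANY, "138.77.179.2/24", "80,8080", "allow"),
    Rule(6, "tcp", "10.3.1.0/24", ANY, "138.77.179.2/24", "25", "allow"),
    Rule(7, "tcp", "104.55.0.0/16", ANY, "138.77.179.2/24", ANY, "allow"),  # part (c) rule
]

# Constructed test packets (addresses and ports invented for the example)
SAMPLES = {
    "partner_ssh_port1234": Packet("tcp", "31.13.75.10", 1234, "10.3.3.2", 22),
    "partner_ssh_ephemeral": Packet("tcp", "31.13.75.10", 51022, "10.3.3.2", 22),
    "student_to_web_80": Packet("tcp", "10.3.2.7", 50000, "138.77.179.2", 80),
    "internet_to_staff_pc": Packet("tcp", "198.51.100.9", 40000, "10.3.1.5", 445),
    "professor_home_ssh": Packet("tcp", "104.55.12.34", 52000, "138.77.179.2", 22),
    "professor_range_smtp": Packet("tcp", "104.55.200.1", 52001, "138.77.179.2", 25),
}


def run_samples():
    """Map each sample name to (action, matching rule number or None)."""
    return {name: evaluate(RULES, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, number) in run_samples().items():
        print(f"{name:24s} -> {action} (rule {number})")
```

Two of the results are worth a second look when reviewing the table: the partner packet sent from an ephemeral source port is denied, because the table pins the partner's source port to 1234 while real clients normally pick an ephemeral port; and both professor packets are allowed by the part (c) rule regardless of destination port, which is the breadth the question's "limitations" sub-question is asking about.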
2.
a). MAC Address Filtering
MAC filtering is a technique in which wireless devices are filtered based on their MAC addresses. It enables network administrators to specify which devices are allowed on the network and to block any device not on that list. It is a free feature built into many wireless routers and APs.
What Does a MAC Filter Do and Security?
As a built-in feature, it can either whitelist or blacklist systems on the network based on their MAC address, and further configuration can be applied to the allowed systems. A whitelist is better than a blacklist, because only the systems on the whitelist are allowed onto the network, which provides better security than a blacklist. MAC address filtering then checks every device that wants to access the network; if the device is not listed, the filter blocks it from joining. (Hassan, & Zhang, 2011)
Limitations of MAC address filter
If there is a new device on the network, you need to add it to the whitelist before it can connect. The MAC addresses also need to be kept up to date, but this updating is needed for any type of device, wired or wireless.
MAC filtering is useless if a hacker spoofs a MAC address that is on the whitelist in order to connect to the network. To obtain this information, hackers use a specialised program called a sniffer that intercepts the data flowing over the network and reads the MAC addresses of the devices that are communicating.
b). How the key is calculated
WPA is the successor to WEP, which was used to connect to a wireless AP using a pre-shared key. WPA-PSK was supported by many devices; older devices needed a firmware upgrade to become compatible with WPA. As for the key, WPA works with TKIP and AES, and the AES key is 256 bits. This key is entered either as 64 hexadecimal digits or as 8-64 ASCII characters. If ASCII characters are used, as is most common for home users, the 256-bit key is calculated by applying the PBKDF2 derivation function to the passphrase, with the SSID used as the salt and 4096 iterations of HMAC-SHA1. (Hassan, & Zhang, 2011)
Brute Force attack on WPA
Like WEP, WPA remains susceptible to cracking attacks. These attacks are much more successful if the chosen password or passphrase is weak. To be secure from brute force attacks we should use random characters as our password, but since we cannot remember random keys we use stronger passphrases that are generally not found in a dictionary. The length recommended to be safe from a brute force attack is 20 characters chosen from the 95 allowed characters.
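To make the passphrase-to-key conversion above concrete, here is an added Python example (not part of the original answer) that computes the 256-bit pre-shared key exactly as described: PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 32 bytes out. It checks the result against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") and compares the search space of a typical home passphrase with that of the 20-character recommendation and with the key itself; the guessing rate used for the time estimate is an assumed figure for illustration, not a measurement.

```python
import hashlib
import math


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


# Published IEEE 802.11i test vector for the passphrase-to-PSK mapping
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def ieee_vector_ok() -> bool:
    passphrase, ssid, expected_hex = IEEE_VECTOR
    return wpa_psk(passphrase, ssid).hex() == expected_hex


def search_space_bits(length: int, charset_size: int) -> float:
    """log2 of the number of passphrases of a given length over a character set."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every passphrase of that size at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


ASSUMED_RATE = 1e6  # guesses per second; an assumption, chosen only to make the contrast visible


def compare() -> dict:
    """Key size versus two passphrase policies: 8 lowercase letters and 20 chars from 95."""
    home_bits = search_space_bits(8, 26)
    recommended_bits = search_space_bits(20, 95)
    return {
        "key_bits": 8 * len(wpa_psk("password", "IEEE")),
        "home_8_lowercase_bits": home_bits,
        "recommended_20_of_95_bits": recommended_bits,
        "home_8_lowercase_years": years_to_exhaust(home_bits, ASSUMED_RATE),
        "recommended_20_of_95_years": years_to_exhaust(recommended_bits, ASSUMED_RATE),
    }


if __name__ == "__main__":
    print("IEEE test vector matches:", ieee_vector_ok())
    for name, value in compare().items():
        print(f"{name:28s} {value:.3g}")
```

The derived key is always 256 bits, but the attacker only has to search the passphrase space, which for eight lowercase letters is under 38 bits; the SSID salt and the 4096 iterations raise the cost per guess, they do not enlarge that space.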
3.
- Recommendations
- The password should have an expiry date: the password expires, you should not be able to reuse the same string in any form, and you should create a totally random password for the next period. The advantage is that new passwords make brute force and similar attacks nearly impossible; the disadvantage is that you need to memorise a new password every now and then. (Yang, Chu, Li, Petrovic, & Busch, 2014)
- Do not use dictionary words or any personal information in your password. The advantage is that hackers cannot guess your password using a dictionary or your personal details; the disadvantage is that such passwords are difficult to remember.
- We should use multi-factor authentication to confirm the user's identity. The advantage is an additional layer of security over the password; the limitation is that we need to have the phone on which the OTP is received.
b.
- There should be no dictionary words or common phrases.
- Advantage: a hacker cannot run a dictionary attack, so the password is much more secure.
- Disadvantage: random characters are difficult to manage and memorise, so users can forget them easily.
- You should not include any personal information in your password, such as birth date, birth year, location, favourite band or music. This personal information is available to everyone over social media, so we should refrain from using such easily guessed or obtained information in our passwords.
- Advantage: a secure password.
- Disadvantage: difficult to remember, and building a random password is not that easy.
- Use numerals and special characters in your password, but the same numeral or special character cannot be used more than once at a regular interval.
- Advantage: a jumbled password that is very difficult to guess.
- Disadvantage: difficult to build a password with such complexity.
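The three rules above can be enforced directly in the password-setting system. The following Python checker is an added example, not part of the original answer: it applies the 8-character minimum plus the three rules, using a small constructed word list and a constructed user profile (name, birth year, location, favourite band) as stand-ins for a real dictionary file and HR record. For the third rule it flags a numeral or special character that recurs three or more times at a constant spacing (for example a1b1c1d1), which is one reading of the rule as stated.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed mini word list; a real deployment would load a full dictionary file
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "football", "sunshine"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/|~")
MIN_LENGTH = 8


@dataclass
class UserProfile:
    """Personal details the checker must reject inside a password (constructed fields)."""
    name: str
    birth_year: int
    location: str
    favourite_band: str


def _tokens(text: str) -> List[str]:
    """Split a profile value into lowercase alphanumeric tokens of 4+ characters."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if len(t) >= 4]


def repeats_at_regular_interval(pw: str) -> bool:
    """True if the same numeral/special character occurs 3+ times at a constant spacing."""
    positions = {}
    for i, ch in enumerate(pw):
        if ch.isdigit() or ch in SPECIALS:
            positions.setdefault(ch, []).append(i)
    for pos in positions.values():
        if len(pos) >= 3 and len({b - a for a, b in zip(pos, pos[1:])}) == 1:
            return True
    return False


def check_password(pw: str, profile: UserProfile) -> List[str]:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Rule 1: no dictionary words or common phrases
    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    # Rule 2: no personal information
    personal = [profile.name, str(profile.birth_year), profile.location, profile.favourite_band]
    for value in personal:
        for token in _tokens(value):
            if token in low:
                problems.append(f"contains personal information '{token}'")
    # Rule 3: numerals/special characters required, but not repeated at a regular interval
    if not any(ch.isdigit() or ch in SPECIALS for ch in pw):
        problems.append("needs at least one numeral or special character")
    elif repeats_at_regular_interval(pw):
        problems.append("a numeral or special character repeats at a regular interval")
    return problems


# Constructed profile for the demonstration
ALICE = UserProfile("Alice Smith", 1990, "Rockhampton", "The Beatles")

if __name__ == "__main__":
    for candidate in ["password1", "Alice1990!", "Beatles#rock", "a1b1c1d1", "Zebrafruit", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, ALICE) or "accepted")
```

Returning every violation at once, rather than stopping at the first, lets the registration page tell the user everything that needs changing in one round trip, which matters when the rules are the kind users find hard to satisfy.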
c. Password Managers
Password managers take the load off the user, who can do productive work rather than remembering different passwords for websites. After the master password is entered, the password manager fills in a randomly generated password when you visit a website for the first time. It can be configured to fill in other details as well, such as address and email. The password manager generates random passwords to protect them from attacks. It can also help mitigate phishing attacks, because the password is only revealed on the website for which it was created; otherwise new password creation is prompted, making the user aware that a different URL is being used in a phishing attack. (Onno, Neumann, & Heen, 2012)
Password managers are tools that assist in managing passwords; this assistance includes password generation, password storage and retrieval of passwords from the database. There are two types of password managers:
- Locally Installed
- Online based services
The services provided depend on the password manager installed, such as an encrypted database, storage of passwords in encrypted format, and password files stored locally or remotely via an online file hosting service like Dropbox. Password managers usually require one master password that allows the user to access all of the saved information in the password manager. (Onno, Neumann, & Heen, 2012)
d.
Major Advantages of Password Managers
- The passwords generated are completely random and difficult to guess with any other software. No modification to the application is required for the password manager to work with it.
- The passwords are stored in encrypted format in the database, which means that nobody but you can access them.
- It saves you from reusing the same password at every website: different passwords can be generated and linked to a single master password through the password manager. (Yang, Chu, Li, Petrovic, & Busch, 2014)
Major Disadvantages of Password Managers
- Many password managers save the passwords in plaintext that can be easily read, making them vulnerable to hacks. Password files stored locally could be deleted, which means you need to reset the password for every website again; it is recommended to save a backup of the file in a remote location.
- If the master password is leaked or easily guessed, it opens all the doors for the hacker and none of the passwords remain secure.
- Multi-factor authentication adds an additional layer of security but requires another device to receive the OTP to verify the device.
- If the password generator works from a dictionary or uses weak random passwords in place of cryptographically secure ones, then they are easily hackable.
e. Comparing web-based vs standalone password managers
LastPass
This is the most used password manager in the world. It has all the services found in most password managers, but the services it introduced were either pioneering or significant improvements in features over any other competitor in the market. The passwords generated are of top quality and are not susceptible to brute force attacks.
LastPass is a browser extension; it stores the files in a secured remote location, and some features also work in offline mode. The password database is secure and, once downloaded, is decrypted on the device itself, so no plaintext passwords are communicated. This feature also allows the user to access passwords locally without an internet connection. The disadvantage is the dependency on an internet connection to sync; otherwise it will not work.
KeePass
Because security is an issue, people refrain from storing data online, and storing passwords in the cloud is another challenge in making users understand the advantages of this feature.
KeePass is the right software for such people: it not only makes strong passwords but stores the entire password database locally on the machine on which it is installed. The KeePass database can be synced over the internet using Dropbox, but this needs the password file to be uploaded to the cloud, which is the biggest disadvantage of such a system. (Agholor, Sodiya, Akinwale, & Adeniran, 2016)
f. Standalone password managers generally store the password database locally on the system. To sync it we can use two approaches: cloud-based storage, or storage in an email backup. Both provide the required security for the database, as the standalone password manager stores the files in encrypted format with a hash check; if anything is altered or manipulated, the file authenticity check fails and the file is re-synced from the local backup, and vice versa. (Agholor, Sodiya, Akinwale, & Adeniran, 2016)
4.
After deploying topology 5, we set up node 3 as the MyUni website using the command sudo bash ~/virtnet/bin/vn-deployrealmyuni. After this command the MyUni website is installed on the system and activated, but it is not yet secure.
- attached
b.
c.
- 443
- AES
- RSA
- RSA and SHA-256
- Most protocols include the CA certificate and the leaf certificate with their respective signatures. In this case we only need to know and verify the root certificate that has the valid matching signature; this is why current browsers do not need to download the CA first to establish SSL-based connections.
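The message sequence diagram in part (b) depends on reading each Record Layer entry and the handshake messages inside it, and part (c) reads the negotiated cipher suite from the ServerHello. This added Python parser (example code, not part of the original answer or of virtnet) walks a constructed TLS 1.2 byte string that models the server's flight: one record carrying ServerHello, Certificate and ServerHelloDone, then ChangeCipherSpec, an encrypted Finished and an encrypted application-data record. It lists the messages per record, marks which records are encrypted, and splits the suite name into key exchange, cipher and hash. The Certificate body is an empty placeholder, the server random is zeros, and only the server-to-client direction is modelled.

```python
import struct
from typing import Dict, List

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
CIPHER_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
TLS12 = 0x0303


def record(content_type: int, body: bytes) -> bytes:
    """TLS record header: type(1) version(2) length(2), followed by the body."""
    return struct.pack("!BHH", content_type, TLS12, len(body)) + body


def handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake header: type(1) length(3), followed by the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    random = bytes(32)  # constant in this example; a real server sends 32 random bytes
    return (struct.pack("!H", TLS12) + random + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + b"\x00")  # null compression


# Constructed sample flight (server -> client); the Certificate body is an empty list placeholder
SAMPLE_FLIGHT = (
    record(22, handshake(2, server_hello(0x002F)) + handshake(11, b"\x00\x00\x00") + handshake(14, b""))
    + record(20, b"\x01")
    + record(22, bytes(40))   # Finished, already encrypted under the new cipher state
    + record(23, bytes(64))   # application data, encrypted
)


def parse_records(data: bytes) -> List[Dict]:
    """One dict per record: content type, message names, and whether the record was encrypted."""
    out, encrypted, offset = [], False, 0
    while offset < len(data):
        if offset + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        offset += 5 + length
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"), "messages": [], "encrypted": encrypted}
        if encrypted:
            rec["messages"] = ["<opaque>"]      # cannot be parsed without the session keys
        elif ctype == 22:
            pos = 0
            while pos < len(body):               # several handshake messages may share one record
                mtype = body[pos]
                mlen = int.from_bytes(body[pos + 1:pos + 4], "big")
                mbody = body[pos + 4:pos + 4 + mlen]
                pos += 4 + mlen
                rec["messages"].append(HANDSHAKE_TYPES.get(mtype, f"unknown({mtype})"))
                if mtype == 2:                   # ServerHello: suite follows version, random, session_id
                    sid_len = mbody[34]
                    suite_id = struct.unpack("!H", mbody[35 + sid_len:37 + sid_len])[0]
                    rec["cipher_suite"] = CIPHER_SUITES.get(suite_id, f"0x{suite_id:04x}")
        elif ctype == 20:
            rec["messages"] = ["ChangeCipherSpec"]
            encrypted = True                     # everything this side sends afterwards is encrypted
        out.append(rec)
    return out


def describe_suite(name: str) -> Dict[str, str]:
    """Split e.g. TLS_RSA_WITH_AES_128_CBC_SHA into key exchange, cipher and hash."""
    kx, rest = name[len("TLS_"):].split("_WITH_")
    cipher, mac = rest.rsplit("_", 1)
    return {"key_exchange": kx, "cipher": cipher, "hash": mac}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_FLIGHT):
        print(rec)
    print(describe_suite("TLS_RSA_WITH_AES_128_CBC_SHA"))
```

The first record yields three arrows in the diagram, one per handshake message, while the records after ChangeCipherSpec are marked encrypted even though the second of them is still typed Handshake; that is the distinction the capture instructions ask you to make explicit.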
5.
- As data packets travel from one location to another they contain the IP addresses of the source and destination as well as the physical address. This physical address can be used to get details about both C and S. An Nmap scan of either system can return the operating system installed on the host machine. Using IPtrace the malicious user can get the entire path to either of the systems.
- If NAT traversal is used, the malicious user may not be able to get the physical address or the exact address of C, but would be able to get the path to C using IPtrace, although this would not be as effective as in the case without NAT.
- When C and S communicate using the VPN they create a tunnel between them, so anything outside the tunnel does not exist. If the malicious user captures the packets, they will not be able to make any use of them, as the packets are encrypted and the malicious user cannot decrypt them.
- Reduced performance: packets need to be encrypted and decrypted at both ends of the VPN communication, so encryption and decryption take a toll on performance, as a lot of time is needed to secure the packets.
Trust in the VPN: the VPN is the secure channel, and trust is necessary so that C and S can communicate without issues or worries; but if the VPN is hacked, the malicious user will be able to read all the data and the VPN will make no difference. (London Trust Media, 2017)
VPN server logs: the malicious user might request or get hold of the VPN server logs. These logs record all the IP addresses that have communicated with each other, which might lead to leakage of information about what was communicated over the secure channel.
- The main aim of Tor is to separate routing from identifying properties, which helps in escaping surveillance and traffic analysis by a malicious hacker. It encrypts the packets and bounces them over a random path of relays run by volunteers around the globe, giving the most secure communication possible, since the data may not even pass through the malicious router Rm when the Tor Browser is used. (London Trust Media, 2017)
- Advantages of Tor Vs VPN
- It does not need to trust any path; all paths are totally random in nature.
- Your ISP is not able to track your activities, so you are completely anonymous.
- More secure than a VPN, as it encrypts the packets and bounces them over a random path of relays run by volunteers around the globe, giving the most secure communication possible, since the data may not even pass through the malicious router Rm when the Tor Browser is used. (London Trust Media, 2017)
- Disadvantages of Tor Vs VPN
- Tor is often blocked by many websites, so you might not be able to browse the website at all.
- Too slow for P2P networking: because packets are routed along different routes all the time, P2P becomes a lot slower.
- No protection from malicious Tor nodes: the nodes might capture the packet, read it and modify it as required for the onward communication or response.
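To show the "routing separated from identity" point above, and the caveat about malicious relays, here is an added Python simulation (not part of the original answer and not Tor's actual implementation). Client C wraps a message in one encryption layer per relay on a three-relay path to S; each relay strips its own layer, learns only the previous and next hop, and forwards. The per-relay keys are assumed to be pre-shared (Tor negotiates them during circuit setup), and the layer cipher is a SHA-256 keystream XOR standing in for Tor's AES-CTR, with no integrity protection.

```python
import hashlib
from typing import Dict, List, Tuple


def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks; stands in for AES-CTR in this example."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def layer(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream: the same call adds or removes one onion layer."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def encode(next_hop: str, data: bytes) -> bytes:
    """Length-prefixed next-hop name followed by the inner cell."""
    hop = next_hop.encode()
    return bytes([len(hop)]) + hop + data


def decode(cell: bytes) -> Tuple[str, bytes]:
    n = cell[0]
    return cell[1:1 + n].decode(), cell[1 + n:]


def build_onion(route: List[str], keys: Dict[str, bytes], destination: str,
                payload: bytes) -> Tuple[str, bytes]:
    """Wrap the payload innermost-first so the first relay peels the outermost layer."""
    cell, next_hop = payload, destination
    for relay in reversed(route):
        cell = layer(keys[relay], encode(next_hop, cell))
        next_hop = relay
    return next_hop, cell


def simulate(route: List[str], keys: Dict[str, bytes], destination: str, payload: bytes):
    """Forward the onion hop by hop and record what each relay can see."""
    observations = []
    hop, cell = build_onion(route, keys, destination, payload)
    prev = "C"
    while hop in keys:                       # still at a relay
        next_hop, inner = decode(layer(keys[hop], cell))
        observations.append({"relay": hop, "from": prev, "to": next_hop,
                             "sees_payload": inner == payload})
        prev, hop, cell = hop, next_hop, inner
    return hop, cell, observations           # hop is now S and cell is the plaintext payload


# Constructed keys and route for the demonstration
KEYS = {"R1": b"entry-relay-key", "R2": b"middle-relay-key", "R3": b"exit-relay-key"}
ROUTE = ["R1", "R2", "R3"]

if __name__ == "__main__":
    dest, data, obs = simulate(ROUTE, KEYS, "S", b"GET / HTTP/1.1")
    for o in obs:
        print(o)
    print("delivered to", dest, ":", data)
```

R1 sees C but not S, R2 sees neither end, and only the exit R3 sees both the destination and the plaintext payload; that last observation is the "malicious Tor nodes" disadvantage listed above, and the reason the request inside the circuit should itself be protected with HTTPS. A router such as Rm sitting on any one link observes only that hop's two endpoints.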
References
Agholor, S., Sodiya, A., Akinwale, A., & Adeniran, O. (2016). A secured mobile-based password manager. 2016 Sixth International Conference on Digital Information Processing and Communications (ICDIPC). https://dx.doi.org/10.1109/icdipc.2016.7470800
Lashkari, A. H., Danesh, M. M. S., & Samadi, B. (2009). A survey on wireless security protocols (WEP, WPA and WPA2/802.11i). 2009 2nd IEEE International Conference on Computer Science and Information Technology. https://dx.doi.org/10.1109/iccsit.2009.5234856
Hassan, A., & Zhang, X. (2011). Bypassing web-based wireless authentication systems. 2011 IEEE Long Island Systems, Applications and Technology Conference. https://dx.doi.org/10.1109/lisat.2011.5784246
London Trust Media, Inc. (2017). Advantages and disadvantages of Tor vs VPN vs Proxy. Privateinternetaccess.com. Retrieved 29 May 2017, from https://www.privateinternetaccess.com/pages/tor-vpn-proxy
Onno, S., Neumann, C., & Heen, O. (2012). Conciliating remote home network access and MAC-address control. 2012 IEEE International Conference on Consumer Electronics (ICCE). https://dx.doi.org/10.1109/icce.2012.6161758
Shrestha, N. (2017). 12 tcpdump commands - a network sniffer tool. Tecmint.com. Retrieved 29 May 2017, from https://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/
Yang, B., Chu, H., Li, G., Petrovic, S., & Busch, C. (2014). Cloud password manager using privacy-preserved biometrics. 2014 IEEE International Conference on Cloud Engineering. https://dx.doi.org/10.1109/ic2e.2014.91