Advanced Network Security Assignment | Professional Writing Services

COIT20262 Term 1, 2020
Advanced Network Security Page 1 of 11
COIT20262 – Advanced Network Security, Term 1, 2020
Assignment 2
Due date:
11.45 pm Friday 5 June 2020 (Week 12)
ASSESSMENT
Weighting:
40%
2
Length:
N/A
Instructions
Attempt all questions. Submit the following on Moodle:
 Answers: A Microsoft Word document containing answers to the questions.
 Question 1: [studentID]-keypair.pem, [studentID]-pubkey.pem, [studentID]-message.txt, [studentID]-signature.bin, [studentID]-key.txt, [studentID]-ciphertext.bin, [studentID]-secretkey.bin, [studentID]-commands.bash
 Question 2: [studentID]-csr.pem, [studentID]-ca-cert.pem, [studentID]-cert.pem, [studentID]-https.pcap
This is an individual assignment, and it is expected students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged), however each student should develop and write-up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include:
 Do not exchange files (reports, captures, diagrams) with other students.
 Complete tasks with virtnet yourself – do not use results from another student.
 Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students.
 Write your own explanations. In some cases, students may arrive at the same numerical answer, however their explanation of the answer should always be their own.
 Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words.
Marking Scheme
 Each sub-question is allocated marks in [square brackets].
 Questions which require a specific answer will be marked on correctness.
 Questions which require explanations will be marked on correctness, depth and clarity of the answer. To receive full marks, the explanation must be correct, must include significant depth to demonstrate understanding of the topic (but does not include irrelevant information), and must be clear to the intended audience. Unless otherwise stated, assume the audience has a background similar to Master of IT students that have successfully completed 1st year of study.
 Questions which require diagrams will be marked on the correctness and clarity of the diagram.
 Submitted files will be marked on correctness of the information included.
COIT20262 Term 1, 2020
Advanced Network Security Page 2 of 11
Question 1. Cryptographic Operations with OpenSSL [8 marks]
Your task is to use OpenSSL to perform a set of cryptographic operations. When performing cryptographic operations you must be very careful, as a small mistake (such as a typo) may mean the result is an insecure system. Read the instructions carefully, understand the examples, and where possible, test your approach (e.g. if you encrypt a file, test it by decrypting it and comparing the original to the decrypted). It is recommended you use virtnet to perform the operations.
Perform the following steps:
(a) For all the following steps, record the command(s) you used in a file called [studentID]-commands.bash. This file should be a Bash shell script, containing only commands that can be executed and optionally comments (starting with # character).
(b) Generate your own RSA 2048-bit key pair. Use the public exponent of 65537. Save your key pair as [studentID]-keypair.pem.
(c) Extract your public key and save it as [studentID]-pubkey.pem.
(d) Create a text file called [studentID]-message.txt and include your student ID and full name inside the file. This file is referred to as the message or plaintext.
(e) Sign your message file using SHA256, saving the signature as [studentID]-signature.bin.
(f) Generate a 128 bit random value using OpenSSL. This value will be used as a secret key. Store the key as a 32 hex digit string in a file [studentID]-key.txt.
(g) Encrypt your message file using AES-128-CBC and the key generated in step (f). Use an IV of all 0’s (that is, 32 hex 0’s). Save the ciphertext as [studentID]-ciphertext.bin.
(h) Encrypt your [studentID]-key.txt file using RSA so that only the Unit Coordinator can view the contents. Save the encrypted key as [studentID]-secretkey.bin.
Multiple files are output from the above steps. You must submit the following files on Moodle:
 [studentID]-keypair.pem
 [studentID]-pubkey.pem
 [studentID]-message.txt
 [studentID]-signature.bin
 [studentID]-key.txt
 [studentID]-ciphertext.bin
 [studentID]-secretkey.bin
 [studentID]-commands.bash
The file names must be exactly as listed above (replacing [studentID] with your actually student ID, e.g. 12345678-keypair.pem). Use lowercase for all files and double-check the extensions (be careful that Windows doesn’t change the extension).
Examples of the OpenSSL operations needed to complete this task are on Moodle.
COIT20262 Term 1, 2020
Advanced Network Security Page 3 of 11
Marking Scheme
Once files are submitted, they will be decrypted/verified using the reverse operations of what you were expected to do.
 If your files successfully decrypt/verify, and the commands ([studentID]-commands.bash) submitted are correct, then you will receive 8 marks.
 If your files successfully decrypt/verify, but the commands contain errors, then you will receive between 5 and 7 marks, depending on the severity of the errors (e.g. small typo vs wrong command).
 If your files do NOT successfully decrypt/verify, then your commands will be reviewed to determine what mistakes you made. You will receive between 0 and 6 marks, depending on the severity of the errors.
Up to 5 marks may be deducted for incorrect submissions (e.g. not all files submitted, additional files submitted, wrong files submitted, wrong filenames).
COIT20262 Term 1, 2020
Advanced Network Security Page 4 of 11
Question 2. HTTPS and Certificates [15 marks]
For this question you must use virtnet (as used in the workshops) to study HTTPS and certificates. This assumes you have already setup and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and testing the website.
Your task is to setup a web server that supports HTTPS. The tasks and sub-questions are grouped into multiple phases.
Phase 1: Setup Topology
1. Create topology 5 in virtnet.
2. Deploy the MyUni demo website, with node3 being the real web server.
Phase 2: Certificate Creation
1. Use your RSA key pair from Question 1 to generate a Certificate Signing Request called [StudentID]-csr.pem. The CSR must contain these field values:
 State: state of your campus
 Locality: city of your campus
 Organisation Name: your full name
 Common Name: www.myuni.edu
 Email address: your @cqumail address
 Other field values must be selected appropriately.
Now you will change role to be a CA. A different public/private key pair has been created for your CA as [StudentID]-ca-keypair.pem. As the CA you must:
2. Setup the files/directories for a demoCA
3. Create a self-signed certificate for the CA called [StudentID]-ca-cert.pem.
4. Using the CSR from step 1 issue a certificate for www.myuni.edu called [StudentID]-cert.pem.
Phase 3: HTTPs Configuration
1. Configure Apache web server on node3 to use HTTPS where the domain name is www.myuni.edu.
2. Load the CA certificate into the client on node1.
Phase 4: Testing
1. Start capturing on node2 using tcpdump.
2. On node1, use lynx to visit https://www.myuni.edu/grades/ and login to view some grades.
COIT20262 Term 1, 2020
Advanced Network Security Page 5 of 11
3. Demonstrate to your tutor that your secure website is operating correctly. [4 marks]
4. Exit lynx.
5. Stop the capturing and save the file as [StudentID]-https.pcap.
When capturing, make sure you capture a full HTTPS session, and avoiding capturing multiple sessions.
For on-campus students: Step 3 of above should be demonstrated in your allocated Week 9, 10, 11 or Week 12 tutorial class. Your local tutor will be informed you when your demonstration is passed.
For distance students: Unit Coordinator will organise a time for you to demonstrate step 3.
Phase 5: Analysis
(a) Demonstration of secure web site [4 marks]
(b) Submit the following files on Moodle. Each will be analysed to ensure they include correct information (e.g. values specific to you).
 Submit the CSR [StudentID]-csr.pem. [0.25 mark]
 Submit the CA self-signed certificate [StudentID]-ca-cert.pem. [0.25 mark]
 Submit the issued certificate [StudentID]-cert.pem. [0.25 mark]
 Submit the packet capture [StudentID]-https.pcap. [0.25 mark]
(c) Draw a message sequence diagram that illustrates the TLS/SSL packets belonging to the first HTTPS session in the file. Refer to the instructions in assignment 1 for drawing a message sequence diagram, as well as these additional requirements:
 Only draw the TLS/SSL packets; do not draw the 3-way handshake, TCP ACKs or connection close. Hint: identify which packets belong to the first TCP connection and then filter with “ssl” in Wireshark. Depending on your Wireshark version, the protocol may show as “TLSv1.2”.
 A single TCP packet may contain one or more SSL messages (in Wireshark look inside the packet for each “Record Layer” entry to find the SSL message names). Make sure you draw each SSL message. If a TCP packet contains multiple SSL messages, then draw multiple arrows, one for each SSL message, and clearly label each with SSL message name.
 Clearly mark which packets/messages are encrypted. [3 marks]
(d) Based on your certificate and the capture, write answers to the following questions in the table. When giving algorithms, you may use the abbreviation but must accurately identify the variant. For example, AES128 is different from AES256, and SHA256 is different from SHA512. [4 marks, 0.5 mark each]
How many bytes is the hash value in the certificate signature?
What hash algorithm is used to generate the certificate signature?
COIT20262 Term 1, 2020
Advanced Network Security Page 6 of 11
What encryption algorithm is used to generate the certificate signature?
How many bytes is the public key modulus in the certificate?
In the TLS cipher suite used between client and server, what algorithm is used for:
– Encrypting session data?
– Hashing for the MAC?
– Key exchange?
How many bytes of random data are sent from the client to server at the start of the handshake?
(e) In practice, some Certificate Authorities use self-signed certificates, while others have their certificate signed by another CA. Explain why self-signed certificates are needed by CAs, as well as the benefits of one CA sign another CA’s certificate. [2 marks]
(f) In practice, Certificate Authorities must keep their private keys very secure, usually storing them offline in special hardware devices. Explain an attack a malicious user could be perform if they could compromise the CA private key. Use your MyUni website as an example. [1 mark]
COIT20262 Term 1, 2020
Advanced Network Security Page 7 of 11
Question 3. Access Control and Authentication [7 marks]
TechSolution is a small IT security service provider which is expected to have around 50 employees over the next few years. The employees are classified into the following roles:
 CEO
 Executive Group (including CEO and other employees in leadership positions, e.g. Manager of the Software Engineering team)
 Software Engineering
 Graphic Design
 Web Development
 IT Administration
 Sales and Marketing
 Human Resources
 Finance
Some employees may take on multiple roles, e.g. an employee may be both in Software Engineering and Web Development.
The key data resources of the company are classified as:
 Web Content
 Source Code (e.g. for non-web software)
 Multimedia Assets (e.g. images, videos, artwork)
 Trade Secrets (e.g. algorithms, formulas that give the company a significant commercial advantage over competitors)
 Financial Accounts
 Personnel Records
 Marketing Material
 Company Policies
 Meeting Records
Assume role-based access control is to be used for users in different roles to access the above listed resources. The access rights are:
 Own: can change the access rights on the resource
 Read: can view the resource
 Write: can create, delete and modify the resource
Consider you are responsible for IT security of TechSolution and answer the below questions.
(a) Create a table that shows the mappings from Role to Resource. Provide a brief explanation of why you choose this particular mapping. [3 marks]
The company has many trade secrets, some of which are very valuable and known only by the Executive Group (e.g. it would be a significant financial loss if a competing company knew them), some are also know by Software Engineers that implement the algorithms, while other
COIT20262 Term 1, 2020
Advanced Network Security Page 8 of 11
trade secrets are important but known by a wider number of employees. The CEO has asked you to consider implementing Mandatory Access Control on the trade secrets.
(b) Explain how you could apply MAC to the trade secrets, including the levels you would use and the assignment of roles to security clearance levels. [1 marks]
The company is planning to use only passwords as the authentication mechanism for access computing systems. There will be no token-based or biometric authentication.
(c) Write a password policy for the company. The policy must give rules for how new users are registered with the systems, as well as how existing users change their passwords (including forgotten or wrong passwords). Each rule in the policy must be classified as “must” (it is required), “should” (it is required unless there is a good reason for not applying it), or “may” (optional). Each rule be justified/explained. The policy must make a reasonable trade-off between security and convenience. For example, “All users must use a 30 character random password” is a poor policy design (too inconvenient), as is “All users must use their last name as a password” (too insecure). [3 marks]
COIT20262 Term 1, 2020
Advanced Network Security Page 9 of 11
Question 4. Firewalls [6 marks]
An educational institute has a single router, referred to as the gateway router, connecting its internal network to the Internet. The institute has the public address range 138.53.0.0/16 and the gateway router has address 138.53.178.1 on its external interface (referred to as interface ifext). The internal network consists of four subnets:
 A DMZ, which is attached to interface ifdmz of the gateway router and uses address range 138.53.179.0/24.
 A small network, referred to as shared, with interface ifint of the gateway router connected to three other routers, referred to as staff_router, student_router, and research_router. This network has no hosts attached (only four routers) and uses network address 10.4.0.0/16.
 A staff subnet, which is for use by staff members only, that is attached to the staff_router router and uses network address 10.4.1.0/24.
 A student subnet, which is for use by students only, that is attached to the student_router router and uses network address 10.4.2.0/24.
 A research subnet, which is for use by research staff, that is attached to the research_router router and uses network address 10.4.3.0/24.
In summary, there are four routers in the network: the gateway router, and routers for each of the staff, student and research subnets. There are five subnets: DMZ, shared, staff, student, and research.
There are two servers in the DMZ that all can accept requests from the Internet: a web server supporting HTTP and HTTPS, and a SMTP email server. Members of the staff, student and research subnets can access the web server; members of the staff subnet only can access the email server but using IMAP.
The gateway router also runs a stateful packet filtering firewall and performs port address translation. In addition to the DMZ setup as described above, security requirements for the educational institute are:
 External Internet users cannot access any internal computers (except in DMZ and as stated in other requirements).
 Staff, students and researchers can access websites in the Internet.
 The researchers (on the research subnet) run a server for sharing data with selected research partners external to the educational institute. That server provides SSH access and a specialised file transfer protocol using TCP and port 6789 to the partners. The server has internal address 10.4.3.31 and NAT is setup on the gateway router to map the public address 138.53.179.44 to the internal address. Currently there are two partner organisations that can access the server, and they have network addresses: 31.13.75.0/24 and 104.55.9.0/24.
 The professor that leads the research staff also wants access to the data sharing server while they are at home. At home that professor uses a commercial ISP that dynamically allocates IP addresses in the range 23.63.0.0/16.
Considering the above information, answer the following questions:
COIT20262 Term 1, 2020
Advanced Network Security Page 10 of 11
(a) Specify the firewall rules using the format as in the table below. Describe the effect of each rule. [3 marks]
Rule No.
Source Address
Source Port
Dest. Address
Dest. Port
Action
1
2
3
4

(b) Where should firewall(s) be placed in the above network? Justify your answer. [1 mark]
(c) In the above scenario there are two servers in the DMZ: a web server, and a SMTP email server. Explain how DMZ works, and also explain the advantages and disadvantages of using DMZ in the above network. [2 marks]
COIT20262 Term 1, 2020
Advanced Network Security Page 11 of 11
Question 5. Internet Privacy Protection [4 marks]
Encryption is commonly used to provide data confidentiality in the Internet: when two hosts communicate, other entities in the path between the two hosts cannot read the data being sent. However, encryption on its own does not privacy of who is communicating. Although the other entities cannot read the data, they can determine which two hosts are communicating.
Assume you want to have privacy protection while web browsing. Normally, when your client computer sends a HTTP GET request to a web server, the IP address of both your client computer (C) and the web server (S) are included in the IP header of the packet. Any intermediate node on the path between client and server in the Internet can see the values of C and S, thereby learning who is communicating.
Three common techniques for privacy protection, i.e. hiding both values of C and S from intermediate nodes, in the Internet are:
 VPNs
 Web proxies
 Tor
(a) Explain how a web proxy works. Your explanation should include what a user needs to do when using a web proxy, what security it provides, and what are the security and convenience limitations. [2 marks]
(b) Explain the benefits and limitations of a user gains by using a VPN, compared to a web proxy. [2 marks]

 

Don't use plagiarized sources. Get Your Custom Essay on
Advanced Network Security Assignment | Professional Writing Services
Just from $13/Page
Order Essay

COIT20262 – Advanced Network Security, Term 1, 2020

Assignment 2 Submission

Due date: 11.45 pm Friday 5 June 2020 (Week 12) ASSESSMENT
Weighting: 40% 2
Length: N/A

 

Student Name:                        enter your name

Student ID:                 id

Campus:                      campus

Tutor:                          tutor

 

 

 

 

 

Question 1.  Cryptographic Operations with OpenSSL

 

Need to submit files on Moodle

 

Question 2.  HTTPS and Certificates

 

Part (a)

Demonstrate your work to your tutor

Part (b)

Need to submit files on Moodle

Part (c)

Draw a message sequence diagram here

Part (d)

Write your answer here (Fill the table)

Part (e)

Write your answer here

Part (f)

Write your answer here

 

Question 3.  Access Control and Authentication

 

Part (a)

Write your answer here

Part (b)

Write your answer here

Part (c)

Write your answer here

 

 

 

Question 4.  Firewalls

 

Part (a)

Write your answer here

 

Part (b)

Write your answer here

 

Part (c)

Write your answer here

 

 

 

 

 

 

Question 5.  Internet Privacy Protection

Part (a)

Write your answer here

 

Part (b)

Write your answer here

 

 

Q P Description Max Score Comments MarkingScheme
1 a All correct files submitted 1 See openssl-log.txt file for automatic marking results
1 b Commands work correctly 5 See openssl-log.txt file for automatic marking results
1 c Commands.bash 2 2: Commands included and mostly correct
1: 2 or 3 errors or 1 or 2 missing comments
0: Multiple errors or missing commands
1 Question total 8 0
2 a Demonstration of secure website 4 4: Working perfectly
3: Working with minor issue
2: Not working properly
1: Major issue
0: Not demonstrated
b Correct files submitted 1 See https-log.txt file for automatic marking results
2 c Message sequence diagram 3 3: All packets clearly shown
2: Minor formatting issues
1: Some mistakes or missing packets
0: Many mistakes or missing packets
2 d Bytes 0.5 8 Bytes
2 d Hash algorithm 0.5 SHA256
2 d Encryption algorithm 0.5 RSA
2 d Modulos 0.5 256 Bytes
2 d TLS Encrypting 0.5 AES256
2 d Hashing MAC 0.5 SHA384
2 d Key exchange 0.5 Diffie Hellman or ECDHE or similar
2 d Random bytes 0.5 28 Bytes
2 e CA Self-signed 2 2: explanation clear and correct AND benefit clear and correct
1: explanation or benefit is not both clear and correct
0: neither clear and correct
2 f Attack 1 1: correct, enough detail and clear
0: incorrect, or both missing details and unclear
2 Question total 15 0
3 a RBAC table: format. 1.5 1.5: Tablet structured correctly, containing correct values in the cells.
1: Structured but coorect value missing
0: Incorrect
3 a RBAC table: design. The mappings selected must be reasonable for the scenario, with appropriate justification in the explanation. 1.5 1.5: The mappings selected reasonable for the scenario, with appropriate justification in the explanation.
1: Reasonable but not clear
0: Incorrect
3 b MAC explanation. 1 1: Levels and assignments are appropriate.
0: Incorrect
3 c Password policy considers relevant aspects of choosing new passwords. 1 1: Correct
0: incorrect, unclear
3 c Password policy considers relevant aspects of updating passwords 1 1:Correct
0:Incorrcet, unclear
3 c Password policy is not too inconvenient and not too insecure 1 1: Correct
0: incorrect, unclear0
3 Question total 7 0
4 a Firewall rules 3 3: All rules correct and no unnecessary rules
Deduct 1 mark for a incorrect rule, explanation, missing rule or unnecessary rule
Only consider explanation if rule is wrong
b Firewall location 1 1: clear explanation and justification
0.5: either explanation or justification unclear
0: both unclear
4 c DMZ 2 2: clear explanation, pros and cons
1: either explanation or pros/cons unclear
0: both unclear
4 Question total 6 0
5 a Web proxy: how it works. Clear, correct. 1 1: Clear and correct
0.5: Details missing
0: Incorrect
5 a Web proxy: security it provides and limitations 1 1: Clear and correct
0.5: Details missing
0: Incorrect
5 b VPN vs proxy: benefits,  limitations 1 1: Clear and correct
0.5: Details missing
0: Incorrect
5 b VPN security and convenience weaknesses 1 1: Clear and correct
0.5: Details missing
0: Incorrect
5 Question total 4 0
Assignment sub-total 40 0
Files in wrong format e.g. zip or many wrong names 0 0
Days late (part of) 0 0
Late penalty (2.5 per day) 0 0
Assignment total 40 0

Place Order
Grab A 14% Discount on This Paper
Pages (550 words)
Approximate price: -
Paper format
  • 275 words per page
  • 12 pt Arial/Times New Roman
  • Double line spacing
  • Any citation style (APA, MLA, Chicago/Turabian, Harvard)

Try it now!

Grab A 14% Discount on This Paper

Total price:
$0.00

How it works?

Follow these simple steps to get your paper done

Place your order

Fill in the order form and provide all details of your assignment.

Proceed with the payment

Choose the payment system that suits you most.

Receive the final file

Once your paper is ready, we will email it to you.