Advanced Network Security, Term 1 (COIT20262) Assignment Help

COIT20262 – Advanced Network Security, Term 1, 2024 Assignment 2

Questions 

Due date: 11:45 pm Monday 3 June 2024 (Week 13)

Weighting: 40% 

Instructions 

Attempt all questions. 

This is an individual assignment, and it is expected that students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged); however, each student should develop and write up their own answers. See CQ University resources on Referencing and Plagiarism. Guidelines for this assignment include: 

Do not exchange files (reports, captures, diagrams) with other students. Complete tasks with virtnet yourself – do not use results from another student. Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students. 

Write your own explanations. In some cases, students may arrive at the same numerical answer, however their explanation of the answer should always be their own. Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words. Perform the tasks using the correct values listed in the question and using the correct file names. 

File Names and Parameters 

Where you see [StudentID] in the text, replace it with your actual student ID. If your student ID contains a letter (e.g. “s1234567”), make sure the letter is in lowercase. 

Where you see [FirstName] in the text, replace it with your actual first name. If you do not have a first name, then use your last name. Do NOT include any spaces or other non-alphabetical characters (e.g. "-"). 

Submission 

Submit two files on Moodle only: 

1. The report, based on the answer template, called [StudentID]-report.docx. 

2. The packet capture [StudentID]-https.pcap. 

Marking Scheme 

A separate spreadsheet lists the detailed marking criteria. 

Virtnet 

Questions 1 and 3 require you to use virtnet topology 5. The questions are related, so you must use the same nodes for all of them. 

node1: client; assumed to be external from the perspective of the firewall.

node2: router; gateway between the internal network and external network. Also runs the firewall. 

node3: server; assumed to be internal from the perspective of the firewall. Runs a web server with HTTPS and an SSH server for external users (e.g. on node1) to log in to. Will contain accounts for multiple users.

Question 1. HTTPS and Certificates [10] 

For this question you must use virtnet (as used in the Tutorials) to study HTTPS and certificates. This assumes you have already set up and are familiar with virtnet. See Moodle and the workshop instructions for information on setting up and using virtnet, deploying the website, and testing the website. 

Your task is to set up a web server that supports HTTPS. The tasks and sub-questions are grouped into multiple phases. 

Phase 1: Setup 

1. Ensure your MyUni grading system, including the new student user and domain of , is set up. See the instructions in Assignment 1; you can continue to use the setup from Assignment 1. 

Phase 2: Certificate Creation 

1. Using [StudentID]-keypair.pem from Assignment 1, create a Certificate Signing Request called [StudentID]-csr.pem. The CSR must contain these field values: 

o State: state of your campus 

o Locality: city of your campus 

o Organisation Name: your full name 

o Common Name: www.[StudentID].edu 

o Email address: your @cqumail address 

o Other field values must be selected appropriately. 

2. Now you will change roles to act as a CA. A different public/private key pair has been created for your CA as [StudentID]-ca-keypair.pem. As the CA you must: 

3. Set up the files/directories for a demoCA. 

4. Create a self-signed certificate for the CA called [StudentID]-ca-cert.pem

5. Using the CSR from step 1, issue a certificate for www.[StudentID].edu called [StudentID]-cert.pem. 
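The Phase 2 steps above, scripted with OpenSSL as an added example (this is not part of the assignment and not the unit's own material). Everything in it is a placeholder you must replace with your own values: SID (your lowercase student ID) and the subject fields in SUBJ; set WORK to the directory holding [StudentID]-keypair.pem and [StudentID]-ca-keypair.pem, otherwise it runs in a temporary directory with throwaway keys so it can be tried stand-alone.

```shell
#!/bin/sh
# Added example (not part of the assignment text): Phase 2 scripted with OpenSSL.
# Placeholders to change: SID (your lowercase student ID) and the subject values
# in SUBJ. Set WORK to the directory holding [StudentID]-keypair.pem and
# [StudentID]-ca-keypair.pem; otherwise it runs in a temp dir with throwaway keys.
set -e
SID="${SID:-s1234567}"
SUBJ="/C=AU/ST=Queensland/L=Rockhampton/O=Your Full Name/CN=www.$SID.edu/emailAddress=$SID@cqumail.com"
cd "${WORK:-$(mktemp -d)}"
[ -f "$SID-keypair.pem" ]    || openssl genrsa -out "$SID-keypair.pem" 2048 2>/dev/null
[ -f "$SID-ca-keypair.pem" ] || openssl genrsa -out "$SID-ca-keypair.pem" 2048 2>/dev/null
# Step 1: CSR for www.[StudentID].edu signed with the existing server keypair
openssl req -new -key "$SID-keypair.pem" -out "$SID-csr.pem" -subj "$SUBJ"

# Step 3: demoCA layout that 'openssl ca' expects (index, serial, newcerts) plus
# a minimal CA config. The stock openssl.cnf uses policy_match, which rejects a
# CSR whose C/ST/O differ from the CA certificate; policy_anything avoids that trap.
mkdir -p demoCA/newcerts && : > demoCA/index.txt && echo 01 > demoCA/serial
cat > demoCA/ca.cnf <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = ./demoCA
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = ./$SID-ca-cert.pem
private_key   = ./$SID-ca-keypair.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything
[ policy_anything ]
countryName         = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
commonName          = supplied
emailAddress        = optional
EOF
# Step 4: self-signed CA certificate
openssl req -new -x509 -days 365 -key "$SID-ca-keypair.pem" -out "$SID-ca-cert.pem" \
  -subj "/C=AU/ST=Queensland/O=$SID CA/CN=$SID Root CA"

# Step 5: act as the CA and issue the server certificate from the CSR
openssl ca -batch -config demoCA/ca.cnf -in "$SID-csr.pem" -out "$SID-cert.pem" 2>/dev/null

# Checks to run before pointing Apache at the files: chain validates, CN is right
verify_chain() { openssl verify -CAfile "$SID-ca-cert.pem" "$SID-cert.pem" >/dev/null 2>&1; }
cert_cn() { openssl x509 -in "$SID-cert.pem" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'; }
```

If `openssl ca` fails silently, rerun it without `2>/dev/null`: the usual causes are a missing demoCA file or a policy mismatch between the CSR and the CA certificate.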

Phase 3: HTTPS Configuration 

1. Configure the Apache web server on node3 to use HTTPS with the domain name www.[StudentID].edu. 

2. Load the CA certificate into the client on node1. 

Phase 4: Testing 

1. Start capturing on node2 using tcpdump.

2. On node1, use lynx to visit https://www.[StudentID].edu/grades/ and login to view some grades. 

3. Demonstrate to your tutor that your secure website is operating correctly. [4 marks]


4. Stop the capture and save the file as [StudentID]-https.pcap.

When capturing, make sure you capture a full HTTPS session, and avoid capturing multiple sessions. 

For on-campus students: Step 3 above should be demonstrated in your allocated Week 9, 10, 11 or Week 12 tutorial class. Your local tutor will inform you when your demonstration is passed. 

For distance students: the Unit Coordinator will organise a time for you to demonstrate step 3.

Phase 5: Analysis 

(a) Demonstration of secure web site [4 marks] 

(b) Submit the following packet capture [StudentID]-https.pcap on Moodle [0.5 marks] 

(c) Draw a message sequence diagram that illustrates the TLS/SSL packets belonging to the first HTTPS session in the file. Refer to the instructions in assignment 1 for drawing a message sequence diagram, as well as these additional requirements: 

Only draw the TLS/SSL packets; do not draw the 3-way handshake, TCP ACKs or connection close. Hint: identify which packets belong to the first TCP connection and then filter with “ssl” in Wireshark. Depending on your Wireshark version, the protocol may show as “TLSv1.2”. 

A single TCP packet may contain one or more SSL messages (in Wireshark look inside the packet for each “Record Layer” entry to find the SSL message names). Make sure you draw each SSL message. If a TCP packet contains multiple SSL messages, then draw multiple arrows, one for each SSL message, and clearly label each with SSL message name. 

Clearly mark which packets/messages are encrypted. [2.5 marks] 

(d) Explain how an attacker may exploit users accessing https://www.[StudentID].edu/grades/ if they obtained [StudentID]-ca-keypair.pem. You must describe the attack in full, including the steps the attacker would take and how the users or their data would be compromised. [3 marks]

Question 2. Attack Detection from Real Intrusion Dataset [7 marks] 

For this question you need to implement three classifiers to distinguish attack from normal behaviour in the UNSW-NB15 intrusion dataset. You are required to read the data from the training set (175,341 records) and the test set (82,332 records). 

You are required to implement this using the publicly available machine learning software WEKA. 

For this task you will need two files available on Moodle: 

training.arff and test.arff. 

You need to perform the following steps: 

Import training data. 

For each classifier: 

Select an appropriate classifier 

Specify test option 

Supply test data set 

Evaluate the classifier. 

You need to repeat this for at least 3 classifiers, and then select the results from the best 2 classifiers. 

You need to include in your report the following: 

(a) Screenshot of the performance details for 3 classifiers [1.5 marks] 

(b) Compare the results of the selected best 2 classifiers, evaluating with the metrics: Accuracy, precision, recall, F1-Score and false positive rate. [2 marks] 

Reflection: 

(c) Which classifier gave the best performance? Is there any way to improve the performance further? [1.5 marks] 

(d) In the UNSW-NB15 dataset, there are nine types of network attacks available. Among these nine attacks which two attacks are highly detected by the classifiers? Please give a short explanation of these two attacks. [2 marks]

Question 3. WiFi Security, and Authentication [10 marks] 

You are tasked with designing a network upgrade for a local business. The business currently has a wired network (Ethernet LAN) across three floors of their office building, connecting approximately 40 desktop computers, several servers and tens of other devices (e.g. printers, payment terminals, machinery). There are currently 70 full-time and part-time employees, some working in the office while others are outside or in an external workshop. The network and servers are currently set up with a centralised authentication server, i.e. a user can log in with their username/password from any computer on the network. The network upgrade has two main components: 

A wireless LAN to allow all employees access to the internal network from within the office, outside and in the workshop. Customers of the business may also be granted guest access to the wireless LAN. The wireless LAN will most likely need more than 15 APs and have 100 to 150 clients. 

A VPN to allow selected employees to access the internal network from home or when visiting customers at other locations. 

The business has one IT employee who is capable with computer networking (e.g. they previously setup the wired LAN), but has little knowledge of security. Answer the following questions assuming that you are explaining to the IT employee (as they need to build the network). 

(a) Draw a network diagram that illustrates the wired network, wireless network, and VPN. You should not draw all users and devices; only draw a sample of the users and devices. For example, several switches, several APs, several wired computers, several WiFi users, 1 or 2 VPN external users. (Several may be 2 to 5). Also, clearly indicate which portions of the network have data encrypted due to either WiFi encryption or the VPN (for example, mark those paths that have encryption in red or some other clear label). [2 marks] 

Now consider the wireless LAN security mechanisms that may be considered as options. 

(b) A simple setup to provide authentication and encryption would be to use WPA2 Personal. Explain to the IT employee what they would need to do to set up WPA2 Personal on APs and employee computers (including mobile phones). [2 marks] 

(c) WPA2 typically uses AES128 or AES256. Assuming AES128, explain to the IT employee the difference between the following key/password selection schemes with respect to security and convenience: 

• Random 128-bit binary value 

• Random 16-digit hex value 

• Random 12-character string, where the character set is: uppercase English, lowercase English, digits 0 to 9, and the 10 characters , . / ? [ ] { } ( ) [2 marks] 

Now consider the centralised authentication server used in the business, which uses Linux-based authentication. The IT employee has informed you that a past employee (who has since left the business) most likely stole a copy of the /etc/passwd and /etc/shadow files from the authentication server. They told you the system used MD5 without a salt. 

(d) Explain to the IT employee how the past employee could find the password of the Manager of the business from the stolen files. Refer to the specific files and information in those files, and give the steps of what the past employee would do. [2 marks] 

(e) Recommend to the IT employee a more secure method for password storage in Linux, referring to specific algorithms and/or data to be stored. Explain why it is more secure. [2 marks]
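Before answering (d) and (e), it helps to see how a defender would recognise the weak storage described above. This added shell example (not part of the assignment) reads constructed /etc/shadow-style lines, classifies the hash scheme in each entry by its `$id$` prefix, and lists the accounts whose hashes need re-hashing under a stronger scheme; the account names and hash strings are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the assignment: audit the hash scheme used in each
# /etc/shadow entry so weak storage (such as the unsalted MD5 described above)
# is found before a stolen copy of the file is. SHADOW holds constructed sample
# lines; none of the users or hash values come from a real system.
SHADOW='root:$6$Z9xT3c1q$Q0mN8vLx1bT9yHk6wGd4pR2sUa7fJcEeQ0mN8vLx1bT9yHk6wGd4pR2s:19500:0:99999:7:::
manager:0123456789abcdef0123456789abcdef:19500:0:99999:7:::
alice:$y$j9T$ab12cd34ef56gh78$QwErTyUiOpAsDfGhJkLzXcVbNm1234567890abcd:19500:0:99999:7:::
bob:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:19500:0:99999:7:::
svc:*:19500:0:99999:7:::'

# hash_scheme HASHFIELD -> prints "<scheme> <verdict>" for one shadow hash field
hash_scheme() {
  case "$1" in
    '$y$'*|'$7$'*)   echo "yescrypt ok" ;;
    '$6$'*)          echo "sha512crypt ok" ;;
    '$5$'*)          echo "sha256crypt ok" ;;
    '$2a$'*|'$2b$'*) echo "bcrypt ok" ;;
    '$1$'*)          echo "md5crypt WEAK" ;;      # salted, but MD5-based and fast
    ''|'*'|'!'*)     echo "locked/none n/a" ;;   # no password login possible
    *)
      # 32 hex characters with no $id$ prefix: a raw, unsalted MD5 digest
      if printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'; then echo "unsalted-md5 WEAK"
      else echo "unknown REVIEW"; fi ;;
  esac
}

# audit_shadow -> one line per account: user, scheme, verdict
audit_shadow() {
  printf '%s\n' "$SHADOW" | while IFS=: read -r user hash _rest; do
    echo "$user $(hash_scheme "$hash")"
  done
}

# weak_accounts -> only the accounts whose stored hash must be re-hashed
# (e.g. by forcing a password change after moving PAM/libcrypt to sha512crypt or yescrypt)
weak_accounts() { audit_shadow | awk '$3 == "WEAK" { print $1 }'; }
```

On a real host, replace the SHADOW variable with `sudo cat /etc/shadow` and keep the output off shared storage, since the file is sensitive.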

Question 4. Firewalls and iptables [8 marks] 

Consider the scenario from Question 3. Your task is to protect the organisation's network using a single iptables-based packet filtering firewall that supports SPI. 

(a) Explain where you would locate the firewall, and justify that location. [1 mark] 

(b) Assuming the firewall can be correctly configured to meet the security policy, discuss the weaknesses/limitations of using the firewall in the location you selected. Give examples of threats that highlight the weaknesses/limitations. [3 marks] 

(c) Design a set of firewall rules for the organisation. For each rule, give a short justification for that rule. [2 marks] 

(d) Implement the firewall rules in virtnet on node2 in topology 5 using iptables. If there are any rules from your design that you cannot implement in the limited virtnet environment with iptables, then explain why you cannot. Include the iptables rules in your report. [2 marks] 

For the virtnet implementation of the firewall on topology 5, you obviously don't have all internal or external devices. node1 is considered external, node3 is internal and node2 is the firewall. However, you should create the iptables-based firewall rules to match your design. You will not be able to test all rules, but you can do some basic testing with lynx, ping, netcat etc. between node1 and node3, and then change the IP addresses in those rules to match your design.

Maintaining Journal [5 marks] 

Whenever you perform tasks, you should be recording important information in your online journal. This may include notes, commands you have run, parts of files you edited, and screenshots. You will be marked on how well you have maintained your journal (including technical depth) and how accurately it captures your tutorial and assignment practical activities from Week 6 to Week 10. Your online journal may also be referred to when marking your submission. For example, if the marker sees two student submissions with very similar answers, they may refer to the journals to review the entries that indicate that both students performed the tasks independently. 

To gain the full 5 marks, your journal has to contain at least evidence of the following practical tasks: 

Firewalls (week 6) 

Authentication (week 7) 

Access control (week 8) 

Wireless security (week 10)
