COIT20262 – Advanced Network Security, Term 2, 2016
Due date: 5pm Friday 7th October 2016 (Week 12) ASSESSMENT
Length: N/A 2
Note: Attempt all questions
Your assignment must be in Microsoft Word format, and must be submitted electronically by the due date via the Moodle website
Question 1 – Cryptographic Operations with GPG [10 marks]
Objective: gain experience with using software to perform common cryptographic operations.
There are many different software (and hardware) implementations of cryptographic operations. GNU Privacy Guard (GPG) is one such piece of software, which focusses on a simple, open source implementation of common public key operations (but also includes symmetric key encryption). In this task you must use GPG to perform some common operations to communicate securely with the course coordinator.
GPG is available for most operating systems. You will need to install it on your computer to complete this task. Chapter 1 of the GNU Privacy Handbook provides examples of using most of the commands needed for this task. Others may be found in the ‘man’ or help page for the command once installed.
Scenario: you want to send a message to the course coordinator. You will do that by submitting a file on Moodle. But you want the communications to be secure (you don’t even trust other staff that can also access Moodle submissions). You will use symmetric key cryptography to encrypt the message. But the problem with symmetric key cryptography is that a shared secret key must be exchanged somehow. A common solution is to encrypt the shared secret key using public key cryptography. So in fact you will send two pieces of information to the course coordinator (although in one file): a message and the shared secret key. The course coordinator wants to be sure the message they receive came from you, therefore you will also sign the message. This assumes you know the course coordinators public key, which is available on Moodle. In the following instructions when you see id in a filename, replace it with your student ID. For example, if your student ID is s123456, then the message file will be called s123456message.txt. Similarly, replace the example names, IDs, emails with yours.
a) Create the message by putting the following inside a text file named id-message.txt:
Name: include your name here
ID: include your ID here Email: include your email here Message:
Write one or more paragraphs that explain which software used in the assignments is the hardest to use, and why. This is not assessed but is useful feedback.
b) Create a shared secret key by generating a 12 byte random value encoded as base64.
Put the 16 character base64 value in a file called id-sharedsecret.txt. Hint: use gpg to generate the random bytes, and include the --armor option to encode as base64.
c) Generate your own RSA 2048-bit key pair. Include your name and CQU email address when prompted. For simplicity in this assignment, do not use a passphrase on your key (if you do, make sure you remember it).
d) Export your public key and save it to a text file called id-publickey.txt. Use the -armor option to generate a text based public key.
e) Create a detached signature of the message, saving that signature as id-message.sig.
f) Combine the message (id-message.txt) and signature (id-message.sig) into a single file called id-signedmessage.zip) using ZIP. Do not include any directories or other files in the ZIP file – it should contain just two files.
g) Use AES128 to encrypt the zip file. When prompted for a passphrase, use the 16 character shared secret generated earlier. The output file is called id-
h) Use RSA to encrypt the shared secret. The output file is called id-sharedsecret.gpg.
i) “Send” the two encrypted files to the course coordinator by submitting on Moodle. Also “publish” your public key by submitting on Moodle.
In your assignment for this question include the list of GPG commands you used in each step above, and with each command, a short explanation of what it does (including what the options do). If a step did not use a GPG command, then just explain what you did in that step.
Once files are submitted, they will be decrypted/verified using the reverse operations of what you were expected to do. If your files successfully decrypt/verify, and the obtained plaintext files are in the correct format, you will receive 7 marks. If the commands are listed and explained correctly in your assignment submission then you will receive an additional 3 marks. If the explanations are incorrect or do not explain options, then you will be deducted 1 to 3 marks (e.g. receive 7, 8 or 9 out of 10 in total).
If your files do NOT successfully decrypt/verify, then your list and explanation of the commands will be reviewed to determine what mistakes you made. For each mistake you will be deducted 3 marks. For example, if you make one mistake but all your other commands and explanations are correct, then you will receive 7 out of 10. Two mistakes will receive 4 out of 10, and so on. Additional marks may be deducted (up to 3) if your explanations are incorrect or do not explain options.
Question 2 Secure Web Browsing with HTTPS [16 marks]
Objective: understand basics of HTTPS protocol operation, format of digital certificates, and role of different ciphers in Internet communications.
For secure web browsing HTTPS is used. HTTPS is essentially HTTP on top of Secure Sockets Layer (SSL). However over time SSL has been upgraded to various versions, and renamed to Transport Layer Security (TLS). TLS1.0 was very similar to SSL3. TLS1.1 saw significant changes and separation from SSL3. Now TLS1.2 is recommended for use, and SSL3 and earlier no longer considered secure. Despite the differences, you will often see SSL and TLS used interchangeably. In the following we will refer to SSL, but be aware it means TLS in many cases.
How does SSL work? Your task is to find out. As a starting point, SSL uses a Record protocol to deliver different SSL messages between client and server. At the start of a SSL connection a Handshake Protocol is used. After the handshake is finished, encrypted application data is sent. After the data is sent, an encrypted Alert message may be sent to notify the close of the SSL connection. One or more HTTP exchanges may be performed in a single SSL connection.
The file a02-assignment-2-question-2-capture.pcap includes packets for several HTTPS exchanges from a single web browser to a single website.
a) [4 marks] Draw a message sequence diagram that illustrates the SSL packets belonging to the first TCP connection in the file. Refer to the instructions in assignment 1 for drawing a message sequence diagram, as well as these additional requirements:
- Only draw the SSL packets; do not draw the 3-way handshake, TCP ACKs or connection close. Hint: identify which packets belong to the first TCP connection and then filter with “ssl” in Wireshark. Depending on your Wireshark version, the protocol may show as “TLSv1.2”.
- A single TCP packet may contain one or more SSL messages (in Wireshark look inside the packet for each “Record Layer” entry to find the SSL message names). Make sure you draw each SSL message. If a TCP packet contains multiple SSL messages, then draw multiple arrows, one for each SSL message, and clearly label each with SSL message name.
- Clearly mark which packets/messages are encrypted.
b) [5 marks] Considering the first TCP connection only, answer the following questions. You must explain the reason for your answer by referring to specific parts of the capture. For example, “The answer is X as field Y in packet number Z shows that …”.
i. What is the domain of the website that the web browser visited? ii. What symmetric key cipher was used for encrypting the data? iii. What public key cipher was used for exchanging a secret? iv. What cipher and what hash algorithm are used in signing the web servers certificate?
v. How many HTTP requests do you think were exchanged in the first SSL connection? Why?
c) [3 marks] The user of the web browser typed in a URL containing some domain (answer in question (b) i.). Explain how the web browser knows it is communicating with the server of that domain (and it is not a server pretending to be for that domain). Refer to the specific messages/fields in the capture and the names of the organizations/entities.
d) [2 marks] If you were using your browser to visit the same webpages as in the capture (assuming it is a real website and you have access to it), do you think your web browser would present any warnings or errors? Explain your answer.
e) [2 marks] In the second and third TCP connections in the capture, the web browser is continuing to access webpages on the same website, but notice the SSL connection handshake has fewer SSL messages than the first TCP/SSL connection. Explain the tradeoffs of doing this (i.e. the advantage and disadvantage of the shortened subsequent handshakes) and how it is achieved (refer to fields in the captured packets).
a) The diagram must have all packets clearly labelled to obtain full marks. Missed messages, incorrect messages or unclear diagram will result in loss of marks.
b) 1 mark for each sub-question that has correct answer and reasoning with reference to captured packets.
c) Full marks if the method is clearly described with references to fields and messages in the capture. Minor misunderstandings will receive 2 marks. Poor description and/or incorrect method will receive 0 or 1 mark.
d) Description and explanation must demonstrate good understanding of issue to receive full marks.
e) Full marks if at least one advantage, at least one disadvantage, and explanation of how the shortened handshake is achieved is correct.
Question 3 Securing a Small Network [9 marks]
Objective: be aware of security features available in WiFi networks, how to deal with threats, as well as password management.
Scenario: After graduation, you and 10 of your classmates have formed a startup to commercialise an idea based on your expertise gained from your degree. You have rented a large house where everyone will work together, trying to rapidly turn the idea into a proof-ofconcept and eventually marketable product. You are confident in your idea and plan, and expect if you can quickly get to market, your product will be worth millions of dollars, and may result in a buyout from the likes of Google, Facebook, etc.
You expect to have 10 to 15 others work with you, either temporarily or full-time, over the next few months. The house you are using as an office will also have regular visitors: friends and family, advisors, potential clients and funders, … .
Your network contains several servers and desktops, but primarily everyone works with their own laptop, tablet and phone (they are personal devices of many different types and using different operating systems), and use cloud computing for many non-critical services (email, messaging, non-confidential file storage). The key Intellectual Property is in the form of files (e.g. designs, code, graphics) and is stored on internal servers. The house has two Internet connections: NBN as well as an ADSL2 line. Although there is a wired Ethernet network connecting the desktops and servers, most users will use WiFi.
Despite your big plans, you have little income, and cannot afford people dedicated to network administration. Therefore you have been assigned the initial task of setting up the WiFi network, as well as producing a set of recommendations for securing the network. You already have 6 consumer-grade WiFi routers (e.g. TP-Link Archer C series) installed across the house. They provide coverage for most of the area, but there are some dead-zones outside and in some rooms. You don’t have the budget or time to deploy dedicated authentication servers: you want to setup the WiFi routers, and then spend little or no time administering them over the coming months.
Consider the security of the WiFi network. You want to set it up so startup members can use the network, but also provide access to visitors and temporary workers. Although you are a small, new startup, your Intellectual Property is potentially very valuable, so different attacks on your network are likely.
a) [3 marks] Explain what technologies/settings you will use in securing the WiFi network. Refer to specific technologies/settings and explain why you would use them. For example, “On every WiFi router enable feature X. The reason for doing this is …”. As an example of the features available on WiFi routers, see the emulation website for TP-Link devices: http://www.tp-link.com/en/emulators.html
Despite the members of the startup having little time to worry about network security, they all realise that with the value of their Intellectual Property, network security is important. Therefore they will listen to and follow any recommendations you make in using the internal network.
b) [3 marks] Provide a list of recommendations for the startup members in using the internal network. The recommendations are things the users should or should not do to ensure the internal network is secure. For each recommendation give a concise description, explain the reason for the recommendation, and explain any potential disadvantages or weaknesses of following the recommendation. For example, “Recommendation 1: Never do X. The reason is because of Y. The drawback of this is that you won’t be able to do Z.” (This is just a short example; the recommendations may be longer, more detailed).
Now consider the external networks, and especially how the startup members use many different cloud services (e.g. Google Docs, Facebook, Twitter, Slack, AWS, …). Each member may have accounts on many different services, and may want to login to those accounts from their own devices (laptop, tablet and phone), as well as other devices (e.g. shared desktops, temporarily using someone else’s laptop).
c) [3 marks] Provide a list of recommendations for the startup members in managing (including creating) their passwords and authentication information. For each recommendation give a concise description, explain the reason for the recommendation, and explain any potential disadvantages or weaknesses of following the recommendation.
For sub-questions a), b) and c) marks will be allocated based on the completeness, accuracy and clarity of your answer.
• An answer is considered complete if you have listed the main possible answers (technologies, settings, recommendations). You do not have to list all possible answers to be considered complete, but should have most of the relevant answers. There is not fixed number of technologies, settings or recommendations to be considered complete.
• An answer is considered accurate if it is correct and/or appropriate. The explanation/reasoning you provide in your answer is an important part to convincing the marker it is correct/appropriate.
• An answer is considered clear if it can be easily read and understood by a marker with similar knowledge to other good students. The explanations are detailed and use terminology appropriate for the course.
Overall, the answers must demonstrate a good understanding of the important issues that arise from the question.
Question 4 Intrusion Detection with Snort [9 marks]
Objective: gain experience with using Snort and with identifying/analysing packet traces
You are the administrator for a network that has users exchanging files using various approved server applications (HTTP and SSH). You have discovered that image editing software used in the organisation has a bug such that JPEG image files may trigger malicious behaviour when opened. As one method to minimise the impact of the bug, you have configured the servers to monitor any JPEG files transferred. However you believe some users are exchanging images using other, unapproved, applications. Therefore your task is to identify in real-time which and when users are exchanging JPEG files using unapproved applications. You will use Snort to alert you of such exchanges.
Your task: write Snort rules that alert you of the start of an exchange of a JPEG file that does not involve HTTP or SSH. The rules should be clearly commented. The file a02-assignment-
2-question-4-capture.pcap is a trace of the packets exchanged in the network. Use it as an input to Snort to complete this task.
Requirements and Hints:
• The computers and ports of the approved HTTP and SSH servers may vary. Therefore, as they may change over time, you CANNOT use IP addresses or port numbers to alert you to an unapproved exchange.
• Other file formats exchanged using unapproved applications (non-HTTP, non-SSH) are not of interest to you. You only want to be alerted about JPEG files.
• The file a02-assignment-2-question-4-capture.pcap was obtained on a nonstandard system that resulted in some erroneous packet checksums. Therefore you MUST use the “-k none” option with Snort to disable all checksum checks.
• Print the following message when an unapproved JPEG exchange is initiated:
Exchange of JPEG file using unapproved application • As a hint, there are 5 unapproved JPEG exchanges.
Answer the following sub-questions:
a) [5 marks] Submit your Snort rules as a single file called id-snort.conf (replace id with your student ID). Make sure the rules are clearly explained via the comments in the file. Your file will be tested with the following Snort command:
snort –k none –c id-snort.conf –r a02-assignment-2-question-4-capture.pcap The alert file produced should contain 5 messages, and the log file produced should contained 5 packets.
b) [2 marks] Explain one method that a malicious user could use to avoid detection by your rules.
c) [2 marks] For the 5 alerts, find the actual JPEG images that were exchanged. Hint: you don’t have to use Snort to get this answer. You may use Wireshark or other software, however the answer must come only from the capture file provided. For your answer, include the 5 images in your assignment report (do NOT submit the JPEG files on Moodle; just embed them in your report) and explain how you obtained them.
a) To obtain 5 marks your Snort rules most return the correct 5 packets using correct conditions (e.g. not using IP addresses, but using conditions that would work for other traces) and have comments that explain the rules. No or poor comments, but correct rules, will result in a score of 2 to 4 marks. Incorrect rules (using the wrong conditions, not matching the correct packets) will result in a score of 0 to 3.
b) The method must be realistic within the context of the scenario and well explained to obtain 2 marks.
c) If all 5 images are included in the report and the method is appropriate you will obtain 2 marks. Including the images with no or poor explanation will result in 0 or 1 mark (depending on part a) answer).
Question 5 Firewall Rules [6 marks] Objective: understand firewall rules and the importance of consistency and ordering.
Consider a firewall configured with the following rules:
Rule No. Transport
1 UDP 0.0.0.0/0 any 220.127.116.11 53 allow
2 TCP 18.104.22.168/24 any 22.214.171.124 22 allow
3 TCP 126.96.36.199 4500 188.8.131.52 22 deny
4 TCP 127.0.0.1 443 184.108.40.206 6000 allow
5 TCP 0.0.0.0/0 any 220.127.116.11 6000 deny
6 UDP 0.0.0.0/0 any 18.104.22.168 32768 deny
7 TCP 0.0.0.0/0 any 22.214.171.124 32769 deny
8 TCP 0.0.0.0/0 any 126.96.36.199 32768 deny
9 TCP 0.0.0.0/0 any 188.8.131.52 80 allow
10 UDP 184.108.40.206 1025 0.0.0.0/0 65535 allow
11 UDP 220.127.116.11 1025 0.0.0.0/0 65535 allow
12 UDP 18.104.22.168 1025 0.0.0.0/0 65535 allow
13 any 0.0.0.0/0 any 0.0.0.0/0 any allow
14 TCP 0.0.0.0/0 any 0.0.0.0/0 any deny
15 UDP 0.0.0.0/0 any 0.0.0.0/0 any deny
16 TCP 0.0.0.0/0 any 22.214.171.124 6000:6010 deny
17 TCP 0.0.0.0/0 any 126.96.36.199 0:1024 deny
18 any 0.0.0.0/0 any 188.8.131.52 any deny
a) [3 marks] Describe the meaning of a rule conflict. Identify all conflicting rules in the above table.
b) [3 marks] Identify any redundancies in the table, and for each, explain which rule would be applied if using each of the following 3 matching strategies: first, best, last. For example, if you identify a redundancy, then state which rule would be applied if first matching was used, then state which rule would be applied if best matching was used, and then for last matching. Repeat for other redundancies.
Both sub-questions require you to identify all possible correct answers (i.e. all conflicts, all redundancies), and in b) give appropriate explanations to obtain full marks. Missing correct answers and/or poor explanations will see marks deducted.