COIT20262 Assignment 2 Term 1, 2018
COIT20262 - Advanced Network Security, Term 1, 2018
Due date: 5pm Friday 1 June 2018 (Week 12)
Length: strictly according to the question.
Attempt all questions. Submit the following on Moodle:
• Answers: A Microsoft Word document containing answers to the questions.
This is an individual assignment, and it is expected that students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged); however, each student should develop and write up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include:
• Do not exchange files (reports, captures, diagrams) with other students.
• Complete tasks with virtnet yourself – do not use results from another student.
• Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students.
• Write your own explanations. In some cases, students may arrive at the same numerical answer, however their explanation of the answer should always be their own.
• Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words.
Each sub-question is allocated marks in [square brackets].
• Questions which require a specific answer will be marked on correctness.
• Questions which require explanations will be marked on correctness, depth and clarity of the answer. To receive full marks, the explanation must be correct, must include significant depth to demonstrate understanding of the topic (but does not include irrelevant information), and must be clear to the intended audience. Unless otherwise stated, assume the audience has a background similar to Master of IT students that have successfully completed 1st year of study.
• Questions which require diagrams will be marked on the correctness and clarity of the diagram.
• Submitted files will be marked on correctness of the information included.
Question 1. Firewalls [9 marks]
An educational institute has a single router, referred to as the gateway router, connecting its internal network to the Internet. The institute has the public address range 220.127.116.11/16 and the gateway router has address 18.104.22.168 on its external interface (referred to as interface ifext). The internal network consists of four subnets:
• A DMZ, which is attached to interface ifdmz of the gateway router and uses address range 22.214.171.124/24.
• A small network, referred to as shared, with interface ifint of the gateway router connected to three other routers, referred to as staff_router, student_router, and research_router. This network has no hosts attached (only four routers) and uses network address 10.4.0.0/16.
• A staff subnet, which is for use by staff members only, that is attached to the staff_router router and uses network address 10.4.1.0/24.
• A student subnet, which is for use by students only, that is attached to the student_router router and uses network address 10.4.2.0/24.
• A research subnet, which is for use by research staff, that is attached to the research_router router and uses network address 10.4.3.0/24.
In summary, there are four routers in the network: the gateway router, and routers for each of the staff, student and research subnets. There are five subnets: DMZ, shared, staff, student, and research.
There are two servers in the DMZ that can accept requests from the Internet: a web server supporting HTTP and HTTPS, and an SMTP email server. Members of the staff, student and research subnets can access the web server; only members of the staff subnet can access the email server, and they do so using IMAP.
The gateway router also runs a stateful packet filtering firewall and performs port address translation. In addition to the DMZ setup as described above, security requirements for the educational institute are:
• External Internet users cannot access any internal computers (except in DMZ and as stated in other requirements).
• Staff, students and researchers can access websites in the Internet.
• The researchers (on the research subnet) run a server for sharing data with selected research partners external to the educational institute. That server provides SSH access and a specialised file transfer protocol using TCP port 6789 to the partners. The server has internal address 10.4.3.31, and NAT is set up on the gateway router to map the public address 126.96.36.199 to the internal address. Currently there are two partner organisations that can access the server, and they have network addresses 188.8.131.52/24 and 184.108.40.206/24.
• The professor that leads the research staff also wants access to the data sharing server while they are at home. At home that professor uses a commercial ISP that dynamically allocates IP addresses in the range 220.127.116.11/16.
Considering the above information, answer the following questions:
Advanced Network Security Page 7 of 9
(a) Draw a diagram illustrating the network. Although there may be many computers in the staff, student and research subnets, for simplicity you only have to draw three computers in the staff subnet, three computers in the student subnet and three computers in the research subnet (one of those in the research subnet should be the data sharing server). Label all computers and router interfaces with IP addresses. [3 marks]
(b) Specify the firewall rules using the format as in the table below. You may add/remove rows as needed. After the table, add an explanation of the rules (why you design the firewall rules the way you did). [5 marks]
Rule No. | Transport | Source IP | Source Port | Dest. IP | Dest. Port | Action
(c) Consider the rule(s) that allows the professor to access from home. Discuss the limitations, and suggest possible solutions. [1 mark]
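As an added illustration of how a rule table in the format of (b) behaves once the gateway applies it statefully with NAT in front of it, the following script is not part of the assignment text and is not a model answer. It models one possible reading of the requirements: DNAT from the server's public address to 10.4.3.31 happens before filtering, the first matching rule wins, reply packets of an allowed flow pass on connection state, and everything else is denied. The addresses are taken from the question as printed; the web and mail server host addresses inside the DMZ /24 (22.214.171.10 and 22.214.171.25), the partner host 188.8.131.77, the home-ISP host 220.127.200.5 and the 203.0.113.0/24 Internet hosts are assumed for the sample traffic, which is constructed rather than captured.

```python
"""Toy stateful packet filter for checking a Question 1 style rule table.
Added illustration, not a model answer; addresses follow the question text."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    num: int
    proto: str   # "tcp", "udp" or "any"
    src: str     # comma-separated CIDRs, or "any"
    sport: str   # comma-separated ports, or "any"
    dst: str
    dport: str
    action: str  # "allow" or "deny"


# Assumed host addresses inside the DMZ /24; the question only gives the subnet.
WEB, MAIL = "22.214.171.10", "22.214.171.25"
DATA = "10.4.3.31"                                   # data-sharing server (given)
DNAT = {"126.96.36.199": DATA}                       # public -> internal, applied before filtering

INTERNAL = "10.4.1.0/24,10.4.2.0/24,10.4.3.0/24"    # staff, student, research
PARTNERS = "188.8.131.52/24,184.108.40.206/24"      # partner networks as printed
PROF_ISP = "220.127.116.11/16"                      # professor's home ISP range as printed

RULES = [
    Rule(1, "tcp", "any", "any", WEB, "80,443", "allow"),           # HTTP/HTTPS from anywhere
    Rule(2, "tcp", "any", "any", MAIL, "25", "allow"),              # SMTP from anywhere
    Rule(3, "tcp", "10.4.1.0/24", "any", MAIL, "143,993", "allow"), # IMAP, staff subnet only
    Rule(4, "tcp", INTERNAL, "any", "any", "80,443", "allow"),      # internal users browsing out
    Rule(5, "tcp", PARTNERS, "any", DATA, "22,6789", "allow"),      # partners: SSH and port 6789
    Rule(6, "tcp", PROF_ISP, "any", DATA, "22,6789", "allow"),      # professor from home
    Rule(7, "any", "any", "any", "any", "any", "deny"),             # default deny
]


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    # strict=False accepts prefixes written with host bits set, as in the question
    return any(ip in ipaddress.ip_network(n, strict=False) for n in spec.split(","))


def _match_port(spec: str, port: int) -> bool:
    return spec == "any" or str(port) in spec.split(",")


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _match_addr(rule.src, pkt.src) and _match_port(rule.sport, pkt.sport)
            and _match_addr(rule.dst, pkt.dst) and _match_port(rule.dport, pkt.dport))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # 5-tuples of flows a rule has already allowed

    def filter(self, pkt: Packet):
        """Return (action, reason) for one packet after DNAT and state lookup."""
        pkt = Packet(pkt.proto, pkt.src, pkt.sport, DNAT.get(pkt.dst, pkt.dst), pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.established:      # reply to an allowed flow: no rule lookup
            return "allow", "established"
        for rule in self.rules:              # first match wins
            if _matches(rule, pkt):
                if rule.action == "allow":
                    self.established.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action, f"rule {rule.num}"
        return "deny", "implicit deny"


def run_scenario():
    """Push constructed sample packets through a fresh firewall, in order."""
    fw = StatefulFirewall(RULES)
    samples = {
        "partner_to_share": Packet("tcp", "188.8.131.77", 51000, "126.96.36.199", 6789),
        "share_reply": Packet("tcp", DATA, 6789, "188.8.131.77", 51000),
        "stranger_to_share": Packet("tcp", "203.0.113.9", 51001, "126.96.36.199", 6789),
        "student_imap": Packet("tcp", "10.4.2.15", 51002, MAIL, 143),
        "staff_imap": Packet("tcp", "10.4.1.15", 51003, MAIL, 143),
        "student_web": Packet("tcp", "10.4.2.15", 51004, "203.0.113.80", 443),
        "isp_neighbour_ssh": Packet("tcp", "220.127.200.5", 51005, "126.96.36.199", 22),
    }
    return {name: fw.filter(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_scenario().items():
        print(f"{name:20} {action:5} ({reason})")
```

The last sample is the point of part (c): because the professor's home address is only known as a /16 belonging to the ISP, rule 6 admits any other customer of that ISP to the SSH and port 6789 services, which is why the question asks for the limitations of such a rule and for alternatives.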
Question 2. Wireless Network Security [8 marks]
A small company with about 50 employees is moving into a new building. You are being consulted to provide advice and recommendations on deploying a secure wireless network in the building. You have been informed by the IT admin within the company that they require 15 wireless access points to cover the entire area, and that all access points will be of the same model/brand, selected from TP-Link, D-Link or Netgear. The IT staff in the company are capable of deploying the network, but have very little knowledge of how to secure it. A good guide is provided by the Australian Government, but the IT admins do not understand it.
(a) Write five (5) recommendations for the IT admin in securing the wireless network. Each recommendation must have two parts: what is recommended, and why it is recommended. The what part should be specific, referring to recommended protocols, algorithms or technologies. The why part should provide a short (1-3 sentences) explanation of what security problem is solved by following the recommendation. [5 marks]
(b) Select one of the wireless access point vendors (TP-Link, D-Link or Netgear) and then select an appropriate wireless access point to recommend to the IT admin. For the selected access point, give a table that summarises the key technical specification. [1 mark]
(c) For the selected access point above, list four (4) important security features. For each feature, give the recommended setting and explain why you gave that recommendation. [2 marks]