Question 1. Cryptographic Operations with OpenSSL [8 marks]
Your task is to use OpenSSL to perform a set of cryptographic operations. When performing cryptographic operations you must be very careful, as a small mistake (such as a typo) may mean the result is an insecure system. Read the instructions carefully, understand the examples, and where possible, test your approach (e.g. if you encrypt a file, test it by decrypting it and comparing the original to the decrypted file). It is recommended you use virtnet to perform the operations.
Perform the following steps:
(a) For all the following steps, record the command(s) you used in a file called commands.bash. This file should be a Bash shell script, containing only commands that can be executed and optionally comments (starting with the # character).
(b) Generate your own RSA 2048-bit key pair. Use the public exponent of 65537. Save your key pair as keypair.pem.
(c) Extract your public key and save it as pubkey.pem.
(d) Create a text file called message.txt and include your student ID and full name inside the file. This file is referred to as the message or plaintext.
(e) Sign your message file using SHA256, saving the signature as signature.bin.
(f) Generate a 128 bit random value using OpenSSL. This value will be used as a secret key. Store the key as a 32 hex digit string in a file key.txt.
(g) Encrypt your message file using AES-128-CBC and the key generated in step (f). Use an IV of all 0’s (that is, 32 hex 0’s). Save the ciphertext as ciphertext.bin.
(h) Encrypt your key.txt file using RSA so that only the Unit Coordinator can view the contents. Save the encrypted key as secretkey.bin.
Multiple files are output from the above steps. You must submit all the files listed above.
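The following script is an added example, not part of the assignment text and not the unit's model answer. It performs steps (b) to (h) in a temporary directory and then applies the reverse operation to each result (verifies the signature with the public key only, decrypts the ciphertext and compares it with the plaintext, unwraps the RSA-encrypted key), which is the check a careful submitter would run before uploading. It assumes an OpenSSL 1.1 or 3.x command-line tool on the PATH. The Unit Coordinator's real public key is not on the page, so a throw-away "coordinator" key pair is generated inside the script purely as a stand-in recipient; the message content is constructed sample text.

```bash
#!/bin/bash
# Added example: Question 1 steps (b)-(h) followed by their reverse operations.
# Assumes OpenSSL 1.1 or 3.x. The "coordinator" key pair below is a stand-in
# for the Unit Coordinator's real public key, which is not available here.

run_q1_round_trip() {
    d=$(mktemp -d) || return 1
    zero_iv=00000000000000000000000000000000   # 32 hex zeros, as step (g) requires

    # (d) the plaintext: constructed sample content, not a real student ID
    printf 'Student ID: s0000000\nName: Example Student\n' > "$d/message.txt"

    # (b) 2048-bit RSA key pair with public exponent 65537
    openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \
        -out "$d/keypair.pem" 2>/dev/null || return 1
    # (c) public key extracted from the key pair
    openssl pkey -in "$d/keypair.pem" -pubout -out "$d/pubkey.pem" || return 1

    # (e) SHA-256 signature over message.txt, then verified using pubkey.pem only
    openssl dgst -sha256 -sign "$d/keypair.pem" -out "$d/signature.bin" "$d/message.txt" || return 1
    openssl dgst -sha256 -verify "$d/pubkey.pem" -signature "$d/signature.bin" \
        "$d/message.txt" >/dev/null || return 1

    # (f) 128-bit random key stored as 32 hex digits
    openssl rand -hex 16 > "$d/key.txt" || return 1
    [ "$(tr -d '\n' < "$d/key.txt" | wc -c | tr -d ' ')" -eq 32 ] || return 1

    # (g) AES-128-CBC with the raw hex key (-K) and the all-zero IV; decrypt and compare
    openssl enc -aes-128-cbc -K "$(cat "$d/key.txt")" -iv "$zero_iv" \
        -in "$d/message.txt" -out "$d/ciphertext.bin" || return 1
    openssl enc -d -aes-128-cbc -K "$(cat "$d/key.txt")" -iv "$zero_iv" \
        -in "$d/ciphertext.bin" -out "$d/decrypted.txt" || return 1
    cmp -s "$d/message.txt" "$d/decrypted.txt" || return 1

    # (h) wrap key.txt with the recipient's RSA public key; stand-in key pair, see note above
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/coordinator-keypair.pem" 2>/dev/null || return 1
    openssl pkey -in "$d/coordinator-keypair.pem" -pubout -out "$d/coordinator-pubkey.pem" || return 1
    openssl pkeyutl -encrypt -pubin -inkey "$d/coordinator-pubkey.pem" \
        -in "$d/key.txt" -out "$d/secretkey.bin" || return 1
    # only the holder of the coordinator private key can recover key.txt
    openssl pkeyutl -decrypt -inkey "$d/coordinator-keypair.pem" \
        -in "$d/secretkey.bin" -out "$d/key-recovered.txt" || return 1
    cmp -s "$d/key.txt" "$d/key-recovered.txt" || return 1

    rm -rf "$d"
    echo "all reverse operations succeeded"
}

run_q1_round_trip
```

Every step is written with an explicit `|| return 1` so that a typo in any single command (the failure mode the question warns about) surfaces as a failed round trip rather than a silently wrong file.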
The file names must be exactly as listed above. Use lowercase for all files and double-check the extensions (be careful that Windows doesn’t change the extension). Examples of the OpenSSL operations needed to complete this task are on Moodle.
Marking Scheme
Once files are submitted, they will be decrypted/verified using the reverse operations of what you were expected to do.
• If your files successfully decrypt/verify, and the commands (commands.bash) submitted are correct, then you will receive 8 marks.
• If your files successfully decrypt/verify, but the commands contain errors, then you will receive between 5 and 7 marks, depending on the severity of the errors (e.g. small typo vs wrong command).
• If your files do NOT successfully decrypt/verify, then your commands will be reviewed to determine what mistakes you made. You will receive between 0 and 6 marks, depending on the severity of the errors. Up to 5 marks may be deducted for incorrect submissions (e.g. not all files submitted, additional files submitted, wrong files submitted, wrong filenames).
COIT20262 Assignment 2 Term 1, 2018 Advanced Network Security Page 3 of 9
Question 2. HTTPS and Certificates [15 marks]
For this question you must use virtnet (as used in the workshops) to study HTTPS and certificates. This assumes you have already set up and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and testing the website.
Your task is to:
1. Create topology 5 in virtnet
2. Deploy the MyUni demo website on the nodes
3. Set up the webserver to support HTTPS, including obtaining a certificate cert-myuni-YourID.pem.
4. Capture traffic from the web browser on node1 to the web server that includes a HTTPS session. Save the file as https.pcap.
5. Test and analyse the HTTPS connection.
Step 3 involves obtaining a certificate from a Certificate Authority. Another student from COIT20262 must act as the Certificate Authority for you, and similarly, you can act as the Certificate Authority for them (that is, do this phase in pairs). You must do that in the following way:
1. Use your RSA key pair from Question 1 to generate a certificate signing request, saved as cert-myuni-YourID.csr (where YourID is replaced with your student ID).
2. Send the certificate signing request to another student in COIT20262.
3. That other student will act as the Certificate Authority and generate your certificate as cert-myuni-YourID.pem. They will send your certificate, as well as the CA’s certificate as cert-ca-TheirID.pem (where TheirID is the student ID of your partner), back to you.
In the same way that your partner will act as your CA, you will act as your partner’s CA. You will need to set up a CA, using your RSA key pair from Question 1 to generate a self-signed certificate cert-ca-YourID.pem, and then sign the certificate signing request you receive from your partner.
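The exchange above, with both roles played in one script, as an added example that is not part of the assignment and not the unit's model answer. It generates your CSR from a key pair, builds the partner's self-signed CA certificate, has the partner sign the CSR, and then runs the two checks worth doing before the certificate goes into Apache: the issued certificate verifies against the CA certificate, and it carries the public key of the key pair you actually hold. It assumes OpenSSL 1.1.1 or 3.x; the student IDs (s1111111, s2222222) and the site name www.myuni.edu are constructed placeholders, and the key pairs are regenerated here rather than reused from Question 1.

```bash
#!/bin/bash
# Added example: the Question 2 CA exchange end to end, both sides in one script.
# Assumes OpenSSL 1.1.1 or 3.x. Student IDs and the site name are placeholders.

run_ca_exchange() {
    d=$(mktemp -d) || return 1
    me=s1111111; partner=s2222222          # placeholder IDs for YourID / TheirID

    # your side: a key pair (stands in for the Question 1 pair) and a CSR for the site
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/keypair.pem" 2>/dev/null || return 1
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        '[dn]' 'C = AU' 'O = MyUni' 'CN = www.myuni.edu' > "$d/csr.cnf"
    openssl req -new -sha256 -key "$d/keypair.pem" -config "$d/csr.cnf" \
        -out "$d/cert-myuni-$me.csr" || return 1

    # partner's side: their own key pair and a self-signed CA certificate.
    # basicConstraints CA:TRUE and keyCertSign are what make it usable as an issuer.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/partner-keypair.pem" 2>/dev/null || return 1
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[dn]' 'C = AU' 'O = COIT20262' "CN = CA $partner" \
        '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$d/ca.cnf"
    openssl req -x509 -new -sha256 -days 365 -key "$d/partner-keypair.pem" \
        -config "$d/ca.cnf" -out "$d/cert-ca-$partner.pem" || return 1

    # partner signs your CSR with the CA key; cert-myuni-<YourID>.pem comes back to you
    openssl x509 -req -sha256 -days 365 -in "$d/cert-myuni-$me.csr" \
        -CA "$d/cert-ca-$partner.pem" -CAkey "$d/partner-keypair.pem" -CAcreateserial \
        -out "$d/cert-myuni-$me.pem" 2>/dev/null || return 1

    # check 1: the certificate chains to the partner's CA certificate
    openssl verify -CAfile "$d/cert-ca-$partner.pem" "$d/cert-myuni-$me.pem" >/dev/null || return 1
    # check 2: the public key inside it is the one belonging to your key pair
    cert_key=$(openssl x509 -in "$d/cert-myuni-$me.pem" -noout -pubkey)
    own_key=$(openssl pkey -in "$d/keypair.pem" -pubout)
    [ "$cert_key" = "$own_key" ] || return 1

    # the fields Question 2(c) asks about are read from the parsed certificate
    openssl x509 -in "$d/cert-myuni-$me.pem" -noout -text \
        | grep -E 'Signature Algorithm|Public-Key|Issuer:|Subject:'
    rm -rf "$d"
}

run_ca_exchange
```

The second check matters in practice: a CA that signs whatever CSR it receives will happily issue a certificate for a key you do not control, and Apache will refuse to start (or serve a mismatched key) if the certificate and private key do not correspond.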
Answer the following sub-questions based on the above test and analysis.
(a) Submit the following files on Moodle. Each will be analysed to ensure they include correct information (e.g. values specific to you).
• cert-myuni-YourID.csr (your certificate signing request) [0.5 mark]
• cert-myuni-YourID.pem (your certificate) [1 mark]
• cert-ca-TheirID.pem (partner’s CA certificate) [1 mark]
• default-ssl.conf (a copy of the Apache configuration file from your web server) [0.5 mark]
• https.pcap (the capture of the HTTPS session) [2 marks]
(b) Draw a message sequence diagram that illustrates the TLS/SSL packets belonging to the first HTTPS session in the file.
Refer to the instructions in assignment 1 for drawing a message sequence diagram, as well as these additional requirements:
• Only draw the TLS/SSL packets; do not draw the 3-way handshake, TCP ACKs or connection close. Hint: identify which packets belong to the first TCP connection and then filter with “ssl” in Wireshark. Depending on your Wireshark version, the protocol may show as “TLSv1.2”.
• A single TCP packet may contain one or more SSL messages (in Wireshark look inside the packet for each “Record Layer” entry to find the SSL message names). Make sure you draw each SSL message. If a TCP packet contains multiple SSL messages, then draw multiple arrows, one for each SSL message, and clearly label each with SSL message name.
• Clearly mark which packets/messages are encrypted. [3 marks]
(c) Based on your certificate and the capture, write answers to the following questions in the table. When giving algorithms, you may use the abbreviation but must accurately identify the variant. For example, AES128 is different from AES256, and SHA256 is different from SHA512. [4 marks, 0.5 mark each]
• How many bytes is the hash value in the certificate signature?
• What hash algorithm is used to generate the certificate signature?
• What encryption algorithm is used to generate the certificate signature?
• How many bytes is the public key modulus in the certificate?
• In the TLS cipher suite used between client and server, what algorithm is used for:
  - Encrypting session data?
  - Hashing for the MAC?
  - Key exchange?
• How many bytes of random data are sent from the client to server at the start of the handshake?
(d) In practice, some Certificate Authorities use self-signed certificates, while others have their certificate signed by another CA. Explain why self-signed certificates are needed by CAs, as well as the benefits of one CA signing another CA’s certificate. [2 marks]
(e) In practice, Certificate Authorities must keep their private keys very secure, usually storing them offline in special hardware devices. Explain an attack a malicious user could perform if they could compromise the CA private key. Use your MyUni website as an example. [1 mark]
Question 3. Access Control [10 marks]
For this question you must use virtnet (as used in the workshops) to study Linux access control and passwords. This assumes you have already set up and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, and using Linux access control commands. Your task is to:
1. Create topology 1 in virtnet (or any topology that has a node; you could use nodes from previous questions).
2. Create five new users named student1, student2, teacher3, teacher4 and other5. Set the passwords to be different except for two users (that is, two users have the same password, the other users have different passwords), however do not use passwords that you use on other systems.
3. View the password information stored for the new users in /etc/passwd and /etc/shadow. Understand the information stored.
4. Create two new groups named student and teacher. Allocate the users to groups as follows:
o User 1, student1: primary group student
o User 2, student2: primary group student
o User 3, teacher3: primary group teacher
o User 4, teacher4: primary group teacher
o User 5, other5: primary group is their own (i.e. not in student or teacher).
Even though there are only five users created, in the following you should assume there may be more users (e.g. more users in the student group, more users in the teacher group, and more users not in either of the groups).
5. Create the following files and directories for each user. Unless specified, the files/directories can be any name and can contain any content:
o Both students (User 1 and 2) have directories personal and shared in their home directory. All teachers have read-only access to each student’s shared directory (and files within). Only the user can access their personal directory.
o The first teacher (User 3) has directory security, which has two subdirectories: lectures and exam. lectures is read-only by all teachers. exam is only accessible by the user.
o The second teacher (User 4) has directories network and personal. network is editable by everyone, while personal is only accessible by the user.
o Each directory mentioned above should have at least 1 file in it (the name and contents of the file doesn’t matter).
o Every user (including User 5) has a file in their home directory called schedule.txt. This file is readable and writable by everyone.
6. In addition to the access control rules mentioned above, assume:
o Every user has read, write permissions on their own files, and full permissions on their own directories.
o No other user can access the files/directories of other users.
o If permissions are not covered by the above, then assume the defaults.
o If there are conflicts in the above, then assume the most restrictive permission.
o Use only the basic Linux permissions (see example commands below). Do NOT use advanced permissions such as with setfacl or getfacl.
7. Test that the access control works by logging in as each user and checking they can(not) access the specified files/directories.
Answer the following questions after completing the task.
(a) Submit the following files on Moodle: a. /etc/passwd named as passwd.txt when you submit [0.5 mark]
b. /etc/shadow as shadow.txt [0.5 mark]
c. /etc/group as group.txt [0.5 mark]
d. The output of the following command as files.txt: sudo sh -c 'ls -lR /home > /home/network/files.txt'
The listing in files.txt will be used to determine if you have set the correct permissions. [4.5 marks]
(b) Explain where and how password information is stored in Linux. You should mention the files, formats of storing passwords (e.g. what is stored, how is the information created) and any specific algorithms used. [1 mark]
(c) In the above task on Linux you used a form of discretionary access control. Two other forms of access control are role-based access control (RBAC) and mandatory access control (MAC). Give a description of both RBAC and MAC, and using the student/teacher scenario, give an example of each that demonstrates the key characteristics of these forms of access control. [3 marks]
Question 4. Firewalls [9 marks]
An educational institute has a single router, referred to as the gateway router, connecting its internal network to the Internet. The institute has the public address range 138.53.0.0/16 and the gateway router has address 138.53.178.1 on its external interface (referred to as interface ifext). The internal network consists of four subnets:
• A DMZ, which is attached to interface ifdmz of the gateway router and uses address range 138.53.179.0/24.
• A small network, referred to as shared, with interface ifint of the gateway router connected to three other routers, referred to as staff_router, student_router, and research_router. This network has no hosts attached (only four routers) and uses network address 10.4.0.0/16.
• A staff subnet, which is for use by staff members only, that is attached to the staff_router router and uses network address 10.4.1.0/24.
• A student subnet, which is for use by students only, that is attached to the student_router router and uses network address 10.4.2.0/24.
• A research subnet, which is for use by research staff, that is attached to the research_router router and uses network address 10.4.3.0/24.
In summary, there are four routers in the network: the gateway router, and routers for each of the staff, student and research subnets. There are five subnets: DMZ, shared, staff, student, and research.
There are two servers in the DMZ that both accept requests from the Internet: a web server supporting HTTP and HTTPS, and an SMTP email server. Members of the staff, student and research subnets can access the web server; only members of the staff subnet can access the email server, and they do so using IMAP. The gateway router also runs a stateful packet filtering firewall and performs port address translation. In addition to the DMZ setup as described above, security requirements for the educational institute are:
• External Internet users cannot access any internal computers (except in DMZ and as stated in other requirements).
• Staff, students and researchers can access websites in the Internet.
• The researchers (on the research subnet) run a server for sharing data with selected research partners external to the educational institute. That server provides SSH access and a specialised file transfer protocol using TCP and port 6789 to the partners. The server has internal address 10.4.3.31 and NAT is setup on the gateway router to map the public address 138.53.179.44 to the internal address. Currently there are two partner organisations that can access the server, and they have network addresses: 31.13.75.0/24 and 104.55.9.0/24.
• The professor that leads the research staff also wants access to the data sharing server while they are at home. At home that professor uses a commercial ISP that dynamically allocates IP addresses in the range 23.63.0.0/16.
Considering the above information, answer the following questions:
(a) Draw a diagram illustrating the network. Although there may be many computers in the staff, student and research subnets, for simplicity you only have to draw three computers in the staff subnet, three computers in the student subnet and three computers in the research subnet (one of those in the research subnet should be the data sharing server). Label all computers and router interfaces with IP addresses. [3 marks]
(b) Specify the firewall rules using the format as in the table below. You may add/remove rows as needed. After the table, add an explanation of the rules (why you design the firewall rules the way you did). [5 marks]
Rule No. | Transport | Source IP | Source Port | Dest. IP | Dest. Port | Action
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
… | | | | | |
(c) Consider the rule(s) that allow the professor to access from home. Discuss the limitations, and suggest possible solutions. [1 mark]
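An added example, not part of the assignment and not the unit's model answer: one possible rule set for the network above written in the table format the question uses, together with a small first-match evaluator so the design can be checked against sample packets before it is typed into a real firewall. Several things in it are assumptions rather than facts from the page: the rules are written against the public address 138.53.179.44 on the basis that filtering happens before the gateway translates it to 10.4.3.31; the DMZ web and email servers have no addresses on the page, so the whole DMZ range stands in for them; IMAP on port 143 and HTTPS on port 443 are standard port numbers, not values from the question; and reply packets are left to the gateway's stateful tracking, so only the packet that opens each connection is listed. The evaluator is a teaching aid for reasoning about rule order, not a firewall.

```bash
#!/bin/bash
# Added example: a candidate Question 4 rule set plus a first-match evaluator.
# Assumptions: rules see the public address before NAT; the DMZ /24 stands in
# for the unnamed web and email servers; 143 and 443 are standard port numbers.

# Rule No. | Transport | Source IP | Source Port | Dest. IP | Dest. Port | Action
RULES='
1 tcp any any 138.53.179.0/24 80 allow
2 tcp any any 138.53.179.0/24 443 allow
3 tcp any any 138.53.179.0/24 25 allow
4 tcp 10.4.1.0/24 any 138.53.179.0/24 143 allow
5 tcp 31.13.75.0/24 any 138.53.179.44 22 allow
6 tcp 31.13.75.0/24 any 138.53.179.44 6789 allow
7 tcp 104.55.9.0/24 any 138.53.179.44 22 allow
8 tcp 104.55.9.0/24 any 138.53.179.44 6789 allow
9 tcp 23.63.0.0/16 any 138.53.179.44 22 allow
10 tcp 23.63.0.0/16 any 138.53.179.44 6789 allow
11 tcp 10.4.0.0/16 any any 80 allow
12 tcp 10.4.0.0/16 any any 443 allow
13 any any any any any deny
'

# dotted-quad IPv4 address -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET -> true if IP is inside NET ("any", "a.b.c.d" or "a.b.c.d/bits")
in_net() {
    [ "$2" = any ] && return 0
    case $2 in */*) net=${2%/*}; bits=${2#*/} ;; *) net=$2; bits=32 ;; esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# match VALUE FIELD -> true if FIELD is "any" or equals VALUE (protocol or port)
match() { [ "$2" = any ] || [ "$2" = "$1" ]; }

# decide PROTO SRC SPORT DST DPORT -> prints "<rule no> <action>" of the first matching rule
decide() {
    echo "$RULES" | while read -r no proto src sport dst dport action; do
        [ -n "$no" ] || continue
        if match "$1" "$proto" && in_net "$2" "$src" && match "$3" "$sport" \
           && in_net "$4" "$dst" && match "$5" "$dport"; then
            echo "$no $action"; break
        fi
    done
}

# constructed sample packets: partner, professor, student->IMAP, staff->IMAP, Internet->staff host
for pkt in "tcp 31.13.75.10 40000 138.53.179.44 6789" \
           "tcp 23.63.200.5 40000 138.53.179.44 22" \
           "tcp 10.4.2.15 40000 138.53.179.10 143" \
           "tcp 10.4.1.7 40000 138.53.179.10 143" \
           "tcp 198.51.100.9 40000 10.4.1.5 22"; do
    printf '%-42s -> %s\n' "$pkt" "$(decide $pkt)"
done
```

Rule 13 is the only reason the Internet-to-staff-host packet is dropped, which is the point the question's "explanation of the rules" should make: everything not explicitly allowed falls through to the deny. Rules 9 and 10 also show the limitation part (c) asks about in concrete form, since the professor's allowance is a whole /16 of a commercial ISP and any customer in that range matches it.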
Question 5. Wireless Network Security [8 marks]
A small company with about 50 employees is moving into a new building. You are being consulted to provide advice and recommendations on deploying a secure wireless network in the building. You have been informed by the IT admin within the company that they require 15 wireless access points to cover the entire area, and will purchase all access points of the same model/brand. They will select from TP-Link, D-Link or Netgear. The IT staff in the company are capable of deploying the network, but have very little knowledge of how to secure it. A good guide is provided by the Australian Government, but the IT admins do not understand it.
(a) Write five (5) recommendations for the IT admin in securing the wireless network. Each recommendation must have two parts: what is recommended, and why it is recommended. The what part should be specific, referring to recommended protocols, algorithms or technologies. The why part should provide a short (1-3 sentences) explanation of what security problem is solved by following the recommendation. [5 marks]
(b) Select one of the wireless access point vendors (TP-Link, D-Link or Netgear) and then select an appropriate wireless access point to recommend to the IT admin. For the selected access point, give a table that summarises the key technical specifications. [1 mark]
(c) For the selected access point above, list four (4) important security features. For each feature, give the recommended setting and explain why you gave that recommendation. [2 marks]
Certificates
1. Cryptographic Operations with OpenSSL
The following operations are performed (Xiao, Shen & Du, 2011):
- Extract user public key
- Generate the 128 bit random value
- Create new message or plain text
- Sign the created message file.
- Record the commands
- Encrypt the message file
- Also, encrypt the key text file using the RSA algorithm.
- Generate the RSA key pair
These files are attached below.
2. HTTPS and Certificates
The following operations are performed:
- Create topology 4 in the virtual network.
- Setup the web server to support the HTTPS
- Capture the traffic from web server
- Analyze and test HTTPS connection.
- Deploy the website
Setting up the web server requires obtaining a certificate from a certificate authority, which involves the following activities (Quirolgico, Hu & Karygiannis, 2011).
- Generate the Signing Request
- Send the certificate signing request.
a) The web server setup files are attached here.
b) Message Sequence Diagram
Question | Answer
How many bytes is the hash value in the certificate signature? | less than 256 bytes
What hash algorithm is used to generate the certificate signature? | RSA Algorithm
What encryption algorithm is used to generate the certificate signature? | Symmetric-key encryption algorithms
How many bytes is the public key modulus in the certificate? | 270 bytes
In the TLS cipher suite used between client and server, what algorithm is used for: |
- Encrypting session data? | Yes
- Hashing for the MAC? | Yes
- Key exchange? | Yes
How many bytes of random data are sent from the client to server at the start of the handshake? | 256 bytes
Certificate authorities use self-signed certificates, which have two major drawbacks: a visitor's connection could be hijacked, and the certificate cannot be revoked in the way a trusted certificate can. So another certificate authority's certificate is needed.
Certificate authorities should secure their private keys by storing them offline in special hardware devices. An attacker who obtains the certificate authority's private key can use it, because the key itself does not verify the identity of the certificate applicant. So malicious users could make use of the private key.
1. Access Control
Here the virtual network is also used to study Linux access control and passwords. The following operations are performed (Pale, 2012):
- Create the five new users
- Create the files and directories
- Finally, test the access control.
- Create two new groups
- Provide the access control and rules
- Also create the password
- Create the new topology
a) The files are attached here.
b) Generally, a Linux distribution stores the user information in /etc/passwd, which contains the user login, an optional comment field, a unique numerical user ID, encrypted password information and a numerical group ID. But the encrypted password is not stored in /etc/passwd; it is stored in the /etc/shadow file. The encrypted password is also stored in /etc/passwd. It is readable by the super user only (Sawant, Pelz, Hobson & Leemans, 2017).
c) Role-based access control takes more of a real-world approach to structuring access control. It is based on a user's job functions within the organization to which the computer system belongs, and it assigns permissions to particular roles in the organization.
Mandatory access control is the strictest of all levels of control. In a MAC environment, access to all resource objects is enforced and controlled by settings defined by the system administrator.
2. Firewalls
a) Network Diagram
The above network diagram displays three subnets: DMZ, Student and Staff. It uses three routers, referred to as the DMZ, Student and Staff routers. The routers are connected to switches. The Student subnet has one router, one switch and three PCs. The router IP address is 10.4.20.0. The DMZ subnet IP address is 10.4.0.0. The Staff subnet IP address is 10.4.10.0. These are interconnected with each other.
b) Firewall rules
Rule no. | Transport | Source IP | Source Port | Destination IP | Destination Port | Action
1 | TCP | 10.4.10.10 | 80 | 10.4.20.10 | 80 | Allow
2 | TCP | 10.4.10.11 | 80 | 10.4.20.11 | 80 | Allow
3 | TCP | 10.4.10.12 | 80 | 10.4.20.12 | 80 | Allow
The above table displays the firewall rules. They are used to block TCP network traffic between the client and server, that is, the student and staff subnets. The first firewall rule has source IP address 10.4.10.10 and destination IP address 10.4.20.10, meaning that the firewall allows the action to block TCP network traffic from the source IP address to the destination address. Similarly, the firewall allows the action between the staff and student subnets.
c) In iptables, the default rule is to ACCEPT everything, but this is not a secure firewall. So set up a secure firewall by using the other default policy, DROP everything. It is shown below.
1. Wireless Network Security
a) Recommendations for securing an organization's network:
- Reduce WLAN transmitter Power
- Enable WPA encryption instead of WEP
- Secure organization wireless router and access point administration interface
- Use MAC filtering for Access control
- Disable remote administration
b) The consultant recommends selecting the D-Link wireless access point because it provides a network connectivity solution for small and medium-sized businesses. It enables users to connect more devices to a single Internet connection, so it supports the small company's IT admin.
c) Security Features for D-Link
- Traffic control
- Quality of services
- Web redirection
- Network access protection
- WLAN partition
- ARP spoofing prevention
- High performance connectivity
- MAC address filtering
References
Pale, P. (2012). Nmap 6. Birmingham: Packt Publishing.
Quirolgico, S., Hu, V., & Karygiannis, T. (2011). Access control for SAR systems. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.
Sawant, U., Pelz, O., Hobson, J., & Leemans, W. (2017). Linux. Birmingham: Packt Publishing.
Xiao, Y., Shen, X., & Du, D. (2011). Wireless network security. New York: Springer.