How USB tokens can be used to allow users to login to a computer

COIT20262 Assignment 2 Questions Term 2, 2018

Advanced Network Security Page 1 of 8

COIT20262 – Advanced Network Security, Term 2, 2018 Assignment 2 Questions

Due date: 5pm Friday 5 October 2018 (Week 12) ASSESSMENT

Weighting: 45% 2 Length: N/A

Updated 6 Sep 2018 Question 3, part (c) on page 7 had a mistaken file name. It should be [StudentID]-cert.pem

Instructions Attempt all questions.

This is an individual assignment, and it is expected students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged), however each student should develop and write-up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include:

• Do not exchange files (reports, captures, diagrams) with other students. • Complete tasks with virtnet yourself – do not use results from another student. • Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks)

or from other students. • Write your own explanations. In some cases, students may arrive at the same numerical

answer, however their explanation of the answer should always be their own. • Do not copy text from websites or textbooks. During research you should read and

understand what others have written, and then write in your own words. • Perform the tasks using the correct values listed in the question and using the correct

file names.

File Names and Parameters Where you see [StudentID] in the text, replace it with your actual student ID. If your student ID contains a letter (e.g. “s1234567”), make sure the letter is in lowercase.

Where you see [FirstName] in the text, replace it with your actual first name. If you do not have a first name, then use your last name. Do NOT include any spaces or other non- alphabetical characters (e.g. “-“).

Marking Scheme A separate spreadsheet lists the detailed marking criteria.

COIT20262 Assignment 2 Questions Term 2, 2018

Advanced Network Security Page 2 of 8

Question 1. Authentication and Access Control Consider a scenario where you are responsible for IT security in a small company. The company is expected to have around 40 employees over the next few years. The employees are classified into the following roles:

• CEO • Executive Group (including CEO and other employees in leadership positions, e.g.

leader of the Finance team) • Finance • Software Engineering • Graphic Design • Web Development • Sales and Marketing • Human Resources • IT Administration

Some employees may take on multiple roles, e.g. an employee may be both in Software Engineering and Web Development.

The key data resources of the company are classified as:

• Web Content • Source Code (e.g. for non-web software) • Multimedia Assets (e.g. images, videos, artwork) • Trade Secrets (e.g. algorithms, formulas that give the company a significant

commercial advantage over competitors) • Financial Accounts • Personnel Records • Marketing Material • Company Policies • Meeting Records

Assume role-based access control is to be used for users in different roles to access the above listed resources. The access rights are:

• Own: can change the access rights on the resource • Read: can view the resource • Write: can create, delete and modify the resource

(a) Create a table that shows the mappings from Role to Resource. Provide a brief explanation of why you choose this particular mapping.

(b) One principle in access control is that of least privilege. Explain what the principle is, and explain an example by referring to your mapping above.

COIT20262 Assignment 2 Questions Term 2, 2018

Advanced Network Security Page 3 of 8

The company has many trade secrets, some of which are very valuable and known only by the Executive Group (e.g. it would be a significant financial loss if a competing company knew them), some are also know by Software Engineers that implement the algorithms, while other trade secrets are important but known by a wider number of employees. The CEO has asked you to consider implementing Mandatory Access Control on the trade secrets.

(c) Explain how you could apply MAC to the trade secrets, including the levels you would use and the assignment of roles to security clearance levels.

The company is planning to use only passwords as the authentication mechanism for access computing systems. There will be no token-based or biometric authentication.

(d) Write a password policy for the company. The policy must give rules for how new users are registered with the systems, as well as how existing users change their passwords (including forgotten or wrong passwords). Each rule in the policy must be classified as “must” (it is required), “should” (it is required unless there is a good reason for not applying it), or “may” (optional). Each rule be justified/explained. The policy must make a reasonable trade-off between security and convenience. For example, “All users must use a 30 character random password” is a poor policy design (too inconvenient), as is “All users must use their last name as a password” (too insecure).

(e) Assume a malicious user knew your password policy. Select and explain two different attacks that the malicious user may use try to defeat the password-based authentication. For each attack, provide details of what the malicious user would do (e.g. list of steps, example techniques or software to use).

While passwords were originally planned for the main computer systems, the company is considering using other authentication systems for high importance assets (e.g. finance, trade secrets). For these, the company is considering between:

• USB tokens • Fingerprint scanning • Voice recognition

(f) Explain how USB tokens can be used to allow users to login to a computer. Your explanation may include steps that the user must take, and any setup the IT administrator must perform in advance to allow USB tokens to work.

(g) Compare the three techniques with respect to security, convenience and cost. For security you should discuss their strengths and weaknesses against different attacks. For convenience you should consider the additional burden then place on users. For cost, you do not need to give exact prices, but should discuss what additional infrastructure is needed to deploy each system.

COIT20262 Assignment 2 Questions Term 2, 2018

Advanced Network Security Page 4 of 8

Question 2. Firewalls and iptables In this question you will use iptables and virtnet to create a firewall. You need to consider two different scenarios:

1. Firewall does not use SPI; default policy is Accept. 2. Firewall uses SPI; default policy is Drop.

Both scenarios will use topology 7 in virtnet, with nodes 1 and 2 being external, node 3 the firewall, and nodes 4 and 5 internal. Although there are only 5 machines in the topology, when creating your rules you must assume there will be more than that. For example, while there is only 1 internal subnet, there may be more than 2 internal nodes on that subnet (you don’t have to create additional nodes in virtnet; just design the rules assuming they are there).

For both scenarios you must save the iptables commands you used in a Shell script file, named [StudentID]-iptables1.sh and [StudentID]-iptables2.sh. You must also add a comment that explains each rule in the file. Comments start with a hash (#) character.

The Shell scripts may be executed during marking, therefore it is important you have the exact commands included, and no other text unless it is a comment.

Where you see [StudentPort1] replace it with the value 8 followed by the last three numbers of your student ID. For example, if your student ID is 12345678, then [StudentPort1] is replaced with:

8678

Where you see [StudentPort2], do the same as [StudentPort1], except start with 9 (instead of 8). The example would replace [StudentPort2] with:

9678

Scenario 1: No SPI

Implement a firewall that:

(a) Blocks ping into the internal subnet, as well as out from the internal subnet. (b) Blocks ping into the firewall (node3), but allows the firewall to ping out. (c) Blocks all traffic from external subnets into the firewall, except if secure shell traffic. (d) Blocks node1 from access the web server on node4. (e) Blocks node5 from secure shell to any external node. (f) Blocks all external nodes from access a server on node4 that uses port [StudentPort1].

Save all iptables commands used to implement the above rules in the file [StudentID]- iptables1.sh. Before each command, include a comment that explains why the iptables command(s) implements the required rule.

Scenario 2: With SPI

Before starting this scenario, delete (flush) all rules created in Scenario 1.

Implement a firewall that:

COIT20262 Assignment 2 Questions Term 2, 2018

Advanced Network Security Page 5 of 8

(g) Sets the default policy on all chains as Drop. (h) Enable SPI. (i) Allows all external nodes to access the web server on node4. (j) Allows all external nodes to access the secure shell server on node5. (k) Allows all internal nodes to access any external web servers. (l) Allow node1 to access a server on node5 that uses port [StudentPort2].

Save all iptables commands used to implement the above rules in the file [StudentID]- iptables2.sh (including for setting the policy and enabling SPI). Before each command, include a comment that explains why the iptables command(s) implements the required rule.

COIT20262 Assignment 2 Questions Term 2, 2018

Advanced Network Security Page 6 of 8

Question 3. HTTPS and Certificates For this question you must use virtnet (as used in the workshops) to study HTTPS and certificates. This assumes you have already setup and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and testing the website.

Your task is to setup a web server that supports HTTPS. The tasks and sub-questions are grouped into multiple phases.

Phase 1: Setup Topology

1. Create topology 7 in virtnet. 2. Deploy the MyUni demo website, with node4 being the real web server. 3. Change the domain name from www.myuni.edu to www.[StudentID].edu by editing

the /etc/hosts file on node1.

NOTE: You may use the same nodes as used in Question 2 on firewalls. However if you do, you must not use a firewall to complete this question (i.e. flush all the rules). Alternatively, you may delete the nodes from Question 2, and re-create topology 7 for this question.

Phase 2: Certificate Creation

You will need to use the files made available to you for download from Assignment 1.

1. Using [StudentID]-keypair.pem you must create a Certificate Signing Request called [StudentID]-csr.pem. The CSR must contain these field values:

• State: state of your campus • Locality: city of your campus • Organisation Name: your full name • Common Name: www.[StudentID].edu • Email address: your @cqumail address • Other field values must be selected appropriately.

Now you will change role to be a CA. A different public/private key pair has been created for your CA as [StudentID]-ca-keypair.pem. As the CA you must:

2. Setup the files/directories for a demoCA 3. Create a self-signed certificate for the CA called [StudentID]-ca-cert.pem. 4. Using the CSR from step 1 issue a certificate for www.[StudentID].edu called

[StudentID]-cert.pem.

Phase 3: HTTPs Configuration

1. Configure Apache web server on node4 to use HTTPS. Remember the domain name must be www.[StudentID].edu where [StudentID] is replace with your actual student ID.

2. Load the CA certificate into the client on node1.

COIT20262 Assignment 2 Questions Term 2, 2018

Advanced Network Security Page 7 of 8

Phase 4: Testing

1. Start capturing on node3 using tcpdump. 2. On node1, use lynx to visit https://www.[StudentID].edu/grades/ and login to view

some grades. 3. Exit lynx. 4. Stop the capturing and save the file as [StudentID]-https.pcap.

When capturing, make sure you capture a full HTTPS session, and avoiding capturing multiple sessions.

Phase 5: Analysis

(a) Submit the CSR [StudentID]-csr.pem. (b) Submit the CA self-signed certificate [StudentID]-ca-cert.pem. (c) [Updated 6 Sep 2018] Submit the issued certificate [StudentID]-ca-cert.pem

[StudentID]-cert.pem (d) Submit the packet capture [StudentID]-https.pcap. (e) When the web browser receives a certificate in a HTTPS exchange, what does the

browser do to verify the certificate, and what information from the certificate is used in subsequent steps of the exchange? Explain your answers in detailed by referring to algorithms and cryptographic techniques used.

(f) In this question your CA used a self-signed certificate. Explain why it is not good practice for the web server (www.[StudentID].edu) to also use a self-signed certificate.

(g) If an attacker obtained [StudentID]-ca-keypair.pem, explain an attack that they could perform on users visiting https://www.[StudentID].edu/grades/. You must give details of the attack, such as the steps the attacker would perform and how the users/data would be compromised. Giving just an attack name is insufficient.

COIT20262 Assignment 2 Questions Term 2, 2018

Advanced Network Security Page 8 of 8

Question 4. WiFi Security (a) Explain how a MAC address filter for a WiFi access point works. Discuss the role of

MAC address filters in security, and issues or limitations of MAC address filters. (b) WPA is recommended for encryption and authentication in WiFi. WPA can use AES

for encryption, which uses key lengths of 128 bits or 256 bits. However when users setup WPA/AES in their home WiFi access point, then often select a passphrase. Explain the difference between the passphrase and 128 bit key and discuss the advantages and disadvantages of using a passphrase (compared to a 128 bit or longer key). Also discuss the potential for successful brute force attacks on passphrases and 128 bit keys.

(c) While WPA is considered secure when configured correctly, it is recommended that WiFi users use a VPN when connecting via public WiFi hot spots. Explain why a VPN is recommended in these cases, what is required to be setup in advance to use a VPN, and what security the VPN provides.