PLYMOUTH UNIVERSITY
MODULE CODE: CNET233SL
TITLE OF PAPER: Network Security
TIME ALLOWED: Three Hours
DATE:    TIME:
FACULTY: SCIENCE AND TECHNOLOGY
SCHOOL: COMPUTING
ACADEMIC YEAR: 2014/15
STAGE: Two

INSTRUCTIONS TO CANDIDATES:
Answer ALL questions in the paper. This paper carries a total of 100 marks. Candidates are not permitted to look at the examination paper until instructed to do so.
Release to library? Yes
Summer Exam
Page 1 of 19

Answer four questions out of the five questions using the separate answer sheet provided.

Q.1 Intruders often attack and interrupt the service availability of Web Servers to prevent E-commerce sites from online trading.
a) Discuss the various types of security threats on an E-commerce web site and the security approaches available to mitigate the threats. [8 Marks]
b) Explain the impact of a Denial of Service (DoS) attack and discuss the motivations behind Denial of Service attacks. [8 Marks]
c) Describe in detail SYN Flood, the original DoS attack that an intruder could use to bring down a Web server and deny service. Use a diagram to illustrate your answer. [6 Marks]
d) Describe the defences that could be applied to mitigate SYN Flood. [3 Marks]
[Total 25 Marks]

Q.2
a) Discuss the role of a firewall within a large Internet-based organization. Include in your answer why more than one firewall would be needed and where, typically, you would expect them to be deployed. [8 Marks]
b) Explain in detail the Stateful Packet Inspection Firewall in contrast to the Stateless Firewall. [6 Marks]
c) The externally accessible Web, FTP and SMTP servers are generally not placed inside the LAN. Describe the De-Militarized Zone (DMZ), which is the recommended network location to place these servers, and justify their placement. [6 Marks]
d) Discuss the limitations of a Firewall in protecting networks and systems from potential security threats and attacks.
You need to explain the things that Firewalls can't do. [5 Marks]
[Total 25 Marks]

Q.3 Intrusion Detection Systems (IDS) are designed to warn network administrators when networks are under attack, or if there has been an attempted attack. Currently real-time capture and analysis technologies are used to detect known forms of hacker behaviour, general misuse and potentially malicious anomalous behaviour.
a) Describe the advantages of implementing Network Intrusion Detection Systems (NIDS) in a network and the issues you can't resolve by implementing a NIDS. [8 Marks]
b) State and explain how you address the above issues by adding a Host-based Intrusion Detection System (HIDS) to the network, and what the downsides of HIDS are. [8 Marks]
c) State the types of attacks that may be picked up by an Intrusion Detection System. [3 Marks]
d) Describe the following anomaly detection measures and techniques used by IDS sensors to detect intrusions that can't be captured by Firewalls:
   i. Signature Detection
   ii. Threshold Detection [6 Marks]
[Total 25 Marks]

Q.4
a) Explain the three information security goals, or the concept of the CIA triad, i.e. Confidentiality, Integrity and Availability. [6 Marks]
b) Draw diagrams to briefly describe the following four types of active attacks:
   i. Masquerade
   ii. Replay
   iii. Modify/alter
   iv. Denial of Service [8 Marks]
c) Draw model diagrams with components and describe Symmetric Key Encryption and Asymmetric Key Encryption. [8 Marks]
d) Compare and contrast the advantages and disadvantages of both encryption technologies in terms of their applications. [3 Marks]
[Total 25 Marks]

Q.5 Security was the major barrier to the proliferation of Wireless networks within the corporate business environment; however, modern security mechanisms have addressed the major security weaknesses of Wireless technology.
a) Illustrate the flaws of the WEP encryption method used in wireless networks.
Explain how the evolution of the WPA and WPA2 protocols overcomes the weaknesses in Wireless security. [15 Marks]
b) When penetration testing a wireless network, the process is divided into three phases: Reconnaissance Phase, Exploit Phase and Reporting Phase. Explain the activities that take place in each of these phases. [10 Marks]
[Total 25 Marks]

END OF QUESTIONS

Answers

Q.1 Intruders often attack and interrupt the service availability of Web Servers to prevent E-commerce sites from online trading.
a) Discuss the various types of security threats on an E-commerce web site and the security approaches available to mitigate the threats. [8 Marks]
b) Explain the impact of a Denial of Service (DoS) attack and discuss the motivations behind Denial of Service attacks. [8 Marks]
c) Describe in detail SYN Flood, the original DoS attack that an intruder could use to bring down a Web server and deny service. Use a diagram to illustrate your answer. [6 Marks]
d) Describe the defences that could be applied to mitigate SYN Flood. [3 Marks]
[Total 25 Marks]

Answer:
a) The Internet and the Web are extremely vulnerable to compromise through various means, with a range of threats impacting the following security goals:
- Integrity
- Confidentiality
- Availability
- Authentication

Passive attacks: eavesdropping on network traffic between browser and server, and gaining access to information on a Web site that is supposed to be restricted (attack on Confidentiality).
Active attacks: impersonating another user, altering messages in transit between client and server, and altering information on a Web site (attack on Integrity).
CGI and related vulnerabilities in source code, and the availability of attack types such as SQL Injection and Cross-Site Scripting, have increased the threat levels of E-commerce web sites.

Security Approaches:
IPSec: establishes a secure tunnel between the client and the server.
- The two ends are authenticated, for example through a shared secret using the Diffie-Hellman algorithm.
- The data traversing the tunnel is encrypted (DES, 3DES, AES) and authenticated (MD5, SHA algorithms).
Secure Sockets Layer (SSL): the Internet standard known as Transport Layer Security (TLS).
- Uses TCP to provide a reliable end-to-end secure service.
- Three higher-layer protocols are defined: Handshake Protocol, Change Cipher Spec Protocol, and Alert Protocol.
- Confidentiality: using symmetric encryption with a shared secret key defined by the Handshake Protocol (AES, IDEA, DES, 3DES, RC4, etc.).
- Integrity: using a MAC with a shared secret key.
HTTPS (HTTP over SSL): the combination of HTTP and SSL/TLS to secure communications between browser and server.
PKI: use of a Public and Private Key pair for security. The Web server's data is encrypted with its Private Key and the Public Key is shared with the clients for decrypting and accessing the data. Certificate Authorities (CAs) ensure that the clients are given the legitimate web server's Public Key, ensuring that the clients access and share confidential information (e.g. credit card details) with the legitimate web site.

b) A DoS attack disrupts or completely denies service to legitimate users. DoS attacks can take many forms:
- Overloading the target system by consuming all the resources (disk space, bandwidth, buffers).
- Making a network device (router or switch) crash, thereby making any attached devices, such as an E-commerce web site, inaccessible.
Famous examples: Yahoo, eBay, Buy.com, CNN.com, E*TRADE and ZDNet.
Motivation:
- Many tools are available. Many DoS tools are of the point-and-click type and require very little technical skill to run.
- It is often easier to disrupt or crash the operation of a system than to gain access. If an attacker is frustrated by the security of a particular site, then the final resort may be to launch a DoS attack.
- Also there are individuals who have personal or political disputes.

c) The source system sends a large number of TCP SYN packets to the target system, with spoofed source IPs that do not exist. The SYN packet indicates the start of the three-way handshake that creates the connection. The target system responds with a TCP SYN-ACK packet, to acknowledge the SYN packet received. The target system puts the new connection information into a pending buffer and waits for the reply. With this attack the connection is never completed, since the source IPs are spoofed IPs that do not exist and so will never complete the three-way handshake. Then the target's buffer is overwhelmed and legitimate users are blocked.

d) This type of attack is often very difficult to identify until it is well under way. Several defences are available, as follows:
- Reduce the timer wait; however, this would penalise legitimate users with slow connections.
- Increase the size of the buffer dedicated to half-open connections.
- Install network devices that are capable of identifying SYN flood attacks.
- Many commercial firewalls are capable of reducing the effects of SYN floods, by intervening between the target server and the incoming connection. If the acknowledgement is not forthcoming, the firewall sends a reset (RST) packet and drops the connection.
- Use a network-based intrusion detection system that can identify SYN flood attacks.

Q.2
a) Discuss the role of a firewall within a large Internet-based organization. Include in your answer why more than one firewall would be needed and where, typically, you would expect them to be deployed. [8 Marks]
b) Explain in detail the Stateful Packet Inspection Firewall in contrast to the Stateless Firewall. [6 Marks]
c) The externally accessible Web, FTP and SMTP servers are generally not placed inside the LAN.
Describe the De-Militarized Zone (DMZ), which is the recommended network location to place these servers, and justify their placement. [6 Marks]
d) Discuss the limitations of a Firewall in protecting networks and systems from potential security threats and attacks. You need to explain the things that Firewalls can't do. [5 Marks]
[Total 25 Marks]

Answer:
a) The roles of a firewall in a network are:
- A choke point of control and monitoring, typically placed at the perimeter of the network.
- Interconnects networks with differing trust, e.g. internal LAN, outside Internet and DMZ.
- Imposes restrictions on network services, and only authorized traffic is allowed for authorized users, e.g. a set of internal users are allowed access to the Internet through the HTTP (port 80), HTTPS (port 443) and FTP (port 21) applications.
- Auditing and controlling access. Can implement alarms for abnormal behaviour.
- Provides perimeter defence, i.e. all inbound access from the Internet to the inside LAN is prohibited.
- Defends against DoS attacks.

A typical secure Firewall design architecture (screened subnet): this is the most secure Firewall configuration.
- Two packet-filtering Firewalls are used: one between the bastion host and the Internet, and another between the bastion host and the internal network.
- Creates an isolated subnetwork, or DMZ, which may contain the bastion host and publicly accessible servers.
- Typically both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the subnet is blocked.
- This now provides three levels of defence.
- The outside Firewall advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet.
- Similarly, the inside firewall advertises only the existence of the screened subnet to the internal network. This means that systems on the inside network cannot construct direct routes to the Internet.
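As an added illustration (not part of the original paper), the following Python sketch applies the screened-subnet policy described above (Internet to DMZ only on the published service ports, internal users out on HTTP/HTTPS/FTP, nothing into the internal LAN) and compares a stateless filter, which judges each packet by its header bits alone, with a stateful one that tracks the three-way handshake. The internal and DMZ prefixes, and all sample traffic, are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed internal LAN prefix
DMZ = ipaddress.ip_network("192.0.2.0/24")        # assumed screened subnet (DMZ)
DMZ_SERVICES = {80, 443, 21, 25}    # WWW, HTTPS, FTP, SMTP reachable from the Internet
OUTBOUND_SERVICES = {80, 443, 21}   # what internal users may reach on the outside

def zone(ip):
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    return "dmz" if addr in DMZ else "internet"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def new_connection_allowed(p):
    """Zone policy for the first packet (SYN) of a connection."""
    s, d = zone(p.src), zone(p.dst)
    if s == "internet" and d == "dmz":                 # outside firewall
        return p.dport in DMZ_SERVICES
    if s == "internal" and d in ("dmz", "internet"):   # inside firewall
        return p.dport in OUTBOUND_SERVICES
    return False    # Internet -> internal and DMZ -> internal are never allowed

def stateless_filter(p):
    """Header bits only: any packet with ACK set is taken as 'established'."""
    return new_connection_allowed(p) or p.ack

class StatefulFilter:
    """Tracks the three-way handshake so each packet is judged in context."""
    def __init__(self):
        self.sessions = {}   # (client, cport, server, sport) -> handshake state
    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.syn and not p.ack:                        # new connection request
            if not new_connection_allowed(p):
                return False
            self.sessions[fwd] = "syn_sent"
            return True
        if p.syn and p.ack:                            # only valid as a reply to a pending SYN
            if self.sessions.get(rev) != "syn_sent":
                return False
            self.sessions[rev] = "syn_received"
            return True
        # Any other packet must belong to a session already seen, in either direction.
        return fwd in self.sessions or rev in self.sessions

SAMPLE = [  # constructed traffic; documentation address ranges
    Packet("203.0.113.5", 40000, "192.0.2.10", 80, syn=True),            # Internet -> DMZ web
    Packet("192.0.2.10", 80, "203.0.113.5", 40000, syn=True, ack=True),  # SYN-ACK back
    Packet("203.0.113.5", 40000, "192.0.2.10", 80, ack=True),            # handshake completes
    Packet("203.0.113.9", 40001, "10.0.0.5", 3389, ack=True),            # bogus ACK, no session
    Packet("192.0.2.10", 5555, "10.0.0.5", 445, syn=True),               # DMZ host -> internal LAN
    Packet("10.0.1.7", 50000, "198.51.100.3", 80, syn=True),             # internal user -> web
]

def compare(packets=SAMPLE):
    """Return (stateless decisions, stateful decisions) for the packet list."""
    stateful = StatefulFilter()
    return [stateless_filter(p) for p in packets], [stateful.filter(p) for p in packets]
```

The fourth packet is the case the stateful filter exists for: an ACK with no SYN behind it passes the stateless "established" test but matches no tracked session.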
b) Stateful Packet Filtering:
- Traditional packet filters do not examine higher-layer context, i.e. matching return packets with the outgoing flow.
- Stateful packet filters address this need. They examine each IP packet in context by:
  - keeping track of client-server sessions (three-way handshake);
  - checking that each packet validly belongs to one.
- Hence they are better able to detect bogus packets out of context.
Stateless Packet Filtering:
- Internal network connected to the Internet via a router firewall.
- The router filters packet-by-packet; the decision to forward/drop a packet is based on:
  - source IP address, destination IP address;
  - TCP/UDP source and destination port numbers;
  - ICMP message type;
  - TCP SYN and ACK bits.
- Example rule: block outgoing port 80 web access to a set of internal IPs.

c) The Demilitarized Zone is a portion of the network that is untrusted.
- Systems in the DMZ cannot be fully trusted.
- Normally delimited by firewalls.
- Restricts access to systems on the internal network.
- Typically the externally accessible application servers, such as WWW, FTP, SMTP and DNS, are hosted in the DMZ, a secured but untrusted zone, because those servers are susceptible to attack.
- In case of compromise of the respective servers, there is no impact on the internal network that holds the confidential data.
- Firewall rule architecture: only the required application ports (e.g. 80, 443, 21, 25) are allowed from the Internet to the DMZ servers, and no access, or strictly restricted access, is allowed from the DMZ servers to the internal network.

d) A firewall can't protect from:
- Attacks that originate on the internal network.
- Poorly trained network administrators.
- Social engineering attacks.
- Viruses and Trojans that have been downloaded by your users.
Vulnerabilities or limitations of a Packet Filtering Firewall:
- If the rules allow the connection, it allows an attack against a server located behind the packet filter.
- Has limited decision capabilities.
- Only looks at a small portion of the IP packet.

Q.3 Intrusion Detection Systems (IDS) are designed to warn network administrators when networks are under attack, or if there has been an attempted attack. Currently real-time capture and analysis technologies are used to detect known forms of hacker behaviour, general misuse and potentially malicious anomalous behaviour.
a) Describe the advantages of implementing Network Intrusion Detection Systems (NIDS) in a network and the issues you can't resolve by implementing a NIDS. [8 Marks]
b) State and explain how you address the above issues by adding a Host-based Intrusion Detection System (HIDS) to the network, and what the downsides of HIDS are. [8 Marks]
c) State the types of attacks that may be picked up by an Intrusion Detection System. [3 Marks]
d) Describe the following anomaly detection measures and techniques used by IDS sensors to detect intrusions that can't be captured by Firewalls:
   i. Signature Detection
   ii. Threshold Detection [6 Marks]
[Total 25 Marks]

Answer:
a) NIDS Advantages:
- Is completely hidden, so the attacker does not know they are being monitored.
- One NIDS can monitor a large number of potential target systems.
- Can capture the contents of all packets travelling to the target systems.
Issues that a NIDS can't resolve:
- Only works if the traffic matches preconfigured rules or signatures.
- Can miss traffic of interest due to high bandwidth utilisation or bypassing (alternate route).
- Cannot determine if an attack was successful.
- Switched networks require special configuration so that the NIDS can see all the traffic.

b) Addressing the above issues through HIDS:
- HIDSs, with their ability to monitor events local to a host, can detect attacks that cannot be seen by a NIDS.
- HIDSs can often operate in an environment in which network traffic is encrypted, when the host-based information sources are generated before data is encrypted and/or after the data is decrypted at the destination host.
- HIDSs are unaffected by switched networks.
- When HIDSs operate on OS audit trails, they can help detect Trojan Horse or other attacks that involve software integrity breaches. These appear as inconsistencies in process execution.
Disadvantages of HIDS:
- HIDSs are harder to manage, as information must be configured and managed for every host monitored.
- A HIDS may be attacked and disabled as part of the attack.
- Not well suited for detecting network scans or other such surveillance that targets an entire network, because the IDS only sees those network packets received by its host.
- HIDSs can be disabled by certain denial-of-service attacks.
- When HIDSs use operating system audit trails as an information source, the amount of information can be immense, requiring additional local storage on the system.
- Use the computing resources of the hosts they are monitoring, therefore inflicting a performance cost on the monitored systems.

c) Types of attacks that may be picked up by an IDS:
- DNS zone transfers
- Port scans: sequential scanning, stealth scanning
- DoS attacks
- Ping-of-death / Teardrop / Land / WinNuke: variations of malformed IP packets
- Guessing / cracking passwords / brute-force attacks
- Copying or viewing sensitive data / databases

d) i. Signature Detection
Observe events on the system and apply a set of rules to decide whether there is an intruder. Approaches:
- Rule-based anomaly detection: analyse historical audit records for expected behaviour, then match against current behaviour.
- Rule-based penetration identification: rules identify known penetrations / weaknesses, often by analysing attack scripts from the Internet, supplemented with rules from security experts.
ii. Threshold Detection
Counts, with some level established as permissible, of for example:
- the number of files accessed by a user in a given period;
- the number of failed attempts to log in to the system;
- the amount of CPU utilised by a process.

Q.4
a) Explain the three information security goals, or the concept of the CIA triad, i.e. Confidentiality, Integrity and Availability. [6 Marks]
b) Draw diagrams to briefly describe the following four types of active attacks:
   i. Masquerade
   ii. Replay
   iii. Modify/alter
   iv. Denial of Service [8 Marks]
c) Draw model diagrams with components and describe Symmetric Key Encryption and Asymmetric Key Encryption. [8 Marks]
d) Compare and contrast the advantages and disadvantages of both encryption technologies in terms of their applications. [3 Marks]
[Total 25 Marks]

Answer:
a) Confidentiality (covers both data confidentiality and privacy): preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Integrity (covers both data and system integrity): guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability: ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

b)
i. Masquerade: one entity masquerades as some other.
ii. Replay: previous messages are replayed.
iii. Modify/alter: (part of) messages in transit are modified to produce an unauthorized effect.
iv. Denial of Service: prevents or inhibits the legitimate use of a service.

c) Symmetric Encryption:
- Plaintext: the original message.
- Encryption algorithm: performs substitutions/transformations on the plaintext.
- Secret key: controls the exact substitutions/transformations used in the encryption algorithm.
- Ciphertext: the scrambled message.
- Decryption algorithm: the inverse of the encryption algorithm.
Asymmetric Encryption:
- Private Key: kept secret.
- Public Key: distributed to others.
The two keys are mathematically related such that:
- Either key can encrypt, but the ciphertext can only be decrypted with the other key.
- Neither key can be determined from knowledge of the other key.
- The two keys are unique; no other key pair anywhere is the same.
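As an added worked example (not part of the paper), the key-pair relation listed above can be checked with textbook RSA on deliberately tiny primes: whichever key is applied first, only the other one undoes it, and applying the same key twice does not. The primes, exponent and messages are constructed; real keys are thousands of bits long and use padding, which this sketch omits.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Multiplicative inverse of a modulo m (exists only when gcd(a, m) == 1)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m

def keygen(p, q, e=17):
    """Build a key pair from primes p, q: public (e, n), private (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient; e must be coprime to it
    d = modinv(e, phi)               # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)

def apply_key(key, m):
    """Encrypt or decrypt one block m < n: the same operation whichever key is used."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(m, k, n)

def encrypt_bytes(key, data):
    """One byte per block (every byte value is below n). The mapping is
    deterministic, which is exactly why real RSA needs padding such as OAEP."""
    return [apply_key(key, b) for b in data]

def decrypt_bytes(key, blocks):
    return bytes(apply_key(key, c) for c in blocks)

def demo():
    public, private = keygen(61, 53)       # constructed primes: n = 3233, phi = 3120, d = 2753
    c = apply_key(public, 65)              # encrypt 65 with the public key -> 2790
    return {
        "public_then_private": apply_key(private, c),                       # 65: recovered
        "private_then_public": apply_key(public, apply_key(private, 65)),   # 65: recovered
        "public_twice": apply_key(public, c),                               # not 65: wrong key
        "bytes_roundtrip": decrypt_bytes(private, encrypt_bytes(public, b"card")),
    }
```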
d) Symmetric Encryption
Advantages:
- Fast encryption/decryption: in seconds, whereas other methods take minutes.
- Difficult to crack, especially if the key is long.
- Authenticates the sender as one of those who has access to the key.
Disadvantages:
- All users must keep the key secret.
- Distributing a new key is difficult.
- Cannot communicate secretly with anyone who does not have the key.
Asymmetric Encryption
Advantages:
- Extremely secure.
- Relatively fast.
Disadvantages:
- Complexity in sharing the key.
- More damage if compromised.

Q.5 Security was the major barrier to the proliferation of Wireless networks within the corporate business environment; however, modern security mechanisms have addressed the major security weaknesses of Wireless technology.
a) Illustrate the flaws of the WEP encryption method used in wireless networks. Explain how the evolution of the WPA and WPA2 protocols overcomes the weaknesses in Wireless security. [15 Marks]
b) When penetration testing a wireless network, the process is divided into three phases: Reconnaissance Phase, Exploit Phase and Reporting Phase. Explain the activities that take place in each of these phases. [10 Marks]
[Total 25 Marks]

Answer:
a) In Wireless LANs, everything is broadcast; thus security is essential. Three security issues need to be addressed:
- Authentication: the right key
- Confidentiality: encryption
- Integrity: checksum
Weaknesses of Wired Equivalent Privacy (WEP):
- Key distribution is a problem: how to publish the key. Anyone stealing a mobile device has the WEP key.
- Based on the RC4 symmetric stream cipher. Only 40 bits are private, which is easily cracked.
- A WEP key can be derived in 1M to 4M frames using statistical analysis.
- An attacker can send a known plaintext to an observable wireless client (e.g. via email). The attacker then 'listens' to the wireless LAN, waiting to see the predicted ciphertext.
- Once the attacker 'sees' the ciphertext, the key stream is derived.
How WPA overcomes the security weaknesses:
- Wi-Fi Protected Access was developed by the Wi-Fi Alliance and IEEE.
- Temporal Key Integrity Protocol (TKIP) for encryption, with the following features:
  - per-packet keying;
  - message integrity check;
  - broadcast key rotation.
- 802.1X based on the Extensible Authentication Protocol (EAP) for authentication, which supports numerous authentication mechanisms for the clients through a user account database.
- WPA2, or 802.11i (June 2004), uses improved algorithms for encryption and key management.

b) Phase 1 - Reconnaissance
Reconnaissance involves gathering information regarding a potential target without the knowledge of the targeted individual or Wireless network. It is usually done using the following methodologies in Wireless LANs:
- Using wireless sniffers: understanding WLAN card operating modes, sniffing in managed mode, sniffing in monitor mode, RFMON sniffing.
- Monitor mode sniffing on Windows, Linux and Mac OS.
- Analysing wireless traffic with Tcpdump, Wireshark and Kismet.
- Identifying wireless networks with Kismet.
- Mapping wireless networks with gpsmap, Google Maps and Google Earth; live network mapping, using gpsmap to map wireless networks in the area.

Phase 2 - Exploit Phase
Focuses on establishing a connection and gaining access to a Wireless system or resource by bypassing security restrictions. Some common Wireless attacks are:
- TKIP attacks: TKIP break, TKIP replay attacks, TKIP countermeasure DoS attacks, TKIP plaintext recovery attacks.
- DoS attacks: DoS attack targets including PHY, MAC and client attacks.
  - Physical medium attacks with the Wave Bubble, common jammers.
  - MAC attacks: authentication and association floods, de-authentication and disassociation floods, Beacon DS Set DoS.
  - Hidden node problem, RTS/CTS medium management, medium reservation attacks, RTS/CTS co-opting.
  - Client attacks including rogue AP DoS, NULL SSID DoS, 802.1X authentication flood.

Phase 3 - Reporting Phase
Finally, a report is produced summarizing the penetration testing process, with analysis and commentary on the vulnerabilities identified in the Wireless network. Critical vulnerabilities identified should be reported immediately to the overseeing management.
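As an added illustration (not part of the paper) of the WEP weakness described in Q.5 a), the following Python code implements RC4 and a WEP-style frame encryption (IV prepended to the secret key, keystream XORed onto the payload) and shows what the known-plaintext observation gives away: the keystream for that IV, which reveals any other frame sent under the same IV, while a frame keyed differently per packet (the property TKIP adds) stays opaque to it. The key, IV and messages are constructed; WEP's ICV and frame headers are omitted.

```python
def rc4(key, length):
    """RC4 keystream of `length` bytes for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                              # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(secret40, iv, payload):
    """WEP seeds RC4 with IV (24 bits, sent in the clear) || 40-bit secret and
    XORs the keystream onto the payload. Returns IV || ciphertext."""
    return iv + xor(rc4(iv + secret40, len(payload)), payload)

def keystream_from_known_plaintext(frame, known_plaintext):
    """What an observer learns: ciphertext XOR known plaintext = keystream for that IV."""
    return xor(frame[3:], known_plaintext)

def demo():
    secret = bytes.fromhex("0102030405")              # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")                      # constructed IV
    known = b"Subject: hello there, this is a test"   # plaintext the observer planted
    other = b"Private: meeting moved to room 201"     # a later frame from the same client
    frame1 = wep_style_encrypt(secret, iv, known)
    frame2 = wep_style_encrypt(secret, iv, other)                          # IV reused
    fresh = wep_style_encrypt(secret, bytes.fromhex("0a0b0d"), other)      # different per-packet key
    ks = keystream_from_known_plaintext(frame1, known)
    return {
        "keystream_recovered": ks == rc4(iv + secret, len(known)),   # True
        "same_iv_frame": xor(ks, frame2[3:]),        # equals `other`: confidentiality lost
        "fresh_key_frame": xor(ks, fresh[3:]),       # garbage: keystream differs
    }
```

WEP's 24-bit IV space makes the reused-IV case routine on a busy network, which is why TKIP's per-packet keying matters.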