An educational institute's internal network connects to the Internet through a single gateway router.
The institute's public address range is 220.127.116.11/16. The gateway router's external interface (referred to as ifext) has address 18.104.22.168.
The internal network is made up of the following subnets.
A DMZ, attached to the gateway router's interface ifdmz, using address range 22.214.171.124/24.
A small network known as shared, on which the gateway router's internal interface ifint connects to three other routers: staff_router, student_router and research_router.
This network uses the 10.3.0.0/16 address range and contains only the four routers.
A staff subnet, intended for use by employees only, attached to staff_router. It uses network address 10.3.1.0/24.
A student subnet, intended for student use, attached to student_router. It uses network address 10.3.2.0/24.
A research subnet, used by research staff, attached to research_router.
In total there are four routers (the gateway router and one router each for the staff, student and research subnets) and five subnets (DMZ, shared, staff, student and research).
The DMZ contains two servers that must be reachable by anyone on the Internet: a web server supporting HTTP and HTTPS, and an SMTP email server.
The staff, student and research subnets can access the web server. Only members of the staff subnet can access the email server, and they do so using IMAP.
The gateway router also acts as a stateful packet-filtering firewall and performs port address translation (PAT).
The security requirements of the educational institute are as follows, in addition to the DMZ setup described above.
External Internet users must not be able to access internal computers, except for the DMZ servers and as described in the other requirements.
Students, staff and researchers must be able to access the Internet.
Researchers on the research subnet run a server to share data with research partners outside the educational institute.
The server offers SSH access and a specialised TCP-based file transfer protocol that uses port 1234; both are used by the partners.
The server's internal address is 10.3.3.31. Static NAT on the gateway router maps the public address 126.96.36.199 directly to this internal address.
There are currently two partner organisations that may access the server; their network addresses are 188.8.131.52/24 and 184.108.40.206/24.
The professor who leads the research staff also needs to access the data-sharing server from home.
The professor's home connection is allocated an address by a commercial ISP from the range 104.55.0/16.
Answer the following questions based on the above information:
Draw a diagram that illustrates the network.
Although each of the staff, student and research subnets could contain many computers, draw only three computers in each of them. One of the three computers in the research subnet should be the data-sharing server.
You must label all router interfaces and computers with IP addresses.
Specify the firewall rules using the table format given.
Add or remove rows as necessary.
You may add an explanation after the table.
Consider the rule(s) that allow the professor to access the data-sharing server from home.
Discuss their limitations and propose possible solutions.
Objective: recognise the key challenges in securing WiFi networks.
Explain what a MAC address filter is and how it can be used to protect WiFi networks.
Also explain at least two of its limitations.
WPA-Personal (CCMP) uses AES for encryption.
Consider the key used by WPA-Personal (CCMP) and the typical passphrase chosen by home users.
Discuss the differences (e.g. length, character set, and how the passphrase is converted into the AES key), and then discuss a brute force attack on WPA-Personal in home deployments.
Objective: learn what makes a strong passphrase and why strong passphrases are difficult for most users to use.
You manage IT security for an organisation of about 100 employees.
All users have their own office computers (PCs and laptops), but they also do work on other computers, such as personal mobile devices or shared computers.
For example, a user may have a Windows PC in their office, occasionally use a Windows PC or Mac in a lab or shared space, and regularly use an Android or iOS smartphone for work.
A variety of operating systems is therefore in use on both desktop and mobile devices.
You are responsible for educating users about passwords and recommending solutions to the organisation.
Two options for password management are available to you.
Option 1: You recommend policies to management, provide user training, and apply password rules within the different systems (e.g. when passwords are created).
You do not expect most users to use password management software under this option.
Option 2: All users must use the same password management software (e.g. LastPass, KeePass or 'wallet' software).
Consider Option 1 first and answer the sub-questions below.
You are planning the user training session.
You have already explained password length and character sets to users (e.g. the minimum recommended length and the types of characters to include).
List three (3) additional recommendations that users should follow when using passwords.
Explain each recommendation in detail, describing its benefits and drawbacks.
For example:
It is a good idea to do ...
Doing this has the benefit of ...
One drawback of this is ...
(Note: password length and character set cannot be used as a recommendation; you must choose other recommendations.)
You are designing the technical controls for the password checking system used when users register or create a new password.
You have decided on a minimum password length of 8 characters.
List three (3) other rules the system should enforce.
State each rule clearly, with one advantage and one disadvantage.
For example:
Rule 1. A password must be at least 8 characters long.
Advantage of this rule: ...
Disadvantage of this rule: ...
(Note: password length cannot be used as one of your rules; you must choose three other rules.
Character set may be used as a rule, but counts as at most one rule.)
Now consider Option 2 and answer the following questions.
Give a brief overview of password management software, including its features and functions.
This summary is intended for users and managers.
Discuss the advantages and disadvantages of using a password manager application (compared with not using one).
Compare a web-based password manager, such as LastPass, against a standalone password manager, such as KeePass, explaining the advantages and disadvantages of each approach.
If standalone password management software is used, suggest where each user's password database(s) should be kept.
Explain why you prefer this approach.
Certificates and HTTPS
This question is answered using virtnet, the same tool used in the workshops to study HTTPS certificates.
It assumes you already know how to set up and use virtnet.
Moodle and the workshop instructions explain how to set up and use virtnet, deploy the website and test it.
Your task is to:
Create topology 5 in virtnet.
Deploy the MyUni demo website on the nodes.
Configure the web server to support HTTPS.
Capture the traffic of an HTTPS session from the web browser on node1 to the web server.
Save the capture as https.pcap.
Test and analyse the HTTPS connection.
The following sub-questions are based on that test and analysis.
Submit your certificate (.pem file) and the HTTPS capture https.pcap to Moodle.
Draw a message flow diagram showing the SSL packets of the first TCP connection.
Refer to Assignment 1 for instructions and additional requirements.
Draw only the SSL packets; do not draw the TCP 3-way handshake, ACKs, or connection close.
Use Wireshark to filter the packets belonging to the first TCP connection.
The protocol may be labelled "SSL" or "TLSv1.2" depending on your Wireshark version.
A single TCP packet may contain one or more SSL messages (in Wireshark, look inside each packet for every "Record Layer" entry to find the SSL message name).
You must draw each SSL message.
If a TCP packet contains multiple SSL messages, draw multiple arrows and label each one with the SSL message name.
Be clear about which packets/messages are encrypted.
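An added example, not from the assignment or the virtnet capture: a small parser in Python that does what the Wireshark hint above describes, splitting one TCP payload into TLS records and listing the handshake messages inside each, and tracking ChangeCipherSpec so that later records from the same sender are reported as encrypted. The two sample segments are constructed for this example (a server flight carrying ServerHello, Certificate and ServerHelloDone in one record, and a client flight ending in an encrypted Finished); the message bodies are placeholders, since only the framing matters here.

```python
"""Split a TCP payload into TLS records and handshake messages (added example)."""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
TLS12 = b"\x03\x03"


def record(content_type: int, body: bytes) -> bytes:
    """5-byte record header (type, version, length) followed by the body."""
    return bytes([content_type]) + TLS12 + struct.pack("!H", len(body)) + body


def handshake(msg_type: int, body: bytes) -> bytes:
    """4-byte handshake header (type, 24-bit length) followed by the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def parse_segment(payload: bytes, encrypted: bool = False):
    """Return ([(record type, [message names], is_encrypted)], encrypted) for one direction.

    `encrypted` is the sender's state carried over from earlier segments in the
    same direction: after that side's ChangeCipherSpec every later record it
    sends is ciphertext, which Wireshark shows as "Encrypted Handshake Message"
    or "Application Data".
    """
    out, off = [], 0
    while off < len(payload):
        if off + 5 > len(payload):
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        off += 5 + length
        name = CONTENT_TYPES.get(ctype, f"type{ctype}")
        if encrypted:
            out.append((name, ["<encrypted>"], True))
        elif ctype == 22:
            names, pos = [], 0
            while pos < len(body):   # one record may carry several handshake messages
                mtype = body[pos]
                mlen = int.from_bytes(body[pos + 1:pos + 4], "big")
                names.append(HANDSHAKE_TYPES.get(mtype, f"type{mtype}"))
                pos += 4 + mlen
            out.append((name, names, False))
        else:
            out.append((name, [], False))
            if ctype == 20:
                encrypted = True   # everything this side sends from now on is encrypted
    return out, encrypted


# Constructed sample segments (not from the assignment capture). Bodies are
# placeholders; only the framing matters to this parser.
SERVER_FLIGHT = record(22, handshake(2, TLS12 + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
                       + handshake(11, b"\x00\x00\x00")
                       + handshake(14, b""))
CLIENT_FLIGHT = (record(22, handshake(16, b"\x00\x00"))
                 + record(20, b"\x01")
                 + record(22, bytes(48)))   # encrypted Finished: opaque bytes

if __name__ == "__main__":
    for label, seg in (("server -> client", SERVER_FLIGHT), ("client -> server", CLIENT_FLIGHT)):
        records, _ = parse_segment(seg)
        for rtype, msgs, enc in records:
            print(label, rtype, msgs, "(encrypted)" if enc else "")
```

Each direction keeps its own `encrypted` state, which is why the server's Certificate is still readable after the client has sent ChangeCipherSpec: only records sent after a side's own ChangeCipherSpec are ciphertext.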
Based on your understanding of HTTPS and the capture:
What port number does the web server use for HTTPS?
Which symmetric key cipher was used to encrypt the data?
Which public key cipher was used to exchange the secret information?
Which cipher and which hash algorithm were used to sign the web server certificate?
To complete the task you had to manually load the CA certificate into the client (the lynx web browser).
This is unnecessary on real networks: the web browser user does not have to load the CA certificate, because it is normally already present.
Explain how the web browser already knows the CA certificate, and the limitations of this approach.
Objective: learn about the benefits of Internet privacy technologies (including VPNs and Tor) and understand their disadvantages.
Encryption is used on the Internet to protect data confidentiality: other entities along the communication path between two hosts cannot read the data being sent.
But encryption does not protect the identity of those communicating.
Even though the data cannot be read by other entities, they can still identify which hosts are communicating.
Consider an Internet path on which client C communicates with server S using IPv4.
A malicious user wants to learn who is communicating and when. Suppose they have access to one router on the path, router Rm, and can capture packets on it.
Note that Rm is not directly connected to the subnets of C or S.
What information can the malicious user learn about C and S?
Consider both computer addresses and information that might identify the human user (e.g. names and locations), and describe how the malicious user might obtain this information.
How does your answer to subquestion (a) change if Network Address Translation (NAT) is used in C's subnet (but not in S's)?
Virtual Private Networks (VPNs) are one method of providing privacy on the Internet.
Consider client C using a VPN server located on a router on the path between C and S, but not on Rm.
What information could the malicious user gain about who is communicating when C and S talk via the VPN?
A VPN server has some disadvantages: performance may be lower than communicating directly with S; the VPN server must be trusted; and its logs could be requested or accessed by a malicious user.
Discuss each of these potential drawbacks.
Tor uses onion routing to protect its users' privacy.
It is generally considered to offer more privacy than a VPN.
These sub-questions require you to learn the basics of Tor.
Explain how Tor (onion routing) works.
Use the example of C and S: describe how C could communicate with S using Tor instead of a VPN.
What are the advantages of Tor compared to a VPN?
What are the disadvantages of Tor compared to a VPN?
Figure 1: Network Diagram
Rule 1 permits the first partner network (188.8.131.52/24) to establish SSH connections to the data-sharing server and to transfer files using the TCP-based protocol on port 1234.
Rule 2 permits the second partner network (184.108.40.206/24) to do the same.
Rule 3 allows traffic from the staff subnet to the web server in the DMZ for HTTP/HTTPS.
Rule 4 allows traffic from the student subnet to the web server in the DMZ for HTTP/HTTPS.
Rule 5 allows traffic from the research subnet to the web server in the DMZ for HTTP/HTTPS.
Rule 6 allows traffic from the staff subnet to the email server in the DMZ using IMAP, which is the only internal email access the requirements permit.
Rule 7 allows any address in the professor's ISP range 104.55.0/16 to reach the data-sharing server over TCP (SSH and port 1234).
The limitation of rule 7 is that the professor's home address changes, so the rule has to admit the ISP's whole /16: every other customer of that ISP can also reach the SSH and file transfer ports. Better options are to have the professor connect through a VPN to the gateway and then be treated as an internal host, to obtain a static address from the ISP and restrict the rule to it, or at least to require key-based SSH authentication on the server.
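As an added worked example (not part of the assignment or of the original answer), the rule set above written as a first-match packet filter in Python. The DMZ host addresses (web server 22.214.171.10, mail server 22.214.171.20), the research subnet prefix 10.3.3.0/24 (implied by the server address 10.3.3.31) and the reading of the professor's range as 104.55.0.0/16 are assumptions; rules are matched on the public (pre-NAT) destination, so the data-sharing server appears as 126.96.36.199. Two rules the text does not list, Internet-to-web and Internet-to-SMTP, are included because the DMZ requirements call for them, followed by an explicit internal-to-DMZ deny; evaluating a few connections shows why that deny has to come before the general internal-to-Internet allow, and source_scope shows how many addresses the professor rule admits.

```python
"""First-match packet filter for the institute's gateway (added example).

Assumptions (not given in the assignment): the DMZ web server is 22.214.171.10,
the DMZ mail server is 22.214.171.20, the research subnet is 10.3.3.0/24 (implied
by the server address 10.3.3.31) and the professor's ISP range "104.55.0/16" is
read as 104.55.0.0/16. Rules match the public, pre-NAT destination address.
"""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
DMZ = "22.214.171.124/24"     # as written in the assignment; host bits are masked off
WEB = "22.214.171.10"         # assumed DMZ web server address
MAIL = "22.214.171.20"        # assumed DMZ mail server address
DATA = "126.96.36.199"        # public NAT address of the data-sharing server 10.3.3.31
STAFF, STUDENT, RESEARCH = "10.3.1.0/24", "10.3.2.0/24", "10.3.3.0/24"
INTERNAL = "10.3.0.0/16"
PROFESSOR_ISP = "104.55.0.0/16"  # assumed reading of "104.55.0/16"


def net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False so prefixes written with host bits set still parse
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    num: int
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "any"
    dports: tuple     # allowed destination ports; () means any port
    action: str       # "allow" or "deny"
    note: str


# Order matters: the filter stops at the first rule that matches.
RULES = [
    Rule(1, "188.8.131.52/24", DATA, "tcp", (22, 1234), "allow", "partner 1: SSH + file transfer"),
    Rule(2, "184.108.40.206/24", DATA, "tcp", (22, 1234), "allow", "partner 2: SSH + file transfer"),
    Rule(3, STAFF, WEB, "tcp", (80, 443), "allow", "staff -> web server"),
    Rule(4, STUDENT, WEB, "tcp", (80, 443), "allow", "student -> web server"),
    Rule(5, RESEARCH, WEB, "tcp", (80, 443), "allow", "research -> web server"),
    Rule(6, STAFF, MAIL, "tcp", (143, 993), "allow", "staff -> email server, IMAP only"),
    Rule(7, PROFESSOR_ISP, DATA, "tcp", (22, 1234), "allow", "professor at home"),
    Rule(8, ANY, WEB, "tcp", (80, 443), "allow", "Internet -> web server"),
    Rule(9, ANY, MAIL, "tcp", (25,), "allow", "Internet -> SMTP"),
    Rule(10, INTERNAL, DMZ, "any", (), "deny", "no other internal -> DMZ traffic"),
    Rule(11, INTERNAL, ANY, "any", (), "allow", "internal -> Internet"),
    Rule(12, ANY, ANY, "any", (), "deny", "default deny"),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int, rules=RULES):
    """Return (action, rule number) for the first rule matching a new connection.

    Models only the first packet of a flow; a stateful firewall admits the
    reverse direction automatically once a flow is allowed.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in net(r.src) or dst not in net(r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action, r.num
    raise RuntimeError("rule set has no default rule")


def source_scope(rule: Rule) -> int:
    """Number of source addresses a rule admits; shows how wide rule 7 is."""
    return net(rule.src).num_addresses


if __name__ == "__main__":
    for pkt in [("188.8.131.99", DATA, "tcp", 22), ("104.55.200.7", DATA, "tcp", 1234),
                ("10.3.3.5", MAIL, "tcp", 143), ("10.3.1.5", MAIL, "tcp", 143),
                ("203.0.113.9", "10.3.1.5", "tcp", 445)]:
        print(pkt, "->", evaluate(*pkt))
    print("addresses admitted by the professor rule:", source_scope(RULES[6]))
```

The model covers the first packet of each flow only; the stateful gateway admits replies automatically. Moving rule 10 below rule 11 silently lets the research subnet reach the mail server, which is the kind of ordering error a review of the table should catch.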
MAC Address Filtering
MAC filtering allows wireless devices to be admitted or rejected based on their MAC addresses.
It gives network administrators a way to restrict access to known devices and block others from the network.
It is a built-in feature of most wireless routers and access points.
What is a MAC filter and how does it affect security?
The feature lets you whitelist or blacklist systems on your network based on their MAC addresses.
Further configuration (for example, different policies) can then be applied to the allowed systems.
A whitelist works better than a blacklist: only the systems on the whitelist are allowed to join, whereas a blacklist only blocks the specific devices you already know about.
Every device that tries to join the network is matched against the list. If a device's MAC address is not listed, the filter prevents it from joining.
Limitations of MAC Address Filtering
Every new device must be added to the whitelist before it can connect, and the list must be maintained as devices are replaced; this administrative overhead applies to any device, wireless or wired.
An attacker can spoof a permitted MAC address, which defeats the filter entirely: once the attacker's interface presents an allowed address, the access point cannot tell it from the legitimate device.
The attacker obtains a permitted address with a sniffer: MAC addresses are carried in the clear in 802.11 frame headers even on encrypted networks, so a passive capture of traffic near the access point reveals the addresses of devices already communicating with it.
How the key is calculated
WPA was introduced as an improvement to WEP; WPA-Personal authenticates wireless clients to the AP using a pre-shared key.
WPA-PSK was supported by many existing devices, although older devices needed a firmware update to become compatible.
The pre-shared key is used with TKIP (WPA) or AES-CCMP (WPA2). The PSK itself is 256 bits; CCMP encrypts with AES-128 using a temporal key derived from it during the 4-way handshake.
The key is configured either as 64 hexadecimal digits (the 256-bit key entered directly) or as a passphrase of 8 to 63 printable ASCII characters.
Home users almost always choose an ASCII passphrase. The 256-bit key is then derived from it with PBKDF2: the passphrase is the password, the SSID is the salt, HMAC-SHA1 is the pseudo-random function, and 4096 iterations are run to produce 32 bytes.
Brute force attack on WPA
WPA-Personal can be attacked, but not in the way WEP is broken: there is no shortcut to recover the key from captured traffic. Instead, an attacker captures the 4-way handshake and then tries passphrases offline, running the PBKDF2 derivation for each guess.
The attack succeeds only if the chosen passphrase is weak enough to be guessed.
To resist it, the passphrase should consist of random characters; since random strings are hard to remember, users need another way of producing strong passphrases.
Against brute force, 20 characters drawn from the 95 printable ASCII characters is a safe length: that keyspace is about 2^131, far beyond what an attacker can search at 4096 PBKDF2 iterations per guess.
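As an added example (not part of the original answer), the derivation described above in Python using the standard library's PBKDF2, together with the loop an offline attack runs over candidate passphrases and the keyspace arithmetic behind the 20-character recommendation. The is_correct callback stands in for checking a candidate key against the MIC of a captured 4-way handshake, which a real tool such as aircrack-ng performs; the candidate list and the pass/fail oracle here are constructed. The passphrase/SSID pair "password"/"IEEE" is the IEEE 802.11i test vector.

```python
"""WPA/WPA2-Personal PSK derivation and an offline passphrase guess (added example)."""
import hashlib
import math
import string

ITERATIONS = 4096
PMK_LEN = 32          # 256-bit Pairwise Master Key


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(),
                               ITERATIONS, PMK_LEN)


def pmk_from_config(value: str, ssid: str) -> bytes:
    """A 64-hex-digit key is used as the PMK directly; anything else is a passphrase."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


def guess_passphrase(candidates, ssid: str, is_correct):
    """Offline attack loop over a wordlist.

    `is_correct(pmk)` stands in for verifying a candidate PMK against the MIC of
    a captured 4-way handshake; the caller supplies it. Returns the passphrase
    found (or None) and the number of PBKDF2 derivations spent.
    """
    tried = 0
    for cand in candidates:
        tried += 1
        if is_correct(wpa_psk(cand, ssid)):
            return cand, tried
    return None, tried


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of passphrases of this length over this alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    target = wpa_psk("password", "IEEE")          # 802.11i test vector
    print("PMK:", target.hex())
    # constructed wordlist and oracle for the demonstration
    print(guess_passphrase(["letmein123", "qwertyuiop", "password"], "IEEE",
                           lambda pmk: pmk == target))
    print("8 lowercase letters:", round(keyspace_bits(26, 8)), "bits")
    print("20 printable ASCII chars:", round(keyspace_bits(95, 20)), "bits")
```

Each candidate costs a full 4096-iteration derivation with the network's SSID as salt, so a wordlist precomputed for one SSID is useless against another; that cost is what makes the passphrase, not the cipher, the weak point.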
Passwords should have an expiry date, after which the user must choose a new password and may not reuse the old string.
Advantage: a password that has leaked without the user's knowledge stops working at the end of the period. Disadvantage: users have to memorise a new password each period.
Do not build the password from dictionary words or personal information. Advantage: attackers cannot guess it from a wordlist or from personal data. Disadvantage: such passwords are harder to remember.
Use multi-factor authentication to verify the user's identity. Advantage: a guessed or leaked password alone is not enough to log in. Disadvantage: the user needs a second device, such as a phone on which the one-time password (OTP) is received.
Rule 1. Common phrases and dictionary words are not allowed.
Advantage: a dictionary attack cannot succeed, so the password is more secure.
Disadvantage: random characters are hard to remember and manage, so users forget them.
Rule 2. Passwords must not contain personal information such as birth date, location, favourite song or favourite band.
Advantage: this information is easy to find on social media, so excluding it removes an easy line of attack.
Disadvantage: it is harder to make up and remember a password without such anchors.
Rule 3. Passwords must include numerals and special characters, and the same character may not be repeated consecutively.
Advantage: a jumbled password that is very hard to guess.
Disadvantage: it is difficult for users to create and remember a password this complex.
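An added example, not from the original answer: the three rules above plus the 8-character minimum implemented as a password checker in Python. The wordlist and the user profile are constructed stand-ins for a real dictionary and the user's HR record, and the substitution table (0 for o, @ for a and so on) is an assumption about what a dictionary attacker would also try.

```python
"""Password rule checker for account registration (added example)."""
import re

# Constructed stand-ins for a real dictionary and for the user's profile record
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "football", "qwerty", "monkey"}
# Substitutions a dictionary attacker also tries (assumption): undo them before matching
DESUBSTITUTE = str.maketrans("0134$@!", "oleasai")


def check_password(pw: str, profile: dict, min_len: int = 8, wordlist=COMMON_WORDS) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    violations = []
    if len(pw) < min_len:
        violations.append(f"shorter than {min_len} characters")
    lowered = pw.lower()
    desubbed = lowered.translate(DESUBSTITUTE)
    # Rule 1: no dictionary word, even with leetspeak substitutions
    hits = [w for w in wordlist if w in lowered or w in desubbed]
    if hits:
        violations.append(f"contains dictionary word(s): {', '.join(sorted(hits))}")
    # Rule 2: no personal information from the profile (name, birth year, city, ...)
    for field, value in profile.items():
        if len(value) >= 3 and value.lower() in lowered:
            violations.append(f"contains personal information ({field})")
    # Rule 3: at least three of the four character classes
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        violations.append("uses fewer than three character classes")
    return violations


if __name__ == "__main__":
    profile = {"first_name": "Alice", "surname": "Nguyen", "birth_year": "1990"}  # constructed
    for candidate in ("P@ssw0rd!", "Alice1990!x", "summer", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, profile) or "accepted")
```

The checker reports every failed rule at once rather than stopping at the first, so the user can fix a password in one attempt; "P@ssw0rd!" is rejected even though it satisfies the character-class rule, because undoing the substitutions exposes the dictionary word.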
Password managers let users focus on productive work instead of remembering a different password for each website.
After the user authenticates with the master password, the manager fills in the stored password each time the user visits a website.
Other information, such as addresses and email, can also be stored and filled in.
The manager generates random passwords, which resist guessing and dictionary attacks.
A password manager also helps against phishing: a stored password is offered only on the site for which it was created, so a lookalike URL is not filled in and the user is prompted as if for a new site.
Password managers help you manage your passwords: they store them, generate new ones, and retrieve them from the database when needed.
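An added example, not code from any password manager: the two mechanisms described above in Python, origin-bound autofill (the phishing protection) and generation of random passwords from the operating system's CSPRNG. The vault entries and site names are constructed; the hypothetical site moodle.myuni.example is used only to show that the port is part of the origin.

```python
"""Origin-bound autofill and CSPRNG password generation (added example)."""
import secrets
import string
from urllib.parse import urlsplit

# Constructed vault; a real manager keeps this encrypted under the master password
VAULT = [
    {"site": "https://www.lastpass.com", "user": "alice", "password": "example-only"},
    {"site": "https://moodle.myuni.example:8443", "user": "alice", "password": "example-only"},
]


def origin(url: str):
    """(scheme, host, port) with the default port filled in: the unit browsers isolate."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"not a web URL: {url}")
    return p.scheme, p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80)


def entries_for(url: str, vault=VAULT):
    """Entries eligible for autofill on this page: exact origin match only.

    A lookalike host (www.lastpass.com.evil.example), a different port, or an
    http:// downgrade of an https:// entry yields nothing, which is why a manager
    will not hand a credential to a phishing page.
    """
    page = origin(url)
    return [e for e in vault if origin(e["site"]) == page]


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random password from the OS CSPRNG, redrawn until every class is present."""
    if length < 12:
        raise ValueError("generated passwords should be at least 12 characters")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    for url in ("https://www.lastpass.com/login", "https://www.lastpass.com.evil.example/login",
                "http://www.lastpass.com/login", "https://moodle.myuni.example:8443/login/index.php"):
        print(url, "->", [e["user"] for e in entries_for(url)])
    print("generated:", generate_password())
```

Matching on the full origin rather than on a substring of the URL is the whole point: the phishing domain above contains "lastpass.com" as text, yet its origin is different, so nothing is filled.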
There are two types: web-based (synchronised through the provider's servers) and standalone (database held on the user's device).
The services available depend on the manager installed: an encrypted password database, password generation and filling, and storage of the database locally, remotely, or via an online file sharing service such as Dropbox.
Most password managers require one master password that unlocks all of the stored information.
Advantages of password managers
Passwords are generated randomly and are difficult to guess or crack.
Using a manager does not require any modification of the applications or websites it is used with.
Passwords are kept in encrypted form in the database, so nobody without the master password can read them.
It prevents reuse of the same password on every website: each site gets its own password, all tied to the one master password.
Major drawbacks of password managers
A poorly designed manager that stores passwords in plaintext exposes every password to anyone who can read the file.
A locally stored password file can be lost; keep a backup in a remote location, or you will have to reset the password on every website.
If the master password is guessed or leaked, an attacker gains access to everything at once; all passwords are then exposed.
Multi-factor authentication on the manager adds another layer of security, but requires another device on which to receive the OTP.
If the manager's password generator uses a weak (non-cryptographic) random source, the generated passwords can be predicted.
Comparison of web-based and standalone password managers
LastPass is the most widely used web-based password manager. It offers all the services found in other managers, and several of its features were either pioneering or significant improvements over its competitors.
The passwords it generates are strong and resistant to brute force attack.
LastPass is a browser extension that stores the encrypted vault remotely on the provider's servers; some features can also be used offline.
The vault is encrypted on the user's device before it is uploaded and stays encrypted once downloaded, so plaintext passwords are never sent over the network.
Offline access lets the user use stored passwords on their own computer without an Internet connection.
The drawback is that synchronisation depends on the Internet connection; without it, changes do not propagate.
Many people are wary of storing secrets online, and the benefits of keeping passwords in the cloud can be hard for users to accept.
KeePass suits people who want strong passwords generated for them but prefer to keep the entire password database locally on the computer where it is installed.
The KeePass database can be synchronised through Dropbox, but that means uploading the (encrypted) database file to the cloud, which many consider the greatest disadvantage of this approach.
Standalone password managers store the database locally; to use it on several devices there are two options, cloud storage or a copy kept as an email backup.
Both options preserve security because the standalone manager stores the database encrypted and integrity-checked, so any tampering is detected when it is opened; the copies are synchronised from the local database.
After running the deployment command, the MyUni site is installed on the system, but it is served only over plain HTTP and so is not yet secure.
In a TLS handshake the server sends its own (leaf) certificate together with any intermediate CA certificates; the root CA certificate itself is not sent.
The browser already holds a trust store of root CA certificates, shipped with the browser or the operating system, and verifies that the chain of signatures leads from the leaf to one of those trusted roots. This is why current browsers do not need to download the CA certificate before establishing an SSL connection. The limitation is that every CA in the store is trusted equally: a mistaken or compromised CA, or an extra root installed on the machine, can issue a certificate for any site that the browser will then accept.
Every packet carries the IP addresses of the source and destination. Link-layer (MAC) addresses are also present, but they are rewritten at each hop, so at Rm they identify only the neighbouring routers, not C or S.
From the IP addresses the malicious user can learn the organisation or ISP behind C and S (WHOIS, reverse DNS) and an approximate location (IP geolocation); port numbers, packet sizes, timing and unencrypted protocol fields such as DNS queries or the TLS server name indication reveal which service is used and when.
Nmap can then be run against either system to fingerprint the installed operating system.
traceroute lets the malicious user map the entire path to either system.
If NAT is used in C's subnet, the malicious user sees only the public address of the NAT device, so they can identify C's organisation or network but not C itself, and traceroute stops at the NAT device; the attack is far less precise than without NAT.
With a VPN, C establishes an encrypted tunnel to the VPN server, and the VPN server forwards the traffic to S; outsiders on the tunnel segment cannot read the communication.
Even if a malicious user captures the tunnel packets, they cannot decrypt them, and the inner IP header that names S is hidden. What Rm learns depends on where it sits: if the VPN server lies between C and Rm, Rm sees traffic between the VPN server and S and learns S but not C; if Rm lies between C and the VPN server, it sees only C talking to the VPN server and learns C but not S.
Performance is reduced because every packet is encrypted and decrypted and travels via the VPN server rather than directly.
Trust in the VPN: the VPN server decrypts the traffic and sees both C and S, so C must trust it completely. If the VPN server is compromised, the malicious user can read all the data and the VPN makes no difference (London Trust Media 2017).
VPN server logs: a malicious user might request or obtain the VPN server's logs, which record which addresses communicated with which, and so leak what was carried through the secure channel.
Tor's main goal is to separate routing from identity, so that traffic analysis and surveillance by a malicious party are defeated.
It encrypts the packets in layers and bounces them through a circuit of relays run by volunteers around the globe; each relay knows only the previous and next hop, so even if Rm is on the path it sees only one encrypted hop of the circuit (London Trust Media 2017).
Tor vs VPN: advantages
You do not have to trust any single relay or path; circuits are chosen randomly and no one relay sees both C and S.
Your ISP cannot track your activity, only that you connect to Tor.
Tor is more private than a VPN: a VPN server sees both endpoints, whereas in Tor no single relay sees both endpoints and the traffic (London Trust Media 2017).
Tor vs VPN: disadvantages
Tor is blocked by many websites, so some sites cannot be viewed.
Too slow for P2P: packets are routed through a different circuit of relays each time, which makes P2P much slower.
No protection against malicious Tor nodes: the exit node sees the traffic to S in the clear unless it is separately encrypted (e.g. HTTPS), so a malicious node can capture and read it.
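An added example (not from the original answer or the Tor project): a toy three-relay onion circuit in Python showing what each relay can observe. The stream cipher (SHA-256 in counter mode) and the fixed per-relay keys are stand-ins for the AES keys Tor negotiates when it extends a circuit; they are constructed for illustration and must not be used as a real cipher. Running the circuit shows that the guard learns C but not S, the middle relay learns neither, and the exit learns S and the payload but not C.

```python
"""Toy onion routing circuit showing what each relay learns (added example)."""
import hashlib
import json


def keystream(key: bytes, length: int) -> bytes: 
    """SHA-256 in counter mode as a stand-in stream cipher; illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(circuit, dest: str, payload: str) -> bytes:
    """circuit: [(relay name, key shared between the client and that relay), ...], entry first.

    Layers are applied from the exit inward, so each relay removes exactly one
    and finds only the next hop underneath it.
    """
    blob = crypt(json.dumps({"next": dest, "payload": payload}).encode(), circuit[-1][1])
    for (name, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        blob = crypt(json.dumps({"next": next_name, "inner": blob.hex()}).encode(), key)
    return blob


def relay(name: str, key: bytes, blob: bytes, prev_hop: str):
    """Peel one layer: returns what this relay observes, the next hop, and the bytes it forwards."""
    layer = json.loads(crypt(blob, key))   # wrong key -> garbage -> ValueError
    seen = {"relay": name, "from": prev_hop, "to": layer["next"]}
    if "inner" in layer:
        return seen, layer["next"], bytes.fromhex(layer["inner"])
    return seen, layer["next"], layer["payload"].encode()


def run_circuit(circuit, client: str, dest: str, payload: str):
    """Push one message through every relay; returns (per-relay views, final hop, delivered bytes)."""
    blob, prev = build_onion(circuit, dest, payload), client
    views = []
    for name, key in circuit:
        seen, nxt, blob = relay(name, key, blob, prev)
        views.append(seen)
        prev = name
    return views, nxt, blob


# Constructed circuit; in Tor these keys come from the circuit-extension handshake
CIRCUIT = [("guard", b"k1" * 16), ("middle", b"k2" * 16), ("exit", b"k3" * 16)]

if __name__ == "__main__":
    views, hop, data = run_circuit(CIRCUIT, "C", "S", "GET / HTTP/1.1")
    for v in views:
        print(v)
    print("delivered to", hop, data)
```

The per-relay views are exactly what a malicious relay, or an Rm sitting between two relays, can record: one adjacent hop on each side and ciphertext. Only the exit ever sees the payload, which is the reason the disadvantage above recommends end-to-end encryption such as HTTPS on top of Tor.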
References
Mobile-based password manager that is secure. Sixth International Conference on Digital Information Processing and Communications (ICDIPC 2016).
Lashkari, A. H., Danesh, M. M. S. and Samadi. A survey on wireless security protocols (WEP, WPA and WPA2/802.11i). 2009 IEEE International Conference on Computer Science and Information Technology.
Bypassing web based wireless authentication systems. IEEE Long Island Systems, Applications and Technology Conference 2011.
London Trust Media, Inc. (2017). What are the advantages and disadvantages of Tor vs VPN vs Proxy?
Conciliating remote home network access and MAC-address management. 2012 IEEE International Conference on Consumer Electronics.
12 Tcpdump Commands: A Network Sniffer Tool.
Cloud Password Manager Using Privacy Preserved Biometrics. 2014 IEEE International Conference on Cloud Engineering.