Network Security Assessment: PCAP Analysis, PAT Tables, Firewall Design, and Attack Differences

This examination covers a wide array of network security topics, starting with a PCAP analysis challenge where Peter, the Network Security Manager, unravels a potential attack on his organization’s e-sales system. We delve into identifying anomalies in the traffic and tools used by the attacker, shedding light on their tactics and the compromised host. Wireshark filtering techniques come into focus as we explore Peter’s investigative methods.

The second question shifts the focus to Port Address Translation (PAT) in a small office scenario. We provide a detailed PAT table, ensuring that internal and external network addressing align accurately. This exercise highlights the importance of maintaining source port consistency.

Question 3 delves into the world of firewall design for Reliable Power Supplies (RPS). A dual firewall system, demilitarized zone (DMZ), and special host considerations are detailed. The security policy requirements, including NAT, packet filtering, and proxy usage, are outlined. The provided tasks include creating a network layout showcasing all network components, complete with labeling and IP addresses.

Lastly, Question 4 explores the distinctions between DNS Poisoning and ARP Poisoning attacks. We analyze the complexity of execution, consequences, and countermeasures for both, emphasizing the need for advanced security protocols like DNSSEC and static ARP entries. This comprehensive assessment offers an in-depth exploration of network security principles.

COIS23001 Network Security Term 3 2015

Assignment 1

Question 1: PCAP Analysis [10 marks]

Note: for this question, you need to download a PCAP file located in the course Moodle web site.

Peter is the Network Security Manager for a small spare parts business. The organisation uses an e-sales application to provide a front-end for its e-sales business. Customers are complaining that in the last two or three days the system has become very slow, taking them longer than normal to place their orders. This information has been corroborated by staff complaining that they are not happy with the slow response of the system to complete their daily activities. Peter suspects that the system has been the target of criminal hands and before he starts responding to the attack, he decides to investigate the issue a little further. First, he reviews the firewall logs and notices something abnormal in the type of traffic directed to a number of internal hosts including the organisation’s web server. Curious about this traffic, Peter uses Wireshark to capture a trace of the traffic. [A section of this trace can be accessed from the course Moodle web site].

Based on the above fictional scenario and the provided PCAP:

(a) Identify the anomaly in the traffic this organisation is going through (1 Mark). What sort of evidence do you have to make this claim? (2.0 Marks).

From a single source, there are numerous TCP and ARP packets being sent, which is unusual for any network component. The sender with MAC address Dell_66:95:16 (78:2b:cb:66:95:16) sends numerous ARP packets as broadcast messages to flood the cache and then cause the server to be flooded.

(b) What sort of utility or tool do you think the “attacker” is probably using to conduct this attack? (1 mark)

The attacker is using an Arpspoof, Arpoison or Ettercap type of network tool to conduct this attack.

(c) Provide the IP address of the host used by the perpetrator (1 Mark). Based on this information, what can you tell about the profile of this individual? Explain why (3 Marks).

The IP address of the host being used is 138.77.216.10, after packets were sent from 138.77.216.12. According to this information, the attacker is using a compromised host on the network, through which he is able to send ARP packets as broadcast messages. The attacker probably got hold of one of the internal network hosts to carry out the attack.

(d) What Wireshark filter do you think Peter used to produce the given PCAP? Explain why (2 Marks).

A Wireshark display filter was used to produce the given PCAP. This was done to achieve packet filtering with colour coding and rules.

(Note: One to three lines for each answer is sufficient length to get full marks)


Question 2 (10 Marks)

A small office has a single external IP address and a small router that provides PAT. The office router’s external IP address is 65.64.72.103 and two of the internal hosts have the IP addresses 10.0.0.10 and 10.0.0.11. The hosts periodically connect to an external Web server at 139.78.9.245 and a mail server at 65.64.72.104.

Copy and complete the following PAT table, with the appropriate values.

Packet addressing on internal network                          | Packet addressing on external network

Source IP   Source Port   Destination IP   Dest. Port   Protocol | Source IP      Source Port   Destination IP   Dest. Port
10.0.0.10   1033          139.78.9.245     80           http     | 65.64.72.103   1033          139.78.9.245     80
10.0.0.10   1035          65.64.72.104     25           smtp     | 65.64.72.103   1035          65.64.72.104     25
10.0.0.11   1045          139.78.9.245     443          https    | 65.64.72.103   1045          139.78.9.245     443
10.0.0.11   1065          65.64.72.104     143          imap     | 65.64.72.103   1065          65.64.72.104     143

Explanation

Fresh entries were made by the routing device, as it has been assumed that no existing port registration or NAT entry was present. Thus, the source ports remain the same in the entries. Port numbers will not be less than 1024.

[Network diagram: Host 1 (IP 10.0.0.10) and Host 2 (IP 10.0.0.11) on the Private/Internal Network (LAN) connect through the PAT Device (Router), external IP 65.64.72.103, to the External Network (Internet), which holds the Web Server (ports 80 & 443) at IP 139.78.9.245 and the Email Server (ports 25 & 143) at IP 65.64.72.104.]
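As an added example (not part of the original assignment answer), the following script builds the PAT table above from the four internal flows and also handles the case the explanation assumes away: two internal hosts picking the same source port at the same time, where the router must allocate a fresh external port at or above 1024. Addresses and ports are those given in the question; the collision-handling policy is an assumption.

```python
# Added example: minimal PAT table builder for the small-office scenario.
# Addresses/ports come from the question; the collision rule is an assumption.
from dataclasses import dataclass

EXTERNAL_IP = "65.64.72.103"   # the router's single public address
EPHEMERAL_START = 1024         # page: "Port number will not be less than 1024"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

def build_pat_table(flows, external_ip=EXTERNAL_IP):
    """Translate each internal flow to its external form.

    With no prior NAT entry the source port is preserved, exactly as in the
    completed table.  If an external port is already in use by another
    mapping, the lowest free port >= 1024 is chosen instead, so that return
    traffic can still be mapped back to the right internal host.  (This model
    keys on the external port alone, which is stricter than a real 5-tuple PAT.)
    """
    table, in_use = [], set()
    for f in flows:
        ext_port = f.src_port
        if ext_port in in_use:
            ext_port = EPHEMERAL_START
            while ext_port in in_use:
                ext_port += 1
        in_use.add(ext_port)
        table.append({
            "internal": (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto),
            "external": (external_ip, ext_port, f.dst_ip, f.dst_port),
        })
    return table

# The four flows from the assignment's table.
FLOWS = [
    Flow("10.0.0.10", 1033, "139.78.9.245", 80, "http"),
    Flow("10.0.0.10", 1035, "65.64.72.104", 25, "smtp"),
    Flow("10.0.0.11", 1045, "139.78.9.245", 443, "https"),
    Flow("10.0.0.11", 1065, "65.64.72.104", 143, "imap"),
]

if __name__ == "__main__":
    for row in build_pat_table(FLOWS):
        print(row["internal"], "->", row["external"])
```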


Question 3 (10 marks)

You are the systems administrator of Reliable Power Supplies (RPS), a medium sized company that builds UPSs and switched power supplies for the computing industry. Your task is the analysis, design and configuration of a Firewall System that secures the inbound and outbound traffic at RPS. After conducting the needs analysis you have a clear picture of the type of firewall system that best suits RPS.

In the internal network, there is a special host (192.168.1.253/28) running an application that would be disastrous if it was compromised. Therefore, for your design, you opt for a dual firewall system that you believe is the best option for this specific case. You also go for a demilitarized zone (Network Address 10.0.0.0/24) containing the e-mail (10.0.0.20/24) and Web services (10.0.0.30/24) of the company.

Apart from providing NAT services and Packet Filtering, the first firewall (part of the dual configuration) acts as a Web and FTP Proxy server. This first firewall is connected to the Internet via 200.27.27.10/25 and to the DMZ via 10.0.0.10/24.

The second firewall is used to filter traffic between the internal network and the DMZ. It is connected via 10.0.0.254/24 to the DMZ and via 192.168.1.254/28 to the internal network. The internal network address is 192.168.1.240/28.

The security policy requirements used to configure the firewalls are outlined as follows:

RPS Web server contains public information including a product catalogue that is accessible to Internet users and it also provides secure online purchasing functionality using SSL/TLS. The internal users are also allowed to access all RPS WWW services; however they are allowed to access Internet WWW and FTP services only via the proxy located on the first firewall via port 3028. As mentioned, the internal network has a special host (192.168.1.253/28) which has complete access to any host and any services without using the proxy services configured in the first firewall system. The remaining internal hosts must go via the proxy on the first firewall.

The security policy requirements also dictate that the e-mail server receive messages from and send messages to hosts on the Internet and the internal users; however these internal users are to retrieve their messages via IMAP.

Any other service which is not explicitly outlined in the security policy should be restricted from the RPS network.

Your tasks:

1. Provide a network layout (network diagram) showing all the components of the RPS network including both firewalls, the email and web servers, the DMZ, and all the internal hosts (Note that you should draw all the internal hosts. The number of internal hosts can be found from the internal network address given above). Ensure you label all hosts (servers, internal computers and firewalls) with appropriate names and write the IP addresses for each network interface.

Marking (4 Marks):


2.0 Marks for including all components of the network

2.0 Marks for labeling all hosts with names and respective IP addresses

2. You are required to develop two sets of rules for the dual firewall. One will process traffic travelling between the Internet and the DMZ and Intranet. The other will process traffic travelling between the Intranet and the DMZ. You need to also explain what each rule does.
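As an added illustration of how the two rule sets can be expressed and checked (this is example code, not the assignment's model answer), the script below encodes the RPS security policy as two first-match rule lists with an implicit default deny, then evaluates sample packets against them. Hosts, networks and ports are taken from the question; the assignment of each rule to the first or second firewall is my reading of the policy, and the Internet addresses used in the usage lines are constructed documentation addresses.

```python
# Added example: first-match packet filter evaluator for the RPS policy.
# Networks and ports come from the question; rule placement is an interpretation.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("192.168.1.240/28")          # all internal hosts
SPECIAL = ip_network("192.168.1.253/32")           # the unrestricted special host
WEB, MAIL, PROXY = (ip_network(h) for h in ("10.0.0.30/32", "10.0.0.20/32", "10.0.0.10/32"))

# Each rule: (source net, destination net, protocol, destination ports or None=any, action)
FW1_RULES = [                                      # first firewall: Internet <-> DMZ/intranet
    (SPECIAL, ANY, "tcp", None, "allow"),          # special host: any host, any service, no proxy
    (ANY, WEB, "tcp", {80, 443}, "allow"),         # public catalogue and SSL/TLS purchasing
    (ANY, MAIL, "tcp", {25}, "allow"),             # inbound mail from the Internet
    (MAIL, ANY, "tcp", {25}, "allow"),             # outbound mail to the Internet
    (PROXY, ANY, "tcp", {80, 21}, "allow"),        # the proxy itself fetching WWW/FTP
]
FW2_RULES = [                                      # second firewall: intranet <-> DMZ
    (SPECIAL, ANY, "tcp", None, "allow"),
    (INTERNAL, WEB, "tcp", {80, 443}, "allow"),    # internal users may use all RPS WWW services
    (INTERNAL, MAIL, "tcp", {143, 25}, "allow"),   # IMAP retrieval and sending mail
    (INTERNAL, PROXY, "tcp", {3028}, "allow"),     # Internet WWW/FTP only through the proxy port
]

def evaluate(rules, src, dst, proto, dport):
    """Return the action of the first matching rule, or 'deny' when none matches
    ("any other service ... should be restricted")."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, rproto, ports, action in rules:
        if s in src_net and d in dst_net and proto == rproto and (ports is None or dport in ports):
            return action
    return "deny"

if __name__ == "__main__":
    # 203.0.113.x are constructed documentation addresses standing in for Internet hosts.
    print(evaluate(FW1_RULES, "203.0.113.5", "10.0.0.30", "tcp", 443))        # allow
    print(evaluate(FW2_RULES, "192.168.1.241", "203.0.113.7", "tcp", 80))     # deny: must use proxy
    print(evaluate(FW2_RULES, "192.168.1.253", "203.0.113.7", "tcp", 80))     # allow: special host
```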


Question 4 (10 marks)

DNS and ARP poisoning attacks are similar; however there are fundamental differences between the two. You are to research these specific differences, contrasting the way the attacks are conducted and some of the countermeasures available. Ensure you use at least three in-text academic references to contrast these attacks (include neither your textbook nor Wikipedia in these references. Failure to do so may not give you marks).

Remember that you are not to repeat in your research what DNS and ARP poisoning attacks are. We already know that from our discussions in class. In writing about the differences between the two types of attacks, contrast for example the complexity of the attacks (which one is easy to conduct and why), the impact (consequences) of the attacks, which one is more common and the different mechanisms available to counter the attacks. Write no more than 300 words (about a page including in-text references).

Marking (10 Marks):

2.5 Marks for contrasting the complexity of the two types of attacks

2.5 Marks for contrasting the impact (consequences) of the attacks

2.5 Marks for contrasting the countermeasures

2.5 Marks for the format of the writing (referencing, grammar and structure)

DNS Poisoning and ARP Poisoning are similar attacks yet have some basic differences. DNS modification is utilized in DNS poisoning, whereas for ARP Poisoning, spoofed messages are used to directly attack the victim’s computer. In the ARP Poisoning attack, the attacker does not modify the DNS table (Son & Shmatikov, 2010). DNS poisoning is more like a traffic reroute, whereas in ARP poisoning the attacker becomes the middle man between the victim and the network, intercepting all data. ARP Poisoning is more complex to conduct as, for this, the attacker needs a compromised host on the network or needs to be connected to the same network.

Denial of Service is a common consequence of both DNS Poisoning and ARP Poisoning. ARP poisoning leads to the interception of sensitive data and also facilitates various other attacks such as the man in the middle attack and session hijacking (Callegati, Cerroni & Ramilli, 2009). However, the loss of sensitive data is not possible in DNS Poisoning in the initial stages, as the attacker needs to reroute the host to a server/web page with infected files and malware. Thus the attacker gets complete control of the victim’s machine in ARP Poisoning in the initial stages, but in DNS Poisoning the attacker controls the DNS and the content being sent to the victim from the server.

Application level cryptography implemented in the deployed secured DNS (DNSSEC) is one of the best ways to authenticate the data being received from the DNS server, preventing DNS poisoning to a great extent. End to end validation with digital signatures can achieve the same. Protocols developed should not rely on trust relationships. ARP Poisoning can be prevented by allowing only static ARP entries, increasing the OS security and using Secure Shell (SSH) (Tripathy & Goyal, 2005). Packet filtering and spoofing detection software can help prevent both attacks.
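The "spoofing detection software" named as a countermeasure above, and the evidence the Question 1 answer relies on (one MAC address broadcasting ARP at an abnormal rate), can both be checked mechanically. The following added example (not from the original assignment) runs two detectors over constructed ARP records: a sliding-window broadcast-rate check per sender MAC, and a check for any IP address claimed by more than one MAC, which is what static ARP entries are meant to prevent. The MAC 78:2b:cb:66:95:16 and the 138.77.216.x addresses are taken from the Question 1 answer; the packet records, timestamps and the gateway MAC are constructed.

```python
# Added example: ARP flood and IP/MAC conflict detection over constructed records.
# Record layout (constructed): (timestamp_seconds, sender_mac, sender_ip, opcode, is_broadcast)
from collections import defaultdict

SAMPLE_ARP = (
    # 200 broadcast ARP replies in two seconds from the MAC named in the Q1 answer
    [(0.01 * i, "78:2b:cb:66:95:16", "138.77.216.10", "reply", True) for i in range(200)]
    + [(1.0, "00:11:22:33:44:55", "138.77.216.1", "request", True),   # constructed gateway MAC
       (1.5, "00:11:22:33:44:55", "138.77.216.1", "reply", False),
       (2.0, "78:2b:cb:66:95:16", "138.77.216.1", "reply", False)]   # gateway IP claimed by another MAC
)

def arp_broadcast_rate(records, window_s=1.0):
    """Return {mac: peak number of broadcast ARP packets seen in any window_s-second window}."""
    per_mac = defaultdict(list)
    for ts, mac, _ip, _op, bcast in records:
        if bcast:
            per_mac[mac].append(ts)
    peak = {}
    for mac, times in per_mac.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        peak[mac] = best
    return peak

def ip_mac_conflicts(records):
    """Return {ip: sorted MACs} for every IP address that more than one MAC claimed."""
    claims = defaultdict(set)
    for _ts, mac, ip, _op, _bcast in records:
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def flag_arp_anomalies(records, rate_threshold=50, window_s=1.0):
    """Combine both checks into a list of (kind, subject, detail) findings."""
    findings = [("arp_flood", mac, rate)
                for mac, rate in arp_broadcast_rate(records, window_s).items()
                if rate >= rate_threshold]
    findings += [("ip_mac_conflict", ip, macs) for ip, macs in ip_mac_conflicts(records).items()]
    return findings

if __name__ == "__main__":
    for finding in flag_arp_anomalies(SAMPLE_ARP):
        print(finding)
```

The rate threshold is a tuning knob: a legitimate host rarely broadcasts more than a handful of ARP frames per second, so a value around 50 separates the flood from normal gateway traffic in this sample.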
