Assignment title: Information
Submission Requirements
You are required to submit:
1. A single Microsoft Word file (unzipped) via the Moodle course web site. Details about the
online submission process required for this assessment item are available from the course
website.
2. A copy of mydetails.txt.asc file from Question 5
Question 1:
Snort Rules (10 Marks)
Scenario
A small company has a network set up behind a NAT router. The router is connected to the Internet via a
single ISP provided dynamic IP address. The ISP provided access address may change over short periods of
time.
The internal network is RFC 1918 Category 2 compliant, and uses the private address space 192.168.2.0/24.
The gateway router is configured to use DHCP allocated IP addresses to internal hosts as they connect.
However, a record is kept within the router of what IP addresses have previously been allocated to specific
MAC addresses. Whenever those MAC addressed hosts disconnect from and later reconnect to the network
they are reallocated the same IP address. It is only if the router has a power off episode, or is manually reset,
that allocation of different IP addresses may occur (and even then, the same addresses may be allocated as
before).
The company operates an approved internal web server at 192.168.2.21:80, to facilitate in-house
development of web pages and web sites that will later be deployed to an external server for public access. It
is a company policy that only one approved internal web server is to be in operation on the network.
It has come to the notice of the IT manager that a company employee has set up a rogue web server on the
internal network, using a personal laptop. The employee is using that web site to provide undesirable
material to a small clique of employees, to whom the web server address has been provided secretly.
Considerations
The rogue web server may be on any internal IP address, and will be using any of the ephemeral
ports. It will not be using a well-known port.
The clients accessing the rogue web server may come from any internal IP address using any
ephemeral port.
The MAC addresses of all company host devices are on record.
Page 1
COIS23001 – Network Security – Term 2, 2015
Assignment 2
Your job
Use snort to monitor for any internal network HTTP traffic destined for any internal host on any port
address other than the authorised company internal web server and produce an alert message.
You are to write a .conf file containing the snort rule(s) that will accomplish a solution and run it
against the pcap file provided.
The snort monitoring will identify when breaches have occurred. The Wireshark pcap file containing the
captured packets can be time correlated with the logged snort alerts to obtain MAC addresses for source and
target.
If your rule is correct the alert.ids file will show entries like the following:
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.439844 192.168.2.5:49496 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18940 IpLen:20 DgmLen:408 DF
***AP*** Seq: 0xE8349C5 Ack: 0xBCB171EE Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1210791384 0
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.440554 192.168.2.2:6400 -> 192.168.2.5:49496
TCP TTL:128 TOS:0x0 ID:1065 IpLen:20 DgmLen:1300 DF
***A**** Seq: 0xBCB171EE Ack: 0xE834B29 Win: 0xFE9B TcpLen: 32
TCP Options (3) => NOP NOP TS: 195453 1210791384
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.449929 192.168.2.5:49496 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18942 IpLen:20 DgmLen:367 DF
***AP*** Seq: 0xE834B29 Ack: 0xBCB1799C Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1210791384 195453
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.450478 192.168.2.2:6400 -> 192.168.2.5:49496
TCP TTL:128 TOS:0x0 ID:1067 IpLen:20 DgmLen:485 DF
***AP*** Seq: 0xBCB1799C Ack: 0xE834C64 Win: 0xFD60 TcpLen: 32
TCP Options (3) => NOP NOP TS: 195453 1210791384
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.904673 192.168.2.5:49496 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18947 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xE834C64 Ack: 0xBCB17B4E Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1210791413 195509
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.913290 192.168.2.5:49497 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18950 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xBF45540D Ack: 0xBEFA2FE2 Win: 0xFFFF TcpLen: 32
Page 2
COIS23001 – Network Security – Term 2, 2015
Assignment 2
TCP Options (3) => NOP NOP TS: 1210791413 0
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.913886 192.168.2.2:6400 -> 192.168.2.5:49497
TCP TTL:128 TOS:0x0 ID:1071 IpLen:20 DgmLen:571 DF
TCP Options (3) => NOP NOP TS: 195597 1210791413
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.919054 192.168.2.5:49498 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18956 IpLen:20 DgmLen:365 DF
***AP*** Seq: 0x18030D8E Ack: 0xCFE60A18 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1210791413 0
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.946959 192.168.2.2:6400 -> 192.168.2.5:49498
TCP TTL:128 TOS:0x0 ID:1075 IpLen:20 DgmLen:660 DF
***AP*** Seq: 0xCFE60A18 Ack: 0x18030EC7 Win: 0xFEC6 TcpLen: 32
TCP Options (3) => NOP NOP TS: 195598 1210791413
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:11.614057 192.168.2.3:1923 -> 192.168.2.2:6400
TCP TTL:128 TOS:0x0 ID:44619 IpLen:20 DgmLen:496 DF
***AP*** Seq: 0xC9090643 Ack: 0x550D4778 Win: 0xFFFF TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:11.656165 192.168.2.2:6400 -> 192.168.2.3:1923
TCP TTL:128 TOS:0x0 ID:1079 IpLen:20 DgmLen:230 DF
***AP*** Seq: 0x550D4778 Ack: 0xC909080B Win: 0xFE37 TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:19.504867 192.168.2.3:1926 -> 192.168.2.2:6400
TCP TTL:128 TOS:0x0 ID:44648 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0xEC018654 Ack: 0x5E762A07 Win: 0xFFFF TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:19.540195 192.168.2.2:6400 -> 192.168.2.3:1926
TCP TTL:128 TOS:0x0 ID:1082 IpLen:20 DgmLen:555 DF
***AP*** Seq: 0x5E762A07 Ack: 0xEC0187EE Win: 0xFE65 TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:19.550534 192.168.2.3:1926 -> 192.168.2.2:6400
TCP TTL:128 TOS:0x0 ID:44650 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xEC0187EE Ack: 0x5E762C0A Win: 0xFDFC TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
Page 3
COIS23001 – Network Security – Term 2, 2015
Assignment 2
09/12-19:11:19.590606 192.168.2.2:6400 -> 192.168.2.3:1926
TCP TTL:128 TOS:0x0 ID:1083 IpLen:20 DgmLen:792 DF
***AP*** Seq: 0x5E762C0A Ack: 0xEC018989 Win: 0xFCCA TcpLen: 20
Note: The classification identifier has been deleted.
Tips:
You will need to familiarise yourself with the HTTP header contents. You need to identify some text pattern
in the HTTP header that will unambiguously indicate whether a client is accessing a web server, or vice
versa. (remember, the rogue web server is operating on a non-standard ephemeral port.)
Make sure you include the standard Snort classtypes in your rule. Refer to the SNORT documentation to
determine which classtype is appropriate for this exploit as described above. You will probably have to
make use of the classification.config file (located in the Snort\etc\ directory) – research how
to make reference to this file from your rules file.
Failure to use the correct syntax in your rule will mean the rule is ineffective. This means you will lose
marks on this question.
Note: Duplicating the contents from the text, lecture slides, weekly notes or the Internet is not acceptable
(even if it is referenced) and will not attract any marks. Your solutions must be written in your own words. If
you cannot write your answer in your own words, then you have not yet mastered the topic and require
further reading or advice from your tutor. Any information taken from an external source (either from the
textbook or any other source) must be referenced appropriately. Failure to do so constitutes plagiarism.
a) Identification of Addresses
By inspecting the alert.ids entries you should be able to identify:
1. The IP address, and port number of the device hosting the rogue web server.
2. The IP addresses and port numbers of all devices that have accessed the rogue web server.
You are to enter this information into the table following
Description IP Address Port Number
Rogue Web Server
Accessing Client #1
Accessing Client #2
Explain in your own words how the MAC addresses of these devices can be discovered from the
pcap file.
Question 1 a) Marking Criteria
Up to a maximum of 4 marks for correctly identifying the rogue web server and the accessing
clients' information (table above)). 1 mark for explanation of MAC address identification.
b) Write your SNORT Rule with commenting using table below
Line Number SNORT RULE
1
Page 4
COIS23001 – Network Security – Term 2, 2015
Assignment 2
2
3
4
5
6
7
8
9
10
Question 1 b) Marking Criteria
2.5 marks for commenting and 2.5 marks for rule correctness.
Question 2:
Certificates (10 Marks)
A. Because there are multiple certificate authorities (CAs) for the Web PKI it is possible to buy
multiple certificates for the same domain signed by different CAs. How would a browser treat
these different certificates? (2 marks)
B. ) Suppose that an imposter is able to obtain a certificate for a domain that the imposter
doesn't own. (For example, in January 2001, an imposter tricked VeriSign into signing two
certificates for "Microsoft Corporation" to be used for signing new software to be installed.)
What sorts of attacks could an imposter pull off once in possession of such "fake" certificates for
i. installing software. (2 marks)
ii. Viewing Web pages (2 marks)
C Typically the public SSH keys used by servers are not signed by any
certificate authority, but the SSH protocol does support checking certificates.
i. Why, in practice, are server certificates rarely signed? (2 marks)
ii. What is the benefit of checking server certificates? (2 marks)
Question 3:
Firewall Rules (10 Marks)
Assume you have the following firewall rules:
Transpor
Rul
e
t
No.
Protocol
Source
IP
Sourc
Destination
e
IP
Port
Destinatio
n
Port
Actio
n
Page 5
COIS23001 – Network Security – Term 2, 2015
Assignment 2
1 UDP 0.0.0.0/0 any 129.174.17.180 53 allow
2 TCP 55.66.77.0/24 any 129.174.17/18
3 TCP 55.66.77.12 4500 129.174.17/18
4 TCP 127.0.0.1 443 129.174.17/18
5 TCP 0.0.0.0/0 any 129.174.17/18
6 UDP 0.0.0.0/0 any 129.174.17/18
7 TCP 0.0.0.0/0 any 129.174.17/18
8 TCP 0.0.0.0/0 any 129.174.17/18
9 TCP 0.0.0.0/0 any 129.174.17/18
10 UDP 129.174.16.20 1025 0.0.0.0/0 65535 allow
11 UDP 129.174.20.10
12 UDP 129.174.18.10
13 any 0.0.0.0/0 any 0.0.0.0/0 any allow
14 TCP 0.0.0.0/0 any 0.0.0.0/0 any deny
15 UDP 0.0.0.0/0 any 0.0.0.0/0 any deny
16 TCP 0.0.0.0/0 any 129.57.17.180 6000:6010 deny
17 TCP 0.0.0.0/0 any 129.174.17.180 0:1024 deny
18 any 0.0.0.0/0 any 129.174.17.180 any deny
0
0
0
0
0
0
0
0
0
0
1025 0.0.0.0/0 65535 allow
1025 0.0.0.0/0 65535 allow
22 allow
22 deny
6000 allow
6000 deny
32768 deny
32769 deny
32768 deny
80 allow
a) Define what a rule conflict is and Identify any conflicts. (5marks)
b) Identify any redundancies and explain which rule would be applied using each of the
following 3 matching strategies:
1. FIRST
2. BEST
3. LAST (5 marks)
Question 4:
Firewalls (10 Marks)
a) What is a proxy firewall and how is it different from a network (or transparent) firewall?
(3 marks)
b) What does NAT stand for, and how does the mechanism work? Describe what, if any,
security NAT provides (or fails to provide). (4 marks)
Page 6
COIS23001 – Network Security – Term 2, 2015
Assignment 2
c) Where would you place a web server in an organization assuming that you can use a
network firewall and why? (3 marks)
Question 4 Marking Criteria
A question that is addressed thoroughly will score full marks – a lesser mark will be awarded if
material is missed or the answer is unclear. 0 Marks will be awarded if the answer is copied directly
from sources (i.e. isn't in your own words).
Question 5 10 marks
You are the Chief Information security Officer (CISO) of a small medium sized - accounting Services
Company. In the last few weeks, senior staff have been complaining that some confidential
information has been disclosed via email without any authorisation. You are approached by the
Chief Information Officer (CIO) to discuss the issue and see the most appropriate way to tackle this
problem. You suspect that some of the employees might be using their technical skills to access
sensitive information either from the mail servers or during transmission. To counteract this
malpractice, you suggest to the CIO the implementation of encryption. Before you actually
implement the system, you want to conduct a pilot using the GNU Privacy Guard (GPG) software.
The pilot requires that you install GNU Privacy Guard (GPG) software onto your own computer and
complete the following activities.
Note: The GNU Privacy Guard is available for free download from http://www.gnupg.org/ and "A
Practical Introduction to GNU Privacy Guard in Windows" by Brendan Kidwell is available at
http://www.glump.net/howto/gpg_intro
After installing GPG software onto your own computer, complete the following tasks:
1. Generate your own key-pair by using GPG software and do not create a pass-phrase for your
private key (in a real world this is not a good practice. Just for the sake of this assignment, do not
create a pass-phrase). You must use screen-shots to show that you have successfully completed
this task. A valid screen-shot is similar to the one shown in Figure 1. Pay attention to the red
circles, which demonstrate the success of key pair generation ( 2 marks).
Figure 1 Key Pair Creation
Page 7
COIS23001 – Network Security – Term 2, 2015
Assignment 2
2. Export your public key and paste it into your assignment document. You must use two screen-
shots to show that you have successfully completed this task. One screen-shot is to show the use
of gpg command and the other is to show the exported public key. For example, the screen-shot
in Figure 2, shows a public key, which is exported into the file: CC-pubkey.txt (2 marks).
Figure 2 Screen-shot of a Public Key
Page 8
COIS23001 – Network Security – Term 2, 2015
Assignment 2
3. Explain the how to import the courses public key from the key-server http://pgp.mit.edu (we
have created a public key and stored it at the MIT PGP Public Key Server under the name
COIT20262-T1- 2016). Include in the assignment document the gpg command line, individual
options you used and their meaning. As above, use screenshots of website interactions, with
accompanying explanations of the screenshots to explain the steps involved in importing this
public key from the key-server http://pgp.mit.edu (3 marks).
4. Create an ASCII text file to store your full-name, your student number, and your student CQU
email address (please do not use any other email address). Then using the course public key,
encrypt this text file. The resulting file should also be ASCII armored so that it is readable once
decrypted by your lecturer / tutor. Failure to do so will result in loss of marks. Submit the
resulting encrypted file along with your assignment solutions document (word document) via
the online submission system and following the naming convention given above (3 marks).
An example explaining the steps to export a key
Here is a specific example for explaining the step of exporting a private key, to be imported onto
another computer running GPG. Use this example to guide you in how to give explanations in this
question.
To export your private key, you need to execute the following gpg command:
gpg -- output "privkey.txt" -- export-secret- keys "Xiao Li"
The output option specifies the filename in which to write the private key into. Finally, the export-secret-
keys option specifies the name of the private key to be exported. The name is given as "Xiao Li". This
option is distinct from the "export" option which exports only public keys.
Now the private key is stored in the file "privkey.txt" unencrypted and can be imported into another
version of GPG.
Hints:
Where required be detailed and specific about your actions explaining exactly what you did, and why
you did not. Document the exact GPG commands you have used, and provide an explanation of what
the command does, including the individual command line options, and/or provide screenshots of any
interactions with websites.
Brendan Kidwell's practical guide is not the only one available on the Internet. There are plenty of other
documents on the Internet that explain how to use GPG for various functions.
Marking:
2 Marks for key-pair creation
2 Marks for exporting your public key
3 Marks for explaining the steps how to import the course public key from the key-server
3 Marks for creating an ASCII text file and encrypting it using your lecturer's public key