ASSIGNMENT
For every answer, provide a complete rationale with examples
using in-text citations from reference material used during the course as well
as from other materials you researched on your own.
There are 8 questions, with maximum point values included
with each question. Your answers should be complete and supported by graphs,
charts, and table summaries. Each answer should have about 800 words (about 2
pages) excluding diagrams, illustrations, references or other materials.
Points will be awarded or deducted based upon:
- The answer displays a sound understanding of the subject matter and course material
- Citations used in the answer correspond to the topic
- The explanation conveys a sound and thorough understanding of the topic
- The answer reflects originality and critical thinking
- The answer is supported using in-text citations in APA 6th Edition format
- The submission includes APA 6th Edition compliant comprehensive references at the end of the exam, which provide the complete reference for all in-text citations used.
Partial credit will be given as appropriate. Do not leave
any responses blank. Some questions have no right or wrong answers and require
you to argue convincingly for your position.
If you encounter a question where you do not know the answer, make a
logical guess.
1. [Part A 8 points, Part B 8 points, 16 points total, TCP/IP]
Part A. Unlike IP fragmentation (which can be done by
intermediate devices), IP reassembly can be done only at the final destination.
What problems do you see if IP reassembly is attempted in intermediate devices
such as routers? [8 points]
Answer:
Part B. Let’s assume that Host A (receiver) receives a TCP
segment from Host B (sender) with an out-of-order sequence number that is
higher than expected as shown in the diagram. Then, what do Host A (receiver)
and host B (sender) do? [8 points]
Answer:
2. [8 points total] Describe or propose a way to detect ARP
spoofing attack. What could be a possible weakness in your proposed method?
Please do not discuss any prevention method (e.g., port security is an example
of a prevention method).
Answer:
3. [8 points total, Wireless LAN Security-WEP] What is the
main difference between the FMS attack and Chopchop attack?
Answer:
4. [10 points total] A large enterprise decides to use
symmetric encryption to protect routing update messages between its own routers
(i.e. entire routing update messages are encrypted by a strong shared symmetric
key). They think this will prevent routing table modification attacks. Do you
think their decision is appropriate? Do you see any problems or issues with
their decision?
Answer:
5. [15 points total] An ACK scan does not provide
information about whether a target machine’s ports are open or closed, but
rather whether or not access to those ports is being blocked by a firewall. If
there is no response or an ICMP “destination unreachable” packet is received as
a response, then the port is blocked by a firewall. If the scanned port replies
with a RST packet, that means the ACK packet reached its intended host. So the
target port is not being filtered by a firewall. Note, however, that even though
the ACK packet went through, the port itself may be open or closed.
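As an added illustration (not part of the assignment and not a model answer), the following Python sketch applies the reasoning above from the defender's side to a constructed packet trace: an ACK-only segment that belongs to no handshake the sensor observed is treated as unsolicited, and a source whose unsolicited ACKs touch many distinct ports within a short window is flagged. Addresses, ports and thresholds are constructed sample values.

```python
from collections import defaultdict

# Constructed sample trace (not real traffic): (timestamp, src, sport, dst, dport, flags)
SAMPLE_TRACE = [
    (0.00, "10.0.0.5", 40000, "10.0.0.9", 80, "S"),
    (0.01, "10.0.0.9", 80, "10.0.0.5", 40000, "SA"),
    (0.02, "10.0.0.5", 40000, "10.0.0.9", 80, "A"),    # final handshake ACK: legitimate
    (0.50, "10.0.0.5", 40000, "10.0.0.9", 80, "PA"),   # data on the established flow
    (1.00, "10.0.0.7", 51000, "10.0.0.9", 21, "A"),    # ACK-only probes with no handshake
    (1.01, "10.0.0.7", 51000, "10.0.0.9", 22, "A"),
    (1.02, "10.0.0.7", 51000, "10.0.0.9", 25, "A"),
    (1.03, "10.0.0.7", 51000, "10.0.0.9", 443, "A"),
    (1.04, "10.0.0.7", 51000, "10.0.0.9", 8080, "A"),
]


def detect_ack_scan(trace, min_ports=5, window=2.0):
    """Return {src: sorted probed ports} for each source whose unsolicited
    ACK-only segments hit at least min_ports distinct destination ports
    within `window` seconds. Thresholds are constructed sample values."""
    pending = set()      # flows that saw a SYN-ACK and await the client's final ACK
    established = set()  # flows whose three-way handshake completed (both directions)
    unsolicited = defaultdict(list)  # src -> [(timestamp, dport)] for ACKs outside any flow
    for ts, src, sport, dst, dport, flags in trace:
        flow = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if flags == "S":
            continue                      # SYNs are tracked only through the SYN-ACK
        if flags == "SA":
            pending.add(reverse)          # the client side will send the final ACK
            continue
        if flags == "A" and flow in pending:
            pending.discard(flow)
            established.update((flow, reverse))
            continue
        if flow in established or reverse in established:
            continue                      # traffic belonging to a known connection
        if flags == "A":                  # ACK with no handshake seen: stateless probe
            unsolicited[src].append((ts, dport))
    alerts = {}
    for src, events in unsolicited.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window over probe times
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts
```

A Snort rule set approximating this would combine an ACK-only flag match with a stateless flow check and a per-source threshold; the sketch shows why a handshake the sensor never saw (asymmetric routing, sensor started late) is a false-positive source such rules must tolerate.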
Describe at least 2 rules that could be used by Snort to
detect an ACK scan. Clearly express your assumptions and explain your rules. Do
you think Bro can do a better job of detecting an ACK scan?
Answer:
6. [10 points total] Explain the main difference between SQL
injection and XSS attacks.
Answer:
7. [Part A 15 points, Part B 9 points, 24 points total] As shown in the above diagram, Kevin, the
system admin, installed a text-message sender and a text-message receiver in a
Multi-Level-Secure (MLS) environment. In the MLS environment, two security
levels exist (i.e., Unclassified (Low) and Classified (High) levels). His goal
is to enforce the Bell-LaPadula (BLP) access control model in the network.
Essentially, the BLP model defines two mandatory access control rules:
- No Read Up Rule: a subject (Low) at a lower security level must not read an object (High) at a higher security level. Simply, a Low entity cannot have read-access to a High object.
- No Write Down Rule: a subject (High) at a higher security level must not write to any object (Low) at a lower security level. Simply, a High entity cannot have write-access to a Low object.
In this scenario, enforcing the BLP model means no
confidential information flows from Classified LAN (High) to Unclassified LAN
(Low). However, information can still flow from Unclassified LAN to Classified
LAN.
To achieve his goal, he configured both text message sender
and receiver as follows:
- The text message sender is configured to send a text message to the text message receiver via the TCP/IP protocol.
- The text message receiver is configured to receive a simple text message from the sender via the TCP/IP protocol.
- The following IP/port is given to each machine:
  - Text message sender: 192.168.2.2, port 9898 is open
  - Text message receiver: 192.168.3.3, port 9999 is open
  - A text message is allowed to be sent only from port 9898 of 192.168.2.2 (sender) host to port 9999 of 192.168.3.3 (receiver) host.
Part A) As you can see from the diagram above, the text
message sender and receiver have been compromised by the adversary and the
Trojan, respectively. However, the router with Snort IDS installed
(router/snort) is securely protected and can be fully trusted.
Write efficient Snort rules and access control lists which
will be implemented on the router/snort to detect or block confidential
information leakage from High to Low. Write your rationale for writing your
rules and access control lists. For
example, if the text message receiver (Trojan at High LAN) attempts to send a
text message (confidential information) to the text message sender (the
adversary at Low LAN), the attempt will be either blocked by your access
control list(s) or detected by your snort rule(s).
Write at least 3 Snort rules and at least 2 access control lists (ACLs). Please note that each rule
and ACL must have a complete and detailed rationale. If possible, you should submit screenshots
of the output of the Snort compilation to confirm that your Snort rules are
written correctly using the Lab #2 software. [15 points]
Hint: Access control lists are discussed in Module 10, and Snort rules are covered in Module 7
as well as Lab 2. To see more Snort options, please refer to
chapter 3 of the Snort User Manual 2.9.1 by the Snort Project (link:
http://www.snort.org/assets/166/snort_manual.pdf)
Answer:
Part B) Describe a way for the Trojan to covertly transmit 4
characters (e.g., A, B, C and D) to the adversary without being detected or
blocked by your rules and access control lists provided in Part A. [8 points]
Answer:
8. [9 points total, IPsec VPN] What do you think are the
advantages and disadvantages of using both the AH and ESP protocols on the same
end-to-end IPsec connection (transport mode)? In addition, it is recommended
that the ESP protocol be applied before the AH protocol. Why is this
approach recommended rather than authentication (AH) before encryption (ESP)?
Answer:
