COIT20262 – Advanced Network Security, Term 2, 2016
Assignment 2
Due date: 5pm Friday 7th October 2016 (Week 12)
Weighting: 50%
Length: N/A
Note: Attempt all questions

Assignment Submission
Your assignment must be in Microsoft Word format, and must be submitted electronically by
the due date via the Moodle website

Question 1 – Cryptographic Operations with GPG [10 marks]
Objective: gain experience with using software to perform common cryptographic
There are many different software (and hardware) implementations of cryptographic
operations. GNU Privacy Guard (GPG) is one such piece of software, which focusses on a
simple, open source implementation of common public key operations (but also includes
symmetric key encryption). In this task you must use GPG to perform some common
operations to communicate securely with the course coordinator.
GPG is available for most operating systems. You will need to install it on your computer to
complete this task.

Chapter 1 of the GNU Privacy Handbook provides examples of using most of the commands
needed for this task. Others may be found in the ‘man’ or help page for the command once
Scenario: you want to send a message to the course coordinator.
You will do that by submitting a file on Moodle. But you want the communications to be
secure (you don’t even trust other staff that can also access Moodle submissions). You will
use symmetric key cryptography to encrypt the message. But the problem with symmetric
key cryptography is that a shared secret key must be exchanged somehow. A common
solution is to encrypt the shared secret key using public key cryptography. So in fact you will
send two pieces of information to the course coordinator (although in one file): a message
and the shared secret key. The course coordinator wants to be sure the message they receive
came from you, therefore you will also sign the message. This assumes you know the course
coordinator’s public key, which is available on Moodle.
In the following instructions when you see id in a filename, replace it with your student ID.
For example, if your student ID is s123456, then the message file will be called s123456-
message.txt. Similarly, replace the example names, IDs, emails with yours.

a) Create the message by putting the following inside a text file named id-

Name: <include your name here>
ID: <include your ID here>
Email: <include your email here>
<Write one or more paragraphs that explain which software used
in the assignments is the hardest to use, and why. This is not
assessed but is useful feedback.>

b) Create a shared secret key by generating a 12 byte random value encoded as base64.
Put the 16 character base64 value in a file called id-sharedsecret.txt. Hint: use
gpg to generate the random bytes, and include the --armor option to encode as
c) Generate your own RSA 2048-bit key pair. Include your name and CQU email
address when prompted. For simplicity in this assignment, do not use a passphrase on
your key (if you do, make sure you remember it).
d) Export your public key and save it to a text file called id-publickey.txt. Use the
--armor option to generate a text based public key.
e) Create a detached signature of the message, saving that signature as id-message.sig.
f) Combine the message (id-message.txt) and signature (id-message.sig) into a
single file called using ZIP. Do not include any directories
or other files in the ZIP file – it should contain just two files.
g) Use AES128 to encrypt the zip file. When prompted for a passphrase, use the 16
character shared secret generated earlier. The output file is called id-
h) Use RSA to encrypt the shared secret. The output file is called id-
i) “Send” the two encrypted files to the course coordinator by submitting on Moodle.
Also “publish” your public key by submitting on Moodle.
In your assignment for this question include the list of GPG commands you used in each step
above, and with each command, a short explanation of what it does (including what the
options do). If a step did not use a GPG command, then just explain what you did in that step.
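The nine steps above as one scripted run, written as an added example rather than part of the assignment: it drives gpg from Python against a throwaway keyring and then performs the coordinator's reverse operations to confirm the files decrypt and verify. The student identity, the zip name and the two encrypted output names are assumptions (the page's names are cut off), and the sender's own key stands in for the coordinator's.

```python
import base64, os, shutil, subprocess, tempfile, zipfile

# Constructed identity for this demo; the assignment says to use your own name, ID and CQU email.
ID, UID = "s123456", "Example Student <s123456@cqumail.com>"

def gpg(home, *args):
    """Run gpg non-interactively against a throwaway keyring in `home`; returns stdout."""
    cmd = ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback", "--homedir", home, *args]
    return subprocess.run(cmd, capture_output=True, check=True).stdout

def workflow(workdir):
    """Steps a) to h), then the coordinator's reverse operations, all inside `workdir`."""
    p = lambda name: os.path.join(workdir, name)
    home = p("gnupg"); os.mkdir(home, 0o700)
    # a) the message file
    with open(p(f"{ID}-message.txt"), "w") as f:
        f.write("Name: Example Student\nID: s123456\nEmail: s123456@cqumail.com\nFeedback text.\n")
    # b) 12 random bytes from gpg, base64 "armored" -> exactly 16 characters
    secret = gpg(home, "--armor", "--gen-random", "1", "12").decode().strip()
    with open(p(f"{ID}-sharedsecret.txt"), "w") as f:
        f.write(secret)
    # c) RSA 2048-bit key pair with an empty passphrase (quick-gen-key: user-id, algo, usage, expiry)
    gpg(home, "--passphrase", "", "--quick-gen-key", UID, "rsa2048", "default", "never")
    # d) ASCII-armored public key export
    with open(p(f"{ID}-publickey.txt"), "wb") as f:
        f.write(gpg(home, "--armor", "--export", UID))
    # e) detached signature over the message
    gpg(home, "--output", p(f"{ID}-message.sig"), "--detach-sign", p(f"{ID}-message.txt"))
    # f) zip message + signature only, no directory entries (zip name assumed; the page's is cut off)
    with zipfile.ZipFile(p(f"{ID}-message.zip"), "w") as z:
        for name in (f"{ID}-message.txt", f"{ID}-message.sig"):
            z.write(p(name), arcname=name)
    # g) AES128 symmetric encryption of the zip, passphrase = the shared secret (output name assumed)
    gpg(home, "--cipher-algo", "AES128", "--passphrase", secret,
        "--output", p(f"{ID}-message.zip.gpg"), "--symmetric", p(f"{ID}-message.zip"))
    # h) RSA-encrypt the shared secret to the recipient's public key; the coordinator's key would
    #    be imported first, here our own key stands in for it (output name assumed)
    gpg(home, "--recipient", UID, "--output", p(f"{ID}-sharedsecret.txt.gpg"),
        "--encrypt", p(f"{ID}-sharedsecret.txt"))
    # Coordinator side: the reverse operations the marking scheme describes
    recovered = gpg(home, "--decrypt", p(f"{ID}-sharedsecret.txt.gpg")).decode().strip()
    gpg(home, "--passphrase", recovered, "--output", p("out.zip"), "--decrypt", p(f"{ID}-message.zip.gpg"))
    with zipfile.ZipFile(p("out.zip")) as z:
        z.extractall(p("out"))
    gpg(home, "--verify", p(f"out/{ID}-message.sig"), p(f"out/{ID}-message.txt"))  # non-zero exit = bad
    subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"], check=False)
    return {"secret_chars": len(secret), "secret_bytes": len(base64.b64decode(secret)),
            "round_trip_ok": recovered == secret}

def demo():
    """Run the workflow in a temporary directory; returns None when gpg is not installed."""
    if shutil.which("gpg") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        return workflow(d)
```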
Marking Scheme
Once files are submitted, they will be decrypted/verified using the reverse operations of what
you were expected to do. If your files successfully decrypt/verify, and the obtained plaintext
files are in the correct format, you will receive 7 marks. If the commands are listed and
explained correctly in your assignment submission then you will receive an additional 3
marks. If the explanations are incorrect or do not explain options, then you will be deducted 1
to 3 marks (e.g. receive 7, 8 or 9 out of 10 in total).
If your files do NOT successfully decrypt/verify, then your list and explanation of the
commands will be reviewed to determine what mistakes you made. For each mistake you will
be deducted 3 marks. For example, if you make one mistake but all your other commands and
explanations are correct, then you will receive 7 out of 10. Two mistakes will receive 4 out of
10, and so on. Additional marks may be deducted (up to 3) if your explanations are incorrect
or do not explain options.
Question 2 – Secure Web Browsing with HTTPS [16 marks]
Objective: understand basics of HTTPS protocol operation, format of digital certificates, and
role of different ciphers in Internet communications.
For secure web browsing HTTPS is used. HTTPS is essentially HTTP on top of Secure
Sockets Layer (SSL). However over time SSL has been upgraded to various versions, and
renamed to Transport Layer Security (TLS). TLS1.0 was very similar to SSL3. TLS1.1 saw
significant changes and separation from SSL3. Now TLS1.2 is recommended for use, and
SSL3 and earlier are no longer considered secure. Despite the differences, you will often see SSL
and TLS used interchangeably. In the following we will refer to SSL, but be aware it means
TLS in many cases.
How does SSL work? Your task is to find out. As a starting point, SSL uses a Record protocol
to deliver different SSL messages between client and server. At the start of a SSL connection
a Handshake Protocol is used. After the handshake is finished, encrypted application data is
sent. After the data is sent, an encrypted Alert message may be sent to notify the close of the
SSL connection. One or more HTTP exchanges may be performed in a single SSL
The file a02-assignment-2-question-2-capture.pcap includes packets for several
HTTPS exchanges from a single web browser to a single website.
a) [4 marks] Draw a message sequence diagram that illustrates the SSL packets
belonging to the first TCP connection in the file. Refer to the instructions in
assignment 1 for drawing a message sequence diagram, as well as these additional
- Only draw the SSL packets; do not draw the 3-way handshake, TCP ACKs or
connection close. Hint: identify which packets belong to the first TCP
connection and then filter with “ssl” in Wireshark. Depending on your
Wireshark version, the protocol may show as “TLSv1.2”.
- A single TCP packet may contain one or more SSL messages (in Wireshark
look inside the packet for each “Record Layer” entry to find the SSL message
names). Make sure you draw each SSL message. If a TCP packet contains
multiple SSL messages, then draw multiple arrows, one for each SSL message,
and clearly label each with SSL message name.
- Clearly mark which packets/messages are encrypted.
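The Record Layer walk described in the second bullet, as an added example that is not part of the assignment: a parser over one TCP payload that names each SSL/TLS message (several handshake messages may share one record), reads the cipher suite out of the Server Hello, the field that questions b) ii and iii turn on, and marks everything after Change Cipher Spec as encrypted. The two flights it parses are constructed here, not taken from the capture file.

```python
import struct

CONTENT = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
HANDSHAKE = {1: "Client Hello", 2: "Server Hello", 11: "Certificate", 12: "Server Key Exchange",
             14: "Server Hello Done", 16: "Client Key Exchange", 20: "Finished"}
SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def record(ctype, body):
    """One TLS record: content type (1), version (2; 3,3 = TLS 1.2), length (2), fragment."""
    return bytes([ctype, 3, 3]) + struct.pack("!H", len(body)) + body

def handshake(htype, body):
    """One handshake message: type (1), length (3), body; several may share one record."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def server_hello_suite(body):
    """Cipher suite the server chose: after version (2), random (32), session id (1 + n)."""
    n = body[34]
    return struct.unpack("!H", body[35 + n:37 + n])[0]

def parse_segment(payload, encrypted=False):
    """List the SSL/TLS messages carried in one TCP payload and whether they were encrypted.
    Keep one `encrypted` flag per direction: a side's Change Cipher Spec only switches on
    encryption for the records that side sends afterwards."""
    labels, pos = [], 0
    while pos < len(payload):
        ctype, length = payload[pos], struct.unpack("!H", payload[pos + 3:pos + 5])[0]
        frag, pos = payload[pos + 5:pos + 5 + length], pos + 5 + length
        if len(frag) != length:
            raise ValueError("record continues in the next TCP packet; reassemble first")
        if encrypted:                     # ciphertext: Wireshark shows only the record type
            labels.append(f"{CONTENT.get(ctype, ctype)} (encrypted)")
        elif ctype == 22:                 # plaintext handshake: walk every message inside
            i = 0
            while i < len(frag):
                htype, hlen = frag[i], int.from_bytes(frag[i + 1:i + 4], "big")
                name = HANDSHAKE.get(htype, f"Handshake type {htype}")
                if htype == 2:
                    suite = server_hello_suite(frag[i + 4:i + 4 + hlen])
                    name += f" [{SUITES.get(suite, hex(suite))}]"
                labels.append(name)
                i += 4 + hlen
        else:
            labels.append(CONTENT.get(ctype, str(ctype)))
            encrypted = encrypted or ctype == 20
    return labels, encrypted

# Constructed flights (not taken from the assignment's capture); message bodies are dummies.
SERVER_HELLO = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
SERVER_FLIGHT = (record(22, handshake(2, SERVER_HELLO) + handshake(11, b"\x00" * 12))
                 + record(22, handshake(14, b"")))
CLIENT_FLIGHT = (record(22, handshake(16, b"\x00" * 33)) + record(20, b"\x01")
                 + record(22, b"\xaa" * 40))         # Finished: already encrypted
```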

b) [5 marks] Considering the first TCP connection only, answer the following questions.
You must explain the reason for your answer by referring to specific parts of the
capture. For example, “The answer is X as field Y in packet number Z shows that …”.
i. What is the domain of the website that the web browser visited?
ii. What symmetric key cipher was used for encrypting the data?
iii. What public key cipher was used for exchanging a secret?
iv. What cipher and what hash algorithm are used in signing the web servers
v. How many HTTP requests do you think were exchanged in the first SSL
connection? Why?

c) [3 marks] The user of the web browser typed in a URL containing some domain
(answer in question (b) i.). Explain how the web browser knows it is communicating
with the server of that domain (and it is not a server pretending to be for that domain).
Refer to the specific messages/fields in the capture and the names of the

d) [2 marks] If you were using your browser to visit the same webpages as in the capture
(assuming it is a real website and you have access to it), do you think your web
browser would present any warnings or errors? Explain your answer.

e) [2 marks] In the second and third TCP connections in the capture, the web browser is
continuing to access webpages on the same website, but notice the SSL connection
handshake has fewer SSL messages than the first TCP/SSL connection. Explain the
tradeoffs of doing this (i.e. the advantage and disadvantage of the shortened
subsequent handshakes) and how it is achieved (refer to fields in the captured

Marking Scheme
a) The diagram must have all packets clearly labelled to obtain full marks. Missed
messages, incorrect messages or unclear diagram will result in loss of marks.
b) 1 mark for each sub-question that has correct answer and reasoning with reference to
captured packets.
c) Full marks if the method is clearly described with references to fields and messages in
the capture. Minor misunderstandings will receive 2 marks. Poor description and/or
incorrect method will receive 0 or 1 mark.
d) Description and explanation must demonstrate good understanding of issue to receive
full marks.
e) Full marks if at least one advantage, at least one disadvantage, and explanation of how
the shortened handshake is achieved is correct.
Question 3 – Securing a Small Network [9 marks]
Objective: be aware of security features available in WiFi networks, how to deal with threats,
as well as password management.
Scenario: After graduation, you and 10 of your classmates have formed a startup to
commercialise an idea based on your expertise gained from your degree. You have rented a
large house where everyone will work together, trying to rapidly turn the idea into a proof-of-
concept and eventually marketable product. You are confident in your idea and plan, and
expect if you can quickly get to market, your product will be worth millions of dollars, and
may result in a buyout from the likes of Google, Facebook, etc.
You expect to have 10 to 15 others work with you, either temporarily or full-time, over the
next few months. The house you are using as an office will also have regular visitors: friends
and family, advisors, potential clients and funders, … .
Your network contains several servers and desktops, but primarily everyone works with their
own laptop, tablet and phone (they are personal devices of many different types and using
different operating systems), and use cloud computing for many non-critical services (email,
messaging, non-confidential file storage). The key Intellectual Property is in the form of files
(e.g. designs, code, graphics) and is stored on internal servers. The house has two Internet
connections: NBN as well as an ADSL2 line. Although there is a wired Ethernet network
connecting the desktops and servers, most users will use WiFi.
Despite your big plans, you have little income, and cannot afford people dedicated to network
administration. Therefore you have been assigned the initial task of setting up the WiFi
network, as well as producing a set of recommendations for securing the network. You
already have 6 consumer-grade Wi-Fi routers (e.g. TP-Link Archer C series) installed across
the house. They provide coverage for most of the area, but there are some dead-zones outside
and in some rooms. You don’t have the budget or time to deploy dedicated authentication
servers: you want to setup the Wi-Fi routers, and then spend little or no time administering
them over the coming months.
Consider the security of the Wi-Fi network. You want to set it up so startup members can use
the network, but also provide access to visitors and temporary workers. Although you are a
small, new startup, your Intellectual Property is potentially very valuable, so different attacks
on your network are likely.
a) [3 marks] Explain what technologies/settings you will use in securing the WiFi
network. Refer to specific technologies/settings and explain why you would use
them. For example, “On every WiFi router enable feature X. The reason for doing
this is …”. As an example of the features available on WiFi routers, see the emulation
website for TP-Link devices:

Despite the members of the startup having little time to worry about network security, they all
realise that with the value of their Intellectual Property, network security is important.
Therefore they will listen to and follow any recommendations you make in using the internal
b) [3 marks] Provide a list of recommendations for the startup members in using the
internal network. The recommendations are things the users should or should not do
to ensure the internal network is secure. For each recommendation give a concise
description, explain the reason for the recommendation, and explain any potential
disadvantages or weaknesses of following the recommendation. For example,
“Recommendation 1: Never do X. The reason is because of Y. The drawback of this is
that you won’t be able to do Z.” (This is just a short example; the recommendations
may be longer, more detailed).

Now consider the external networks, and especially how the startup members use many
different cloud services (e.g. Google Docs, Facebook, Twitter, Slack, AWS, …). Each
member may have accounts on many different services, and may want to login to those
accounts from their own devices (laptop, tablet and phone), as well as other devices (e.g.
shared desktops, temporarily using someone else’s laptop).
c) [3 marks] Provide a list of recommendations for the startup members in managing
(including creating) their passwords and authentication information. For each
recommendation give a concise description, explain the reason for the
recommendation, and explain any potential disadvantages or weaknesses of
following the recommendation.

Marking Scheme
For sub-questions a), b) and c) marks will be allocated based on the completeness, accuracy
and clarity of your answer.
- An answer is considered complete if you have listed the main possible answers
(technologies, settings, recommendations). You do not have to list all possible
answers to be considered complete, but should have most of the relevant answers.
There is no fixed number of technologies, settings or recommendations to be
considered complete.
- An answer is considered accurate if it is correct and/or appropriate. The
explanation/reasoning you provide in your answer is an important part of convincing
the marker it is correct/appropriate.
- An answer is considered clear if it can be easily read and understood by a marker with
similar knowledge to other good students. The explanations are detailed and use
terminology appropriate for the course.

Overall, the answers must demonstrate a good understanding of the important issues that arise
from the question.
Question 4 – Intrusion Detection with Snort [9 marks]
Objective: gain experience with using Snort and with identifying/analysing packet traces
You are the administrator for a network that has users exchanging files using various
approved server applications (HTTP and SSH). You have discovered that image editing
software used in the organisation has a bug such that JPEG image files may trigger malicious
behaviour when opened. As one method to minimise the impact of the bug, you have
configured the servers to monitor any JPEG files transferred. However you believe some
users are exchanging images using other, unapproved, applications. Therefore your task is to
identify in real-time which and when users are exchanging JPEG files using unapproved
applications. You will use Snort to alert you of such exchanges.
Your task: write Snort rules that alert you of the start of an exchange of a JPEG file that does
not involve HTTP or SSH. The rules should be clearly commented. The file a02-
assignment-2-question-4-capture.pcap is a trace of the packets exchanged in the
network. Use it as an input to Snort to complete this task.
Requirements and Hints:
- The computers and ports of the approved HTTP and SSH servers may vary.
Therefore, as they may change over time, you CANNOT use IP addresses or port
numbers to alert you to an unapproved exchange.
- Other file formats exchanged using unapproved applications (non-HTTP, non-SSH)
are not of interest to you. You only want to be alerted about JPEG files.
- The file a02-assignment-2-question-4-capture.pcap was obtained on a non-standard
system that resulted in some erroneous packet checksums. Therefore you
MUST use the “-k none” option with Snort to disable all checksum checks.
- Print the following message when an unapproved JPEG exchange is initiated:
Exchange of JPEG file using unapproved application

- As a hint, there are 5 unapproved JPEG exchanges.
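The detection logic the task asks for, as an added example that is not part of the assignment: a content check in the spirit of a Snort `content` + `depth` match on the JPEG Start Of Image marker, applied per packet without reference to addresses or ports, and raised once per flow so the alert marks the start of an exchange. The packets are constructed here, not taken from the capture file, and the Snort rule quoted in the comment is one assumed form, not the page's.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")
JPEG_SOI = b"\xff\xd8\xff"   # every JPEG file starts with the Start Of Image marker
MSG = "Exchange of JPEG file using unapproved application"
# Snort rule this mirrors (assumed form, not the page's):
#   alert tcp any any -> any any (msg:"Exchange of JPEG file using unapproved application";
#                                 content:"|FF D8 FF|"; depth:3; sid:1000001; rev:1;)

def is_jpeg_start(payload, depth=3):
    """content + depth semantics: the marker must lie within the first `depth` payload bytes.
    A JPEG body that follows HTTP headers in the same packet therefore does not match, and
    SSH payload is ciphertext, so neither approved protocol trips the check."""
    return payload.find(JPEG_SOI, 0, depth) != -1

def scan(packets):
    """One alert per flow, on the packet that starts the JPEG transfer. Addresses and ports
    are recorded for the report but never used as a match condition."""
    alerts, seen = [], set()
    for number, p in enumerate(packets, 1):
        flow = (p.src, p.sport, p.dst, p.dport)
        if is_jpeg_start(p.payload) and flow not in seen:
            seen.add(flow)
            alerts.append((number, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", MSG))
    return alerts

# Constructed packets (not the assignment's capture): one HTTP, one SSH, two unapproved transfers.
SAMPLE = [
    Packet("10.0.0.5", 40001, "10.0.0.9", 80, b"GET /a.jpg HTTP/1.1\r\nHost: srv\r\n\r\n"),
    Packet("10.0.0.9", 80, "10.0.0.5", 40001,
           b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + JPEG_SOI + b"\xe0\x00\x10JFIF"),
    Packet("10.0.0.5", 40002, "10.0.0.9", 22, b"SSH-2.0-OpenSSH_7.2\r\n"),
    Packet("10.0.0.5", 40003, "10.0.0.7", 4444, JPEG_SOI + b"\xe0\x00\x10JFIF\x00"),
    Packet("10.0.0.5", 40003, "10.0.0.7", 4444, b"\x01\x01\x00\x00\x01..."),   # same flow, no new alert
    Packet("10.0.0.7", 5555, "10.0.0.5", 40004, JPEG_SOI + b"\xe1\x00\x16Exif"),
]
```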
Answer the following sub-questions:
a) [5 marks] Submit your Snort rules as a single file called id-snort.conf (replace id
with your student ID). Make sure the rules are clearly explained via the comments in
the file. Your file will be tested with the following Snort command:
snort -k none -c id-snort.conf -r a02-assignment-2-question-4-capture.pcap

The alert file produced should contain 5 messages, and the log file produced should
contain 5 packets.

b) [2 marks] Explain one method that a malicious user could use to avoid detection by
your rules.
c) [2 marks] For the 5 alerts, find the actual JPEG images that were exchanged. Hint:
you don’t have to use Snort to get this answer. You may use Wireshark or other
software, however the answer must come only from the capture file provided. For
your answer, include the 5 images in your assignment report (do NOT submit the
JPEG files on Moodle; just embed them in your report) and explain how you obtained

Marking Scheme
a) To obtain 5 marks your Snort rules must return the correct 5 packets using correct
conditions (e.g. not using IP addresses, but using conditions that would work for other
traces) and have comments that explain the rules. No or poor comments, but correct
rules, will result in a score of 2 to 4 marks. Incorrect rules (using the wrong
conditions, not matching the correct packets) will result in a score of 0 to 3.
b) The method must be realistic within the context of the scenario and well explained to
obtain 2 marks.
c) If all 5 images are included in the report and the method is appropriate you will obtain
2 marks. Including the images with no or poor explanation will result in 0 or 1 mark
(depending on part a) answer).
Question 5 – Firewall Rules [6 marks]
Objective: understand firewall rules and the importance of consistency and ordering.
Consider a firewall configured with the following rules:
Rule  Transport  Source  Source  Destination     Destination  Action
No.   Protocol   IP      Port    IP              Port
1     UDP                any                     53           allow
2     TCP                any     129.174.17/180  22           allow
3     TCP                4500    129.174.17/180  22           deny
4     TCP                443     129.174.17/180  6000         allow
5     TCP                any     129.174.17/180  6000         deny
6     UDP                any     129.174.17/180  32768        deny
7     TCP                any     129.174.17/180  32769        deny
8     TCP                any     129.174.17/180  32768        deny
9     TCP                any     129.174.17/180  80           allow
10    UDP                1025                    65535        allow
11    UDP                1025                    65535        allow
12    UDP                1025                    65535        allow
13    any                any                     any          allow
14    TCP                any                     any          deny
15    UDP                any                     any          deny
16    TCP                any                     6000:6010    deny
17    TCP                any                     0:1024       deny
18    any                any                     any          deny

a) [3 marks] Describe the meaning of a rule conflict. Identify all conflicting rules in the
above table.

b) [3 marks] Identify any redundancies in the table, and for each, explain which rule
would be applied if using each of the following 3 matching strategies: first, best, last.
For example, if you identify a redundancy, then state which rule would be applied if
first matching was used, then state which rule would be applied if best matching was
used, and then for last matching. Repeat for other redundancies.
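Rule matching and the two notions the question turns on, as an added example that is not part of the assignment: a small engine over rules 2, 3, 10, 11, 13 and 14 of the table that decides a packet under first, best and last matching, lists conflicting pairs (overlapping match sets with different actions) and redundant pairs (same action, one rule's match set inside the other's). Two assumptions: blank cells are read as "any", and IP fields are compared as plain strings rather than as prefixes.

```python
from dataclasses import dataclass
ANY = "any"
FIELDS = [("proto", False), ("src_ip", False), ("src_port", True), ("dst_ip", False), ("dst_port", True)]
@dataclass(frozen=True)
class Rule:
    no: int; proto: str; src_ip: str; src_port: str; dst_ip: str; dst_port: str; action: str

def port_range(p):
    """'any' -> 0..65535, '6000:6010' -> 6000..6010, '22' -> 22..22."""
    lo, _, hi = ("0:65535" if p == ANY else p).partition(":")
    return int(lo), int(hi or lo)

def contains(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    for f, is_port in FIELDS:
        o, i = getattr(outer, f), getattr(inner, f)
        if o == ANY:
            continue
        if is_port:
            (a, b), (c, d) = port_range(o), port_range(i)
            if c < a or d > b:
                return False
        elif o != i:  # IP fields are compared as opaque strings, no CIDR arithmetic
            return False
    return True

def overlaps(x, y):
    """True when at least one packet matches both rules."""
    for f, is_port in FIELDS:
        a, b = getattr(x, f), getattr(y, f)
        if is_port:
            (lo1, hi1), (lo2, hi2) = port_range(a), port_range(b)
            if lo1 > hi2 or lo2 > hi1:
                return False
        elif ANY not in (a, b) and a != b:
            return False
    return True

def conflicts(rules):  # overlapping match sets, different actions: the strategy decides the outcome
    return [(a.no, b.no) for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.action != b.action and overlaps(a, b)]

def redundancies(rules):  # same action and one rule's match set contains the other's
    return [(a.no, b.no) for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.action == b.action and (contains(a, b) or contains(b, a))]

def decide(rules, pkt, strategy):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port). 'first'/'last' follow rule order;
    'best' picks the most specific match (most non-any fields), earliest on a tie."""
    hits = [r for r in rules if contains(r, Rule(0, *pkt, "?"))]
    if not hits:
        return None
    if strategy == "best":
        return max(hits, key=lambda r: sum(getattr(r, f) != ANY for f, _ in FIELDS))
    return hits[0] if strategy == "first" else hits[-1]

# Rules 2, 3, 10, 11, 13 and 14 from the table; blank cells are read as "any" (an assumption).
RULES = [Rule(2, "TCP", ANY, ANY, "129.174.17/180", "22", "allow"),
         Rule(3, "TCP", ANY, "4500", "129.174.17/180", "22", "deny"),
         Rule(10, "UDP", ANY, "1025", ANY, "65535", "allow"), Rule(11, "UDP", ANY, "1025", ANY, "65535", "allow"),
         Rule(13, ANY, ANY, ANY, ANY, ANY, "allow"), Rule(14, "TCP", ANY, ANY, ANY, ANY, "deny")]
```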
Marking Scheme
Both sub-questions require you to identify all possible correct answers (i.e. all conflicts, all
redundancies), and in b) give appropriate explanations to obtain full marks. Missing correct
answers and/or poor explanations will see marks deducted.