COMPUTER STUDIES INTERNET & INTRANET SECURITY

University Degree Mathematical and Computer Sciences

ly those are authorized to access resources. (3)

reasonable level of assurance to it users only those are authori

NCC INTERNATIONAL ADVANCED DIPLOMA

COMPUTER STUDIES

INTERNET & INTRANET SECURITY

DECEMBER 2003 EXAM CYCLE

CANDIDATES SHOULD ATTEMPT FOUR QUESTIONS ONLY

Date : 23rd November, 2003

Time Allowed: 3 Hours

MARKING SCHEME

Please attempt any four from question 1 to 6

Clearly cross out surplus answers

ANSWER ANY FOUR QUESTIONS ONLY

QUESTION 1 (25 points)

As a security manager, you need to implement security measures to detect intrusions from LAN. You boss need some understanding of IDS before approving your solution.

a) How many types of IDS are available? Name them all and describe each (8 marks)

Ans: -Host Based IDS (HIDS) – Similar to NIDS but only analyzes network traffic to and from a single machine (1.6)

- Network IDS (NIDS) - Analyzes packets on a network and tries to determine if a hacker is trying to break into a system. An NIDS typically runs on a hub or a router, analyzing all traffic flowing through the device (1.6)

- System Integrity Verifier (SIV) – keeps track of critical system files and notifies an administrator when they are altered. (1.6)

- Log file Monitor (LFM) – Scan through logs generated by network services looking for attacks

Patterns. (1.6)

- Honeypot – A deception system that has false services to attract hacker attention. (1.6)

b) What are the limitations of host based IDS (HIDS)? (8 marks)

Ans: - Traffic overloading can easily crash a HIDS since it is usually installed and running on a platform such as a software OS, (2)

- HIDS cannot examine encrypted network traffic passing through. (2)

- It is specific to types of systems and makes them impractical for many environments. If the server is running multiple services such as DNS, file sharing, SMTP and so on, the host based IDS system might not be able to detect intrusions. (2)

- It runs as a background process and do not have access to the core communication functionality of the system. If an attacker fins a way to the access the OS somehow, IDS could be disabled. (2)

OR SIMILAR (4 items with description needed)

Please describe SYN attack. (5 marks)

Ans: A SYN attack exploits the use of a small buffer space during the TCP three hand shake in order to prevent a server from accepting inbound TCP connection. When a server receives the first SYN=1 packet, it stores this connection request in a small “in-process: queue. Since sessions tend to be established quickly, this queue is small and can store only small number of connection requests. This method is taken for optimizing memory. (2.5)

A SYN attack floods this smaller queue with connection requests. When the target system replies, the attacking system does not respond and leaves the connection request in the smaller queue for time expiration. By filling up this queue with bogus requests, the target system can no longer to accept legitimate requests. A form of Denial of Service. (2,5)

What are the ways to minimize the SYN attack? (4 marks)

Ans: Increase the size of the in process queue which can provide additional space so that additional connection requests can be queued. (2) OR Decrease the amount of time before stale entries are purged from the in process queue. It can prevent busy systems connected by a slow network link from being refused a connection. (2)

QUESTION 2 (25 points)

a) In encryption, what are symmetric and asymmetric keys? How they differ? (6 marks)

Ans: Symmetric key uses the same key to encrypt and decrypt data. However, they are easy to be captured during key exchange between two networked hosts. If any one key is lost to an attacker, the traffic content can be compromised. The major advantage is the comparatively high speed for encryption and decryption of data between (3)

Asymmetric key uses two mathematically different keys to encrypt (Private) and decrypt (Public). During a key exchange, it is harder to capture content of keys and reuse it for decryption since private key will not be exchanged (3)

OR Similar

In PKI, ...

This is a preview of the whole essay

OR Similar

In PKI, what are Public Key and Private or crypto keys? In what situation, it advances over other such as SSH (8 marks)

Ans: In Public-Private Key Infrastructure (PKI), Private key mathematically derives a additional key called public key (2), once a key pair is generated by its owner. However, information cannot be encrypted by public key but by private key. (1.5) The private key is an encryption key for the owner to encrypt data on his/her communication device. He can then distribute his public or a mathematically related key to his intended recipient. (1.5) It can be distributed through some transport mechanism such as floppy. The recipient can use the sender’s public to decrypt data. (2-23 to -24) The major advantage over SSH is that PKI does not require a real time channel be created before data exchange. A file or email can be encrypted in advance by the private key and be sent over unsecured media. (3)

OR SIMILAR in PKI concept.

c) How firewalls differ from proxy? When they are used? (6 marks)

Ans: In a network situation, a proxy divides the network connection between a server and client devices. Proxy receives request from an internal client and forward the request to another host such as a server on behalf of the client by providing its proxy external network address. (1.5)

On the other hand, a firewall also divides traffic between a server and client to examine packets passing through its external and internal interfaces for possible attacks. Firewalls can also create policies or rules to govern what kind of packet types can pass. (1.5)

Proxy can reduce traffic on WAN by caching requested content while reducing the risks of exposing its clients network addresses in order to minimize the attacks. (1.5)

Firewall can be implemented to control unwanted traffic to flow between. It is usually used in a defensive situation on network (1.5)

d) Please describe each item in a short sentence (5 Marks)

i) ICMP - Internet Control Message Protocol provides flow control and route determination in IP protocol. (1)

ii) DNS - Domain Naming Service provide name resolution between a descriptive name (host name) to IP address. E.g. www.abc.com <-> 172.1.1.1 (1)

iii) Port number - A number is used for identifying a network service (1)

vi) ACK flag - In three way handshake communication, a host receives a request and confirms reception to source system by issuing an acknowledgment (ACK flag) (1)

v) UDP - User Datagram Protocol is a transport and connectionless oriented protocol (1)

QUESTION 3 (25 points)

a) Consider the following CGI script,

#!perl

Print “Content-type:text/html\n\n”;

Print<<EndOfHTML;

<html><head><title>Print Environment</title></head>

<body>

……

Why is it lethal to a web server if it is not secured properly? What is a possible solution to correct the problem on the web server? (6)

Ans: In CGI, it can receive form query from the Web client and interact with the backend Webserver. (1) Without the use of the tainting parameter “T” in the script, (2) this PERL script can display configuration parameters from the web server such as OS type, patch level, etc. to an attacker. (2) An attacker knows from such information to acquire appropriate tools to attack the target Web Server and/or its OS platform.

One way to secure it is to disable execute scripts command, set appropriate file/folder level permissions, apply security patch if available (1) OR similar

b) In lab exercise, we have intruded a simulated On-line banking system and viewed the communication sessions. A hacking tool is used for hacking the session during the transaction.

What type of attack is it? How it works? (5)

Ans: Man in the middle (2). A proxy agent captures the traffics from both web server and client. When a client replies with a password on the corresponding bank account, the password is shown in clear text. A hacker then can use the legitimate credential for logging into the bank account. (3)

How can we make the session more secure? List three names. (5)

Ans: Possible solutions including encrypting credentials, Secure Socket Layer, Certificate mapping, PKI, etc. (1.3 each)

How can RAID 0, 1 and 5 on a server provide fault tolerance in hardware emergency? (9)

Ans: Also redundant array of inexpensive disks provides fault tolerance against hard disk crashes.

There are many levels: RAID 0 to 5. (2)

With level 0, it is strictly for performance gains and provides no fault tolerance. RAID 0 stripes the data across multiple hard disks. (2)

RAID 1 maintains a full copy of all files information on every disk and thus is sometimes referred to as disk mirroring. Should a disk fail; each of the remaining disks has a full copy of the entire file system. (2)

RAID 5 has data and ECC storage capability. This arrangement helps to improve speed over RAID 0 with fault tolerance feature. Yet it also suffers from bottlenecks on the parity drive. Compared with RAID 1, it increases disk space in all disk storage minus one disk. (3)

QUESTION 4 (25 points)

How does Kerberos work in authenticating user? (5)

Ans: Kerberos is an authentication method which can be used for single sign-on mechanism and allows mutual authentication and encrypted communication between user and services. (2)

User authenticates to the local OS. A local agent sends an authentication request to the Kerberos server. (1)
The server responds by sending the encrypted credentials for the user attempting to authenticate to the system and local agent then tries to decrypt the credentials using the user supplied password. (1)
If succeed with the password, the user is validated and given authentication ticket for access other Kerberos authenticated services (1)

OR Similar

Given a netmask (subnet mask) 255.255.224.0, please determine if both the IP addresses, 172.16.65.148 and 172.16.97.221, reside on the same sub network? Please show your calculations and justify your answer. (6)

Ans:

The above items, combination receives (1.5), SN receives (1.5) and From and End IP receives (1.5), result in total (6)

The answer is NO (1.5). They are not in the same sub network as shown. IP with 148 as ending is in 64 SN and 221 is in 96 SN. (See bold figures)

Covert bd (hex) to binary digits. Show your work for full marks! (5)

Ans: = (11 x 16^1) + (13 x 16^0) = 176 + 13 = 189 (decimal) (3)

From decimal

= 189 -128 – 32 – 16 – 8 -4 -1 = 0 so, we have 10111101 (2)

Given a packet captured from a sniffer, please answer the following: (9)

4500 002f cc2f 4000 ff06 eeb9 ac1c 0ac1

0a00 0002 0007 0443 1aae 67db 001c 8119

5018 2238 76c6 0000 6865 6c6c 6f0d 0a

What is the IP data?

Ans: 4500 002f cc2f 4000 ff06 eeb9 ac1c 0ac1 (3)

0a00 0002

What is the TCP data ?

Ans: 0007 0443 1aae 67db 001c 8119 (3)

5018 2238 76c6 0000

What is the application data?

Ans: 6865 6c6c 6f0d 0a (3)

QUESTION 5 (25 points)

Write notes for the following terms:

Worms

Ans: A worm is an application which could replicate itself via a permanent or dial-up network connection. Unlike a virus, it seeds itself within the computer’s hard disk or file system, a worm is a self supporting program. A typical worm maintains only a functional copy of itself in active memory. It does not even write it self to disk OR similar (3)

IP Security (IPSEC)

Ans: A set of protocols developed by IETF to support the encryption and authentication of data at the IP layer of the OSI model. It is a key technology in VPN usage. It has many protocol such as AH, ESP, IPcomp and IKE. IPSEC can be used in two modes, transport – encrypting communication between two hosts and tunnel – encapsulating traffic packet into another IP packet as used in VPN

OR similar (3)

Hardware Firewalls

Ans: Also known as appliance firewalls, they are intended be used without much setup and configuration works before providing firewall services. OR similar (3)

Software Bugs

Ans: When an application or system consists of many lines of codes, there may be some logical errors expected to find. Some bugs can impose security impacts and are required to fix by “patching”, a rewrite of subset of program to correct the codes. OR similar (3)

Authentication

Ans: The act of proving you are who you say you are. There are a number of methods to prove. One example is by providing password and username in dialog box by computer. OR similar (3)

Strong/complex Password (3)

Ans: A password combination has at least eight characters and numbers. It can increase the complexity to an attacker to conduct brut force attack.

UPS (3)

Ans: It is Also called “Uninterruptible Power Supply” and a backup battery for computer equipment.

IP Spoofing (4)

Ans: A widely used method is used by an attacker. An attacker uses a “fake” IP such as pretended internal IP to conceal their identity. (3) It can pass through a firewall if it scans policies based on IP only. (1)

QUESTION 6 (25 points)

Please explain the requirements for a secure network (9 marks)

Ans: Privacy – it should offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

cy – it should offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

– it should offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

it should offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

t should offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

should offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

hould offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

ould offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

uld offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

ld offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

d offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

offer a reasonable level of assurance to it users only those are authorized to access resources. (3)

ffer a reasonable level of assurance to it users only those are authorized to access resources. (3)

fer a reasonable level of assurance to it users only those are authorized to access resources. (3)

er a reasonable level of assurance to it users only those are authorized to access resources. (3)

r a reasonable level of assurance to it users only those are authorized to access resources. (3)

a reasonable level of assurance to it users only those are authorized to access resources. (3)

a reasonable l

nable level of assurance to it users only those are authorized to access resources. (3)

sonable level of assurance to it users only those are authorized to access resources

COMPUTER STUDIES INTERNET & INTRANET SECURITY

This is a preview of the whole essay

Document Details

Related Essays

Internet & Intranet Security

NCC International Advanced Diploma in Computer Studies

Internet security is one of the important factors that have to be known in...

Security Policies And Procedures