Review Final Exam
12/10/2015 Thursday 5:30~6:30pm, Science S-3-028
IT443 Network Security Administration
Instructor: Bo Sheng
- True/false
- Multiple choices
- Descriptive questions

Network Layers
- Application layer
- Transport layer
- IP layer
- Data link layer
- TCP, UDP, IP, SSH, HTTP
- IP address, MAC address, TCP address? Port number
- Headers: [Ethernet header [IP header [TCP header [Payload]]]]

TCP / UDP
- TCP is reliable: acknowledgement, retransmission, discard duplicates
- TCP 3-way handshake; SYN, ACK, FIN

IP layer
- Routing (different paths)
- IP prefix, e.g., 12.34.158.0/24
- Classful addressing (Class A, B, C)
- Classless Inter-Domain Routing (CIDR)
- Private networks: 10.0.0.0/8 (255.0.0.0), 172.16.0.0/12 (255.240.0.0), 192.168.0.0/16 (255.255.0.0)

DNS
- Hierarchical name space
- Local DNS server / caching
- dig / dig -x

Data link layer
- MAC address
- ARP messages / ARP table
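The header nesting, the TCP flags and the private-network prefixes above are easier to see on real bytes. The following is an added example, not part of the slides: it builds a constructed Ethernet/IPv4/TCP frame (checksums left zero, addresses made up), peels the headers back in order so that each layer's "destination" field is visible, and checks addresses against the three RFC 1918 prefixes from the slide.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x10: "ACK"}

# Private ranges exactly as listed on the slide.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, flags, payload):
    """Constructed sample frame: Ethernet + IPv4 (no options) + TCP (no options) + payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Peel the headers in order: Ethernet (MACs) -> IP (addresses) -> TCP (ports) -> payload."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if proto != PROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp_start = 14 + (ver_ihl & 0x0F) * 4          # IHL counts 32-bit words
    (src_port, dst_port, seq, ack, offset, flags,
     _win, _csum2, _urg) = struct.unpack("!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    data_start = tcp_start + (offset >> 4) * 4      # data offset also in 32-bit words
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {
        "dst_mac": fmt_mac(dst_mac), "src_mac": fmt_mac(src_mac),          # link layer
        "dst_ip": str(ipaddress.IPv4Address(dst_ip)),                      # IP layer
        "src_ip": str(ipaddress.IPv4Address(src_ip)), "ttl": ttl,
        "dst_port": dst_port, "src_port": src_port, "seq": seq, "ack": ack,  # transport
        "flags": [name for bit, name in TCP_FLAG_NAMES.items() if flags & bit],
        "payload": frame[data_start:14 + total_len],                       # application
    }


def is_rfc1918(ip):
    """True when the address falls in one of the private networks from the slide."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def prefix_to_netmask(prefix_len):
    """CIDR prefix length -> dotted netmask, e.g. 12 -> 255.240.0.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def handshake_flags(client_ip, server_ip, client_port, server_port):
    """Flag sets seen in the three handshake frames (constructed, MACs made up)."""
    c_mac, s_mac = "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = [
        build_frame(c_mac, s_mac, client_ip, server_ip, client_port, server_port, 0x02, b""),
        build_frame(s_mac, c_mac, server_ip, client_ip, server_port, client_port, 0x12, b""),
        build_frame(c_mac, s_mac, client_ip, server_ip, client_port, server_port, 0x10, b""),
    ]
    return [parse_frame(f)["flags"] for f in frames]
```

Note that every layer carries its own destination field (MAC, IP address, port), and that `is_rfc1918` tests the 172.16.0.0/12 boundary correctly only because it uses the /12 prefix rather than a /16 guess.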
Sample questions
- True/false: 192.168.x.x is not globally accessible.
- Multiple choice: Which of the following headers may not contain the destination's information?
  A. TCP header
  B. IP header
  C. Ethernet header
  D. All of the above
- Descriptive: Compare TCP and UDP, and briefly describe their differences.

Encryption/Decryption
- Plaintext, ciphertext, key
- Secret key / symmetric key crypto
- Public key / asymmetric key crypto
- Hash function

Secret key crypto
- Stream cipher (XOR)
- Block cipher (with padding)
- File size

Public key crypto
- Public/private key pair
- Encryption/decryption (different keys)
- Sign/verify (digital signature)
- Much slower than secret key operations

Hash function
- One-way transformation
- Collision resistance
- Applications: message digest/checksum, file integrity, password

Sample questions
- True/false: In secret key encryption, the encrypted file's size may be smaller than the original file's.
- Multiple choice: Which of the following gives the desired properties of hash functions?
  a. One-way property, that is, it's easy to reverse the hash computation, but computationally infeasible to compute the hash function itself.
  b. Collision free, that is, it's computationally infeasible to find two messages that have the same hash value.
  c. Only authorized parties can perform hash functions.
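The "file size" bullet and the hash-function applications are concrete enough to run. The following is an added example, not part of the slides: an XOR stream cipher core, PKCS#7 padding as a block cipher would apply it (so the effect on ciphertext length is visible), a SHA-256 digest for file integrity, and a salted, iterated password hash with constant-time verification. The block size of 16, the iteration count and the sample inputs are assumptions for the example.

```python
import os
import hmac
import hashlib

BLOCK_SIZE = 16          # bytes; the block size of AES, assumed here
PBKDF2_ROUNDS = 100_000  # iteration count; an assumption, tune for your hardware


def xor_stream(keystream, data):
    """Stream cipher core: XOR each byte with the keystream; the same call decrypts."""
    if len(keystream) < len(data):
        raise ValueError("keystream too short for the data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def pkcs7_pad(data, block_size=BLOCK_SIZE):
    """Pad to a whole number of blocks; always adds between 1 and block_size bytes."""
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def pkcs7_unpad(padded, block_size=BLOCK_SIZE):
    """Strip PKCS#7 padding, rejecting anything that is not well formed."""
    if not padded or len(padded) % block_size:
        raise ValueError("invalid padded length")
    n = padded[-1]
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]


def block_cipher_size(plaintext_len, block_size=BLOCK_SIZE):
    """Ciphertext length a padded block cipher produces for a plaintext of this length."""
    return (plaintext_len // block_size + 1) * block_size


def sha256_hex(data):
    """Message digest / checksum used for file integrity checks."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted, iterated hash for storage; a random per-user salt defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def verify_password(password, salt, digest, rounds=PBKDF2_ROUNDS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)
```

With the stream cipher the ciphertext is exactly as long as the plaintext; with padding, a 16-byte plaintext becomes 32 bytes because a full block of padding is always added. The same password hashed under two different salts gives two different digests, which is the point of salting.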
Authentication
- What's authentication?
- User authentication: allow a user to prove his/her identity to another entity (e.g., a system, a device).
- Message authentication: verify that a message has not been altered without proper authorization.

Threat
- Eavesdropping
- Password guessing
- Server database reading (compromised)

Challenge/response
- Secret key: "I'm a", challenge R, H(K -, R)
- Public key: "I'm", R, Sig{R}

Key Distribution Center
- If node A wants to communicate with node B:
  - A sends a request to the KDC
  - The KDC securely sends to A: E_KA(R_AB) and E_KB(R_AB, A)

Certificate
- How do you know the public key of a node?
- Certification Authorities (CA)
- Everybody needs to know the CA public key
- The CA generates certificates: Signed(A, public-key, validity information)
- Example: [ 's public key is 876234] carol; [Carol's public key is 676554] Ted; [ 's public key is 876234] carol

Password guessing
- Online vs. offline
- Dictionary attack
- Password salt

Sample question
- Assume two parties share a secret K -. What is the security flaw when they use the following protocol for one party to authenticate? "I'm, H(K -)"
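The secret-key challenge/response exchange on the slide, written out with both sides' messages, as an added example that is not part of the slides. H(K, R) is realised here as HMAC-SHA256 over the challenge (an assumption; the slide does not fix the hash construction), the user name and key are constructed, and the verifier accepts a response only for the one outstanding challenge it issued, so a captured response is useless against any later challenge.

```python
import os
import hmac
import hashlib


def keyed_response(key, challenge):
    """H(K, R): the prover's answer, HMAC-SHA256 keyed with the shared secret (assumed construction)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Verifier side: knows each user's shared secret K and remembers the challenge it sent."""

    def __init__(self, shared_keys):
        self.shared_keys = dict(shared_keys)   # user -> secret shared with that user
        self.pending = {}                       # user -> challenge awaiting an answer

    def challenge(self, user):
        """Message 2: reply to 'I'm <user>' with a fresh random R."""
        if user not in self.shared_keys:
            raise KeyError("unknown user")
        r = os.urandom(16)
        self.pending[user] = r
        return r

    def verify(self, user, response):
        """Message 3 check: recompute H(K, R) for the outstanding R and compare in constant time."""
        r = self.pending.pop(user, None)        # each challenge is answerable exactly once
        if r is None:
            return False
        expected = keyed_response(self.shared_keys[user], r)
        return hmac.compare_digest(expected, response)


def run_login(server, user, key):
    """Drive one full exchange: 'I'm user' -> R -> H(K, R) -> accept or reject."""
    r = server.challenge(user)                  # messages 1 and 2
    return server.verify(user, keyed_response(key, r))   # message 3


if __name__ == "__main__":
    shared = b"constructed-shared-secret"      # constructed sample key
    server = AuthServer({"alice": shared})      # constructed sample user
    print("correct key accepted:", run_login(server, "alice", shared))
    print("wrong key accepted:", run_login(server, "alice", b"guess"))
```

Because R is chosen by the verifier and consumed on the first verify, an eavesdropper who records one H(K, R) cannot present it again: the next login gets a different R and the stored value no longer matches.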
IPsec
- Which layer?
- Why we need it: IP spoofing, payload modification, eavesdropping
- Two protocols / two modes
- Transport mode: host-to-host IPsec
- Tunnel mode: gateway-to-gateway; IP header is encrypted

SSL
- Which layer?
- Why we need it: think about https
- Main processes: negotiate cipher suites, authenticate servers, verify certificates

Sample questions
- True/false: Applying IPsec and SSL on the same data packet is redundant.
- Descriptive: Compare IPsec and SSL, and briefly describe their differences.

Firewall / IDS
- What are their roles: prevent vs. detect
- Firewall: packet filtering (stateless) vs. session filtering (stateful); iptables
- IDS: accuracy, e.g., false alarm; TPR, FPR, TNR, FNR
- Misuse detection (signatures)
- Anomaly detection
- Host-based (e.g., aide)
- Network-based (e.g., snort)
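The IDS accuracy terms above (TPR, FPR, TNR, FNR) are best understood by computing them for a detector against labelled traffic. The following is an added example, not part of the slides: a minimal anomaly detector that learns a threshold of mean + k standard deviations from a constructed normal-traffic baseline, runs it over a constructed evaluation window whose true attack minutes are known, and derives the four rates from the resulting confusion counts. All counts and labels are made up for the example.

```python
from statistics import mean, pstdev


def learn_threshold(baseline_counts, k=3.0):
    """Anomaly detection baseline: anything above mean + k * stddev of normal traffic is flagged."""
    return mean(baseline_counts) + k * pstdev(baseline_counts)


def detect(counts, threshold):
    """One boolean alert per interval."""
    return [c > threshold for c in counts]


def confusion(labels, alerts):
    """labels: True where the interval really was an attack; alerts: True where the IDS fired."""
    tp = sum(1 for real, fired in zip(labels, alerts) if real and fired)
    fn = sum(1 for real, fired in zip(labels, alerts) if real and not fired)
    fp = sum(1 for real, fired in zip(labels, alerts) if not real and fired)
    tn = sum(1 for real, fired in zip(labels, alerts) if not real and not fired)
    return tp, fp, tn, fn


def rates(tp, fp, tn, fn):
    """The four rates from the slide; rates over an empty class are reported as 0.0."""
    safe = lambda num, den: num / den if den else 0.0
    return {
        "TPR": safe(tp, tp + fn),   # attacks caught (detection rate)
        "FNR": safe(fn, tp + fn),   # attacks missed
        "FPR": safe(fp, fp + tn),   # false alarms among normal intervals
        "TNR": safe(tn, fp + tn),   # normal intervals correctly left alone
    }


# Constructed sample: requests per minute during a known-normal training window.
BASELINE = [20, 22, 19, 21, 20, 23, 18, 21]
# Constructed evaluation window: (requests per minute, was this minute really an attack?)
EVALUATION = [(21, False), (24, False), (60, True), (19, False),
              (26, False), (45, True), (22, False), (25, True)]


def evaluate(baseline=BASELINE, evaluation=EVALUATION, k=3.0):
    """Return (threshold, (tp, fp, tn, fn), rates) for the detector on the evaluation window."""
    threshold = learn_threshold(baseline, k)
    counts = [c for c, _ in evaluation]
    labels = [is_attack for _, is_attack in evaluation]
    tp, fp, tn, fn = confusion(labels, detect(counts, threshold))
    return threshold, (tp, fp, tn, fn), rates(tp, fp, tn, fn)


if __name__ == "__main__":
    threshold, counts, r = evaluate()
    print(f"threshold={threshold:.1f} tp,fp,tn,fn={counts}")
    for name, value in r.items():
        print(f"{name}={value:.3f}")
```

With these numbers the threshold comes out at 25.0, one quiet attack minute (25 requests) slips under it (a false negative) and one busy normal minute (26) trips it (a false alarm); lowering k raises TPR at the cost of FPR, which is the trade-off the accuracy bullet is about.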
Sample questions
- True/false: A stateless firewall on a server cannot limit the number of TCP connections per client.
- Descriptive: Explain the following snort rule and describe how to trigger the alert:
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Test attack"; content:"test_attack";)
- Descriptive: Describe the goal of the following firewall rule:
    iptables -A INPUT -p icmp -j DROP
- Descriptive: Compare host-based and network-based IDS, and briefly describe the difference.

Final Grade
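The snort rule in the sample questions above can be read mechanically: header fields (action, protocol, source, source port, direction, destination, destination port) and then options in parentheses. The following is an added example, not snort's own code and not part of the slides: a small matcher that parses that rule and evaluates it against constructed packets. The bindings for $EXTERNAL_NET and $HTTP_SERVERS are an assumption (snort takes them from its configuration), and only the header fields plus the `msg` and `content` options are handled.

```python
import re
import ipaddress

# action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split a rule into its header fields and a dict of simple key:"value" options."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for item in opts.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def addr_matches(spec, ip, variables):
    """'any', a $VARIABLE, or a CIDR network, optionally negated with a leading '!'."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        spec = variables[spec]
    negate = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(ip) in network
    return not inside if negate else inside


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def match(rule, pkt, variables):
    """Return the rule's msg when every header field and the content option match, else None."""
    if pkt["proto"] != rule["proto"]:
        return None
    if not (addr_matches(rule["src"], pkt["src"], variables)
            and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"], variables)
            and port_matches(rule["dport"], pkt["dport"])):
        return None
    content = rule["options"].get("content")
    if content is not None and content.encode() not in pkt["payload"]:
        return None
    return rule["options"].get("msg", "")


# Assumed variable bindings for this example (snort normally reads them from snort.conf).
VARIABLES = {"$HTTP_SERVERS": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.0.0/16"}
RULE = parse_rule('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
                  '(msg:"Test attack"; content:"test_attack";)')


def make_pkt(src, sport, dst, dport, payload, proto="tcp"):
    """Constructed packet summary with just the fields the matcher needs."""
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": payload}


if __name__ == "__main__":
    hit = make_pkt("203.0.113.5", 40000, "192.168.1.20", 80, b"GET /test_attack HTTP/1.1\r\n")
    miss = make_pkt("203.0.113.5", 40000, "192.168.1.20", 80, b"GET /index.html HTTP/1.1\r\n")
    print("hit ->", match(RULE, hit, VARIABLES))
    print("miss ->", match(RULE, miss, VARIABLES))
```

The alert fires only when all conditions hold at once: TCP, a source outside the protected range, any source port, a destination inside $HTTP_SERVERS on port 80, and the string test_attack somewhere in the payload; change any one of them and the same packet is ignored.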