True False questions (25 points + 5 points extra credit)




Student Name:

ISA 656: Network Security
Midterm Examination

GENERAL INSTRUCTIONS

The midterm is worth 110 points (including 10 extra credit points): 25 points of True/False and 75 points of short answer. You have two ½ hours for the entire exam; plan accordingly. The questions are in no particular order of difficulty. Move on to easier ones if you find yourself stuck. You may answer questions in any order as long as they are clearly labeled. This exam is open book and notes. You may use your computer and the Internet ONLY to access the electronic version of the text book and lecture slides, along with typing up your answers to the questions. You can submit a PDF version of your answers to blackboard or submit a hard copy of your answers.

True False questions (25 points + 5 points extra credit)

Circle only one of the choices (5 points each).

True False Adding Salt to hashed passwords increases the difficulty of online dictionary attacks.
Adding salt helps with offline dictionary attacks, but not with online dictionary attacks.

True False DNSSEC A records can be used to increase the effectiveness of DNS amplification attacks.
DNSSEC A records can be an order of magnitude larger than unsigned A records.

True False Implementing an authentication system that uses two different passwords would satisfy a requirement of two-factor authentication.
Two-factor authentication is when two different types of authentication, such as what you know and what you have, are required to authenticate.

True False RSA provides forward secrecy

RSA does not provide forward secrecy, but DH does provide this property.

True False If the key is truly random, as long as the plaintext, and never re-used, the one-time pad provides perfect message secrecy.
If these rules are followed, one-time pads provide perfect message secrecy. However, in practice it is difficult to follow these rules.

True False PGP provides secrecy of the SMTP headers in an email message.
SMTP headers are mutable and change while processing messages, so PGP does not provide secrecy for these headers.

Short Answer (75 points + 5 points extra credit)

1) Intrusion Detection Systems (20 points)

a) Give one advantage and disadvantage of a stateless packet-based IDS, one advantage and disadvantage of a stateful session-based IDS. (10 points)

Stateless IDS: Advantages: low memory overhead, quickly identifies potentially malicious packets. Disadvantages: an attacker can split attacks across packets to avoid detection.
Stateful IDS: Advantages: can detect attacks that span packets. Disadvantages: higher overhead from reassembling fragmented messages.

b) A problem IDSs face is that, based on their placement, their view of a packet is different from what the host perceives. For example, a packet with a low TTL may pass by the IDS but never reach the host, or if two overlapping TCP segments with inconsistent data pass the IDS, it doesn't know which data the host will use. Give two ways an IDS can deal with these sorts of ambiguities. List one advantage and one disadvantage for each of your solutions. (10 points)

1) The IDS could modify the TTL value to ensure that all packets reach the end host. Advantage: this would mitigate attacks aimed at evading the IDS. Disadvantage: it might break tools designed to map out networks by sending small TTL values expecting packets to be dropped. It would also break other protocols that rely on the end-to-end principle.
2) The IDS could drop all packets with a low TTL value. Advantage: this would mitigate attacks meant to evade IDS systems. Disadvantage: it might disrupt connectivity for some connections that legitimately receive small TTL packets.
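The sketch below is an added example, not part of the exam solutions. It shows a sensor applying answer 2 (dropping packets whose TTL cannot reach the host) and flagging the inconsistent overlapping segments described in the question. The class name `Sensor`, the hop count and the sample traffic are assumptions, and sequence-number wraparound is ignored.

```python
from dataclasses import dataclass, field

@dataclass
class Sensor:
    hops_to_host: int                          # assumed known from network topology
    flows: dict = field(default_factory=dict)  # flow id -> {sequence number: byte}

    def inspect(self, flow, ttl, seq, data):
        """Return 'drop', 'alert' or 'pass' for one TCP segment."""
        # Each remaining router decrements TTL and discards the packet at 0,
        # so the host only receives it when ttl > hops_to_host.
        if ttl <= self.hops_to_host:
            return "drop"
        seen = self.flows.setdefault(flow, {})
        # Overlap with different bytes: the sensor cannot know which copy
        # the host's TCP stack keeps, so raise an alert and record nothing.
        if any(seen.get(seq + i, b) != b for i, b in enumerate(data)):
            return "alert"
        for i, b in enumerate(data):
            seen[seq + i] = b
        return "pass"

# Constructed sample traffic: (flow, ttl, seq, payload)
FLOW = "10.0.0.5:40000>10.0.1.9:80"
SAMPLE = [
    (FLOW, 64, 1000, b"HELLOWORLD"),
    (FLOW, 2, 1010, b"!!!!!"),      # would expire before reaching the host
    (FLOW, 64, 1005, b"WORLD"),     # consistent retransmission
    (FLOW, 64, 1005, b"XXXXX"),     # inconsistent overlap
]

def run(sample=SAMPLE, hops=3):
    sensor = Sensor(hops_to_host=hops)
    return [sensor.inspect(*pkt) for pkt in sample]

if __name__ == "__main__":
    print(run())
```

As the answer notes, the TTL rule also drops legitimate low-TTL traffic, so the hop count has to match the real path between the sensor and the host.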

2) Authentication (10 points)

MegaSoft released a video game player called Ybox Zero. For a monthly subscription fee, gamers can join the Ybox Half-Dead online gaming service. User authentication for Ybox Half-Dead works as follows. When the user first subscribes for the service, he must establish a password. This password is stored on the Half-Dead server together with the serial number of the user's Ybox Zero. Afterwards, whenever the user's Ybox connects to the server over the Internet, he is asked for his password, which is transmitted in the clear together with the serial number of the Ybox. The server verifies whether the received password matches the password in its database and whether subscription fees have been paid for this serial number. If so, it allows the user to connect.

a) Fyodor has a paid-up Half-Dead subscription. He is using a wireless Internet connection for his 3am gaming marathons, and the signal leaks into Jerko's house (i.e., Jerko can passively eavesdrop on all messages transmitted to and from Fyodor's Ybox, but cannot modify them or introduce new messages). How can Jerko exploit this to connect his own Ybox to the Half-Dead server for free? Assume that Jerko can modify his Ybox. (3 points)

Jerko can eavesdrop on Fyodor's messages and replay them to connect his Ybox.

b) Design a user authentication scheme for Ybox Half-Dead based on a cryptographic hash function that prevents passive attackers from exploiting eavesdropped messages between the Ybox and the Half-Dead server. (7 points)

The key is to create a hash that can be used to authenticate Fyodor to the Half-Dead server and mitigates replay attacks. Such a protocol should include the Half-Dead server sending a random nonce or challenge and the client sending back a hash containing, hash(password nonce serial). Assuming that the size of the nonce is sufficient to make it improbable that the same nonce or challenge is sent twice, this would mitigate passive replay attacks.
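The following is an added example, not part of the exam solutions: a minimal sketch of the challenge-response scheme in answer b), showing that a response captured for one nonce is rejected in a later session. SHA-256, the 16-byte nonce, the length-prefixed field encoding, the class name `HalfDeadServer` and the account data are assumptions.

```python
import hashlib
import hmac
import secrets

def response(password: str, nonce: bytes, serial: str) -> bytes:
    """Client answer: hash over password, nonce and serial.
    Each field is length-prefixed so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for part in (password.encode(), nonce, serial.encode()):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

class HalfDeadServer:
    def __init__(self, accounts):
        self.accounts = accounts   # serial -> password, stored as the question describes
        self.pending = {}          # serial -> nonce of the outstanding challenge

    def challenge(self, serial: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh random challenge per login
        self.pending[serial] = nonce
        return nonce

    def verify(self, serial: str, resp: bytes) -> bool:
        nonce = self.pending.pop(serial, None)   # each nonce is usable once
        password = self.accounts.get(serial)
        if nonce is None or password is None:
            return False
        expected = response(password, nonce, serial)
        return hmac.compare_digest(resp, expected)

def demo():
    # Constructed account data for illustration.
    server = HalfDeadServer({"YBX-0001": "correct horse"})
    nonce = server.challenge("YBX-0001")
    captured = response("correct horse", nonce, "YBX-0001")  # what an eavesdropper sees
    first_login = server.verify("YBX-0001", captured)
    server.challenge("YBX-0001")                             # later session, new nonce
    replayed = server.verify("YBX-0001", captured)
    return first_login, replayed

if __name__ == "__main__":
    print(demo())
```

An eavesdropper who records a nonce and its response can still test password guesses offline, so this scheme addresses replay only.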

3) SSL/DNSSEC (20 points)

In the current DNSSEC system, each name server returns a certificate proving that its response is correct. The certificate essentially contains:

C_{name,domain} = (name, ipaddr, P_{name,domain}, sig_{P_domain}(name, ipaddr, P_{name,domain}))

Requests proceed as follows:

Client -> Root Nameserver: com?
Root Nameserver -> Client: C_{com,.}
Client -> com Nameserver: amazon.com?
com Nameserver -> Client: C_{amazon,com}
Client -> amazon.com NS: www.amazon.com?
amazon.com NS -> Client: C_{www,amazon.com}

Consider an alternative protocol in which only the last name server provides certificates for its answer:

Client -> Root Nameserver: com?
Root Nameserver -> Client: ipaddr_{com,.}
Client -> com Nameserver: amazon.com?
com Nameserver -> Client: ipaddr_{amazon,com}
Client -> amazon.com NS: www.amazon.com?
amazon.com NS -> Client: C_{com,.}, C_{amazon,com}, C_{www,amazon.com}

a) List one efficiency advantage of the second protocol. (5 points)

Lower bandwidth overhead for the root and .com nameservers.

b) List one difference and one similarity of the second protocol and the SSL PKI system. (15 points)

Difference: There are multiple certificates that need to be validated.
Similarity: The root of trust is the "." certificate, which the resolver must trust to verify the rest of the certificates.

4) Protocol Design (20 points)

Alice and Bob want to communicate over a mutually authenticated connection. There is a trusted authority T, which will generate a fresh random session key K and send it to Alice and Bob. Alice has established a shared symmetric key K_a with T and Bob has established a shared symmetric key K_b with T. In the notation used here, A -> B : M means that A sent message M to B. Also, {M}k means that message M was encrypted with key k.

Alice -> T : { I want to authenticate with Bob }K_a
T -> Alice : { Use session key, K_ab, and send Bob this message, {This is Alice using key, K_ab}K_b }K_a
Alice -> Bob : { This is Alice using key, K_ab }K_b

a) What types of attacks is this protocol vulnerable to? Explain how each of the attacks would work (an example would be sufficient). (10 points)

This protocol is vulnerable to replay attacks, since none of the messages include a nonce or time stamp to provide freshness. The protocol is also vulnerable to a man-in-the-middle attack since the message from T can be replayed.

b) Can we design a protocol that would be able to authenticate two parties without prior knowledge of each other and be resilient to man-in-the-middle attacks? Explain your answer. (10 points)

Alice -> T : { I want to authenticate with Bob, nonce }K_a
T -> Alice : { Use session key, K_ab, and send Bob this message, nonce+1, {This is Alice using key, K_ab}K_b }K_a
Alice -> Bob : { This is Alice using key, timestamp, K_ab }K_b

5) Firewall (10 points)

a) (2 points) What are the differences between application layer proxies and packet filters?

Application layer proxies can perform deep packet inspection to filter attacks at the application layer. Packet filters are limited to the initial headers, i.e. IP, TCP, UDP, etc.

b) (3 points) What are the differences between stateful and stateless firewalls?

Stateful firewalls can determine if a packet is part of an existing connection or a reply to a request and use this to make filtering decisions. Stateless firewalls must make all filtering decisions based on the information in a single packet.

c) (5 points) A stateless packet-filter firewall decides whether to allow a packet to traverse the firewall based on the TCP/IP header of the packet, without regard to past traffic through the firewall. Assume a stateless packet-filter firewall is installed between an enterprise network and the external Internet, for the purpose of protecting users on the enterprise network. Circle the following attacks that can be detected and mitigated (to a significant degree) by the firewall:

i. Port sweep
ii. SYN flooding
iii. A phishing attack in which users are asked to visit a known bad web site
iv. Viruses in incoming email addressed to enterprise users