Sirindhorn International Institute of Technology Thammasat University

Transcription

1 Name ID Section Seat No Sirindhorn International Institute of Technology Thammasat University Course Title: IT Security Instructor: Steven Gordon Final Exam Answers: Semester 2, 2015 Date/Time: Tuesday 17 May 2016; 13:30 16:30 Instructions: This examination paper has 15 pages (including this page). Conditions of Examination: Closed book; No dictionary; Non-programmable calculator is allowed Students are not allowed to be out of the exam room during examination. Going to the restroom may result in score deduction. Turn off all communication devices (mobile phone etc.) and leave them at the front of the examination room. The examination paper is not allowed to be taken out of the examination room. A violation may result in score deduction. Write your name, student ID, section, and seat number clearly on the front page of the exam, and on any separate sheets (if they exist). IT Security, Semester 2, 2015 Prepared by Steven Gordon on 17 May 2016 its335y15s2e02, Steve/Courses/2015/s2/its335/assessment/final-exam.tex, r4787

2 Question 1 [6 marks] Consider different Internet security approaches. When explaining an advantage/disadvantage, make sure it is an advantage/disadvantge when compared to the stated alternative. (a) Explain an advantage of application-level security (versus transport-level security). [2 marks] Answer. Application developer can choose and implement their own security mechanisms. Do not rely on the operating system provided security mechanisms. (b) Explain an advantage of transport-level security (versus application-level security). [2 marks] Answer. Application developer does not have to implement their own security mechansisms. There task is much easier as they just use the mechanisms provided by the OS. (c) Explain a disadvantage of host-to-host network-level security (versus transport-level security). [2 marks] Answer. Network level security (such as sec) requires configuration by the user of the computer. TLS does not require any involvement of the user. IT Security 2

3 Question 2 [14 marks] Consider the internet below, with a web browser running on computer U and a web server on S. There are seven routers shown (router 2 is also running as a firewall, FW), however assume there are more routers in the path. For example, although not shown, assume there are additional routers between R4 and R5, and between R5 and R6. U FW R1 01 R3 R4 R5 R6 R In your answers to the following questions use the device name to refer to the address. For example, the address of the computer running a web browser is U. The address of the firewall router is FW. Assume the firewall is using packet filtering only and contains a rule to block packets destined to S. First consider the case of a web proxy running on R5. The web browser uses the proxy to access the web site S. (a) Explain why a web proxy can be used to bypass a packet filtering firewall when U is using HTTP. [1 mark] Answer. The packet sent by U and received by the firewall has a destination address of R5. The rule on the firewall allows the packet. (b) Explain two different approaches that can be used in configuring the firewall so that U cannot access S via the proxy. For each approach, describe a disadvantage of the approach. [2 marks] Approach 1: Answer. Configure the firewall to block packets destined to proxy servers. The disadvantage is that the firewall must be aware of all proxy servers there are many available, and they change rapidly. Approach 2: Answer. Configure the firewall to inspect the data in the packet, and if it recognises the packet is a HTTP POST containing the URL of S, block it. The disadvantage is that it requires more complexity at the firewall, making it slower. All data packets must be checked, slowing down accepted data packets. Now consider that a VPN server is running on R5 (instead of the web proxy). Computer U is configured to use the VPN server. (c) If HTTP is used by U, and FW intercepts the packet sent by U, explain what the firewall can see. What are the source and destination addresses and what does the firewall know about the contents of the packet? [1.5 marks] IT Security 3 S

4 Answer. The firewall sees the source address of U and destination address of R5. The firewall cannot see the contents of the packet because it is encrypted. (d) Similar to part (c), what can R7 see? [1.5 marks] Answer. R7 sees the source address of R5 and destination address of S. The firewall can see the contents of the packet, i.e. it is a HTTP request. (e) Explain the differences in security achieved when using HTTPS with a VPN versus using HTTP with a VPN. That is, what extra security objectives are met by using HTTPS, that are not met when using HTTP (or vice versa). [1.5 marks] Answer. When using HTTPS, devices between R5 and S cannot see the data. Also, the VPN server cannot see the data. With HTTP devices between R5 and S as well as the VPN server can see the data. Now consider that Tor is being used on computer U and a Tor connection has been established on the relays on R4, R5 and R6. R6 is the exit relay. (f) If the firewall intercepts the packet from U, explain what the firewall can see or knows. That is, what source/destination addresses does it see, what content can it see and who does it know is communcating. [1.5 marks] Answer. The source is that of U and the destination is R4, so the firewall believes U is communicating with R4. The content cannot be seen because it is encrypted by Tor. (g) When R5 receives the packet, explain what R5 can see or knows. [1.5 marks] Answer. The source is R4 and the destination is R6. The content is encrypted and cannot be seen by R5. (h) When R7 receives the packet, explain what R7 can see or knows. [1.5 marks] Answer. The source is R6 and the destination is S. If HTTP is used, they can see the content. If HTTPS is used, they cannot see the content. Finally, compare the three approaches: web proxies, VPN and Tor. When you explain the advantage, you must give more that a one word or phrase answer (such as faster ). You must explain why it is an advantage (e.g. it is faster because... ). (i) Explain an advantage of web proxies (compared to VPNs). [1 mark] IT Security 4

5 Answer. Web proxies are generally free, or cheaper than VPNs because they require fewer resources to operate and can easily be supported by advertising. Web proxies are easier to use/setup compared to VPNs because the user only has to visit the proxy website in their browser. With a VPN, the user must configure software (e.g. OS settings) to setup the VPN client. (j) Explain an advantage of Tor (compared to VPNs). [1 mark] Answer. Tor provides privacy from all entities in the network, whereas with a VPN you must trust the VPN server. IT Security 5

6 Question 3 [6 marks] (a) Explain how Stateful Packet Inspection (SPI) is used with a packet filtering firewall. Include in your explanation how a SPI table is created and how it is used. [2 marks] Answer. When a rule in the firewall table accepts an incoming connection (e.g. a TCP SYN packet), then an entry is added to the SPI table identifying the connection (e.g. address pair, port pair). Then, any subsequent packets belonging to that connection (e.g. TCP SYN/ACK in reverse direction, TCP ACK and TCP data packets) will be accepted without consulting the firewall table. (b) Assume SIIT Bangkadi has a correctly configured firewall that prevents external users from accessing unauthorised services inside SIIT, prevents internal users from accessing unauthorised services outside SIIT, and stops malicious content (e.g. viruses) from entering SIIT. The firewall runs on the single router that connects SIITs internal network to the internet. Consider the limitations of firewalls. Even with the firewall correctly configured, explain one method in which: [2 marks] i. An internal user may access unauthorised external services. Answer. Internal users could use alternative Internet connections (e.g. mobile phone) which the firewall does not control. Internal users could use tunnelling to bypass the firewall. ii. Malicious content can still enter SIIT. Answer. If internal users use alternative Internet connections, malicious content will not be blocked by the firewall. Similar, if internal users use media (CD, USB) with malicious content, then it can be loaded onto internal computers. (c) Assume SIIT has a De-Militarised Zone (DMZ), which is a subnet that contains only public-facing servers (e.g. mail.siit.tu.ac.th, ict.siit.tu.ac.th). SIIT also has other servers for internal use only (e.g. database servers, file servers). Draw a picture that shows the SIIT network, including internal servers and hosts (e.g. office computers), DMZ, firewall(s) and the single router that connects the SIIT network to the external internet. [2 marks] Answer. notes Draw a network similar to one of those in slide 18 of Firewalls lecture IT Security 6

7 Question 4 [6 marks] The following are a selection of Linux commands used in Ping and NTP flooding attacks. (a) tcpdump -i eth1 icmp (b) tc class add dev eth2 parent 1:0 classid 1:10 htb rate (c) service ntp restart (d) sysctl net.ipv4.icmp echo ignore broadcasts=0 (e) ping -b (f) ntpdc -n -c monlist (g)./pingmany (h) sysctl net.ipv4.conf.all.rp filter=0 (i) iptraf (j) chmod u+x pingmany (k) kill -SIGINT pgrep ping (l) ntpdate (m) iptables -t nat -A POSTROUTING -j SNAT --to-source Select the most appropriate command from above that is used to perform each of the following operations in setting up and performing the DoS attacks. Some operations require multiple commands; but select just one of the commands from above. Assume the user has full privileges on the system (ignore sudo). To answer, in the space for each operation, give the letter, from between a and m, of the command. [1 mark each] (a) Send an ICMP echo request to all nodes on a subnet: e (b) Set this node to use a fake source address: m (c) Send a request for a list of computers that have recently contacted an NTP server: f (d) Display real-time statistics of all packets coming in to an interface: i (e) Enable a router to allow packets with fake source addresses to be forwarded: h (f) Limit the speed at which a node can send data: b IT Security 7

8 Question 5 [14 marks] This question and several of the following questions require you to draw a protocol stack. When drawing a protocol stack, label the layers with as specific name as possible. For example, if the question asks about web browsing, then at the transport layer you would write TCP, because that is the transport protocol used for web browsing. If you answered transport then it would be marked incorrect (since TCP is more specific than transport). As another example, if the question asks about all or any applications, then at the transport layer you would write transport, because without knowing the specific application, you cannot know the specific transport protocol. If you answered TCP then it would be marked incorrect (since some applications may use UDP). Some layers may already be given in questions (i.e. = Physical layer; = Data Link layer), you need to draw the remaining layers above them. (a) Complete the protocol stack for the web browser, A, and web server, B, in the figure below if HTTPS is being used. [3 marks] Web Browser Web Server Internet (b) Typically when using HTTPS, the client authenticates the server using digital certificates. How does a server typically authenticate a client? [1 mark] Answer. Usernames and passwords. The client submits the username and password using HTTP (e.g. a POST request). (c) Assume the web server, B, has obtained a certificate from Certificate Authority, CA. Write an equation for the certificate, C B. Some notation you may use includes: T for a timestamp, E RSA () for encryption, for concatenation and H() for a hash function. [3 marks] IT Security 8

9 Web Browser Web Server HTTP SSL/TLS TCP HTTP SSL/TLS TCP Internet Answer. C B = ID B P U B T E RSA (P R CA, H(ID B P U B T )) (d) Write an equation for the self-signed certificate of CA, C CA. [2 marks] Answer. C CA = ID CA P U CA T E RSA (P R CA, H(ID CA P U CA T )) (e) When the web browser receives the C B, it must verify the certificate using C CA. In practice, how does the browser know or obtain C CA? [2 marks] Answer. The browser developer loads a set of CA certificates into the browser (or they are provided by the OS - the OS developer loads them). (f) Once the web browser has verified C B, the web browser generates a random secret key, K s, encrypts the secret key to get X, and sends X back to the web server, B. Write an equation to show how X is obtained. [2 marks] Answer. X = E RSA (P U B, K s ) IT Security 9

10 (g) Assuming the algorithms used are cryptographically secure, explain a practical limitation or potential vulnerability with using digital certificates. [2 marks] Answer. If browser developers are compromised or someone with administrator access can configure the browser/computer, untrustworthy CA certificates may be loaded, meaning fake server certificates can be issued. IT Security 10

11 Question 6 [7 marks] Consider an application proxy running on a router at the edge of an internal network. The proxy is used for all HTTP traffic between internal browsers and external web servers. The proxy includes functionality to scan and filter content exchanged between browser and server. (a) Complete the protocol stack for the web browser, A, the web server, B, and the application proxy, P, in the figure below if HTTP is being used. [2 marks] Web Browser Application Proxy Web Server internal external (b) Explain both an advantage and disadvantage of using a HTTP application proxy to control traffic between internal browsers and external web servers (compared to using a packet filtering firewall with SPI). [2 marks] Advantage of proxy: Answer. The proxy can understand the HTTP messages, therefore allowing it to make decisions based on the content of the HTTP GET requests and responses. E.g. it can look at the Host: field in the GET header to determine the domain name of the web site. It can look at the URL field in the GET request to determine the exact file being requested. It can look at the HTML in the response to determine if the content should be blocked. A packet filtering firewall does not look at the HTTP messages. Disadvantage of proxy: IT Security 11

12 Web Browser Application Proxy Web Server HTTP HTTP HTTP HTTP TCP TCP TCP TCP internal external Answer. Inspecting the HTTP headers is generally much slower than just looking at the and TCP headers. Since and TCP headers are of fixed size/structure, it is common to have a firewall use (fast) hardware features to check those values. But HTTP messages must be processed in software, and the algorithms to check the messages must consider many different types of HTTP requests/responses, fields and content. Another disadvantage is the proxy splits the connection from browser to server into two connections: browser to proxy, and proxy to server. Therefore end-to-end security (HTTPS) is not possible. If HTTPS is used then the proxy must be able to decrypt the packet, compromising the end-to-end security. This generally requires a certificate of the proxy to be loaded into the browser so that the browser does not get any warnings about untrusted connections. (c) As administrator of the internal network, explain what you need to do to setup the application proxy to support HTTPS. (Hint: think about certificates and how they are normally used to exchange a secret in HTTPS) [3 marks] Answer. Since the proxy needs to decrypt the HTTPS message it must create a connection to the server (if the HTTPS connection is from browser to server the proxy will not be able to see the messages, meaning it can not filter packets). So the server sends its certificate to the proxy and they establish a secure connection. Since the proxy will use the servers public key, the server will be able to decrypt with its private key. When a secure connection is established between the proxy and client, for the proxy to be able to decrypt the client must use the proxies public key. But the client sends a request to the server. So the proxy sends a certificate to the client saying it is the IT Security 12

13 public key of the server, but in fact it is the public key of the proxy. But the proxy cannot get a real CA to sign this fake certificate so it self-signs (using the proxies private key). When the client receives this certificate, it will not trust it because it is self-signed, at least presenting a warning to the user. If you want to avoid this warning then the client could be configured with the proxies certificate, meaning it will trust anything from the proxy. IT Security 13

14 Question 7 [7 marks] You are the administrator of the SIIT network. You want to setup a virtual private network (VPN) using sec between the two campuses, Rangsit and Bangkadi, so that all data exchanged (including by faculty members in their offices, students using SIIT Wi-Fi, and staffs using servers) between the campuses is encrypted. (a) On the figure below indicate where sec will be configured to run (i.e. on which device and at which layer). (Although the figure only shows two hosts, assume there are many hosts on each network). [3 marks] SIIT Bangkadi Host A App UDP TCP SIIT Bangkadi ISP1 ISP2 SIIT Rangsit Router W Router X Router Y Router Z SIIT Rangsit Host B App TCP UDP SIIT Bangkadi network ISP1 Internet ISP2 SIIT Rangsit network (many ISPs) network network SIIT Bangkadi Host A App SIIT Rangsit Host B App UDP TCP SIIT Bangkadi ISP1 ISP2 SIIT Rangsit Router W Router X Router Y Router Z TCP UDP sec sec SIIT Bangkadi network ISP1 Internet ISP2 SIIT Rangsit network (many ISPs) network network (b) What is an advantage of using sec in the locations that you chose in part (a) (compared to other locations)? [2 marks] Answer. If sec is used from W to Z, then it only needs to be configured on those routers. The hosts within Bangkadi and Rangsit do not need to be configured/maintained to run sec, making it easy to manage the network. If sec was IT Security 14

15 used on each host, then the network administrator would need to maintain all hosts (very difficult). (c) If someone intercepts packets on the Internet (between X and Y) while the VPN is in use, then explain what level of privacy is provided with regards to identifying who is communicating. [2 marks] Answer. They will see the source is Bangkadi and destination is Rangsit, meaning they can identify that someone within SIIT Bangkadi is communicating with somone within SIIT Rangsit. But they don t know the individual within each network. IT Security 15

16 Question 8 [10 marks] Consider the internet in Figure 1. On the 4 subnets assume there are many hosts (although only two hosts are shown for each subnet due to space). The host addresses are obtained from the subnet address and the host number, e.g. host 2 has The two routers have three interfaces / / eth0 A eth1 eth2 Internet (many subnets & hosts) 4 eth2 B 6 eth0 eth / /24 7 Figure 1: Firewall network You are the IT administrator for the two subnets attached to router A and need to add a rule to the firewall running on router A. The default policy for the firewall is accept. Stateful Packet Inspection is enabled on the firewall. For each of the following policies, write a rule that implements it by filling in the table. You may use 1 or more rows, but the rules should be as simple as possible. Use the format :22 to show both address and port number in the Source and Destination columns. For each part, assume initially there are no firewall rules; i.e. your answer in part (b) is independent of your answer in part (a). [2 marks each] IT Security 16

17 (a) Block all hosts on network /24 from accessing any SSH servers on network /24 Source Destination Protocol Action Source: /24:*; Destination: /24:22; Protocol: TCP; Ac- Answer. tion: Drop (b) Block host 3 from browsing to any websites in network /24 Source Destination Protocol Action Answer. Source: :*; Destination: /24:80; Protocol: TCP; Action: Drop Source: :*; Destination: /24:443; Protocol: TCP; Action: Drop (c) Block all hosts in network /24 from accessing internal servers, except host 8 should be able to access the SSH on host 1 Source Destination Protocol Action IT Security 17

18 Answer. Source: :*; Destination: :22; Protocol: TCP; Action: Accept Source: /24:*; Destination: *:*; Protocol: *; Action: Drop Consider the same network as in Figure 1. Now assume the default policy is drop. The current firewall table is: Source Destination Protocol Action :* /24:22 TCP Accept :* /24:25 TCP Accept /24: :* TCP Accept /24:* :80 TCP Accept :* *:443 TCP Accept The following TCP SYN packets have recently been received by the firewall. Packet 1 arrived on interface eth0 with source :40123 and destination :25 Packet 2 arrived on interface eth1 with source :50345 and destination :25 Packet 3 arrived on interface eth2 with source :50789 and destination :80 (d) Draw the SPI table at the firewall. [2 marks] Source Destination Answer. Packet 1 is dropped. Packet 2 is accepted, hence an entry is added to the SPI table (Src = :50345, Dst = :25). Packet 3 is accepted, hence an entry is added to the SPI table (Src = :50789, Dst = :80) (e) With your SPI table from the answer above, now assume a TCP Data segment arrives on interface eth1 with source :80 and destination : Explain what happens to the TCP Data segment and why. [2 marks] Answer. The TCP segment is accepted since the 2nd entry in the SPI table matches. The segment belongs to an accepted/established connection. IT Security 18