Corso di Network Security a.a. 2012/2013. Solutions of exercises on the second part of the course

Similar documents
Network Security. Thierry Sans

CSC 4900 Computer Networks: Security Protocols (2)

Network Encryption 3 4/20/17

CIT 380: Securing Computer Systems. Network Security Concepts

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

CSCE 715: Network Systems Security

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Chapter 8 Network Security

Time Synchronization Security using IPsec and MACsec

VPN Ports and LAN-to-LAN Tunnels

CTS2134 Introduction to Networking. Module 08: Network Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0

Firewalls, Tunnels, and Network Intrusion Detection

CSC 6575: Internet Security Fall 2017

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

Added Features. 1. PPTP (Point-to-Point Tunneling Protocol)

CS519: Computer Networks. Lecture 1 (part 2): Jan 28, 2004 Intro to Computer Networking

ET4254 Communications and Networking 1

NETGEAR-FVX Relation. Fabrizio Celli;Fabio Papacchini;Andrea Gozzi

E&CE 358: Tutorial 1. Instructor: Sherman (Xuemin) Shen TA: Miao Wang

PROGRAMMING Kyriacou E. Frederick University Cyprus. Network communication examples

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

A Framework for Optimizing IP over Ethernet Naming System

The Network 15 Layer IPv4 and IPv6 Part 3


ECE 435 Network Engineering Lecture 23

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Agenda. Introduction. Security Protocols Wireless / Mobile Security. Lecture 10. Network Security I

... Lecture 10. Network Security I. Information & Communication Security. Prof. Dr. Kai Rannenberg

ELEC5616 COMPUTER & NETWORK SECURITY

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

TCP/IP THE TCP/IP ARCHITECTURE

Advanced Security and Mobile Networks

Computer Networking: A Top Down Approach Featuring the. Computer Networks with Internet Technology, William

The Netwok 15 Layer IPv4 and IPv6 Part 3

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 8 Networking Essentials

Configuration of an IPSec VPN Server on RV130 and RV130W

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

IPSec. Overview. Overview. Levente Buttyán

The Netwok Layer IPv4 and IPv6 Part 1

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

CIS 5373 Systems Security

Chapter 6/8. IP Security

Cryptography and Network Security. Sixth Edition by William Stallings

Assignment - 1 Chap. 1 Wired LAN s

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Network Security and Cryptography. December Sample Exam Marking Scheme

Tunnels. Jean Yves Le Boudec 2015

IP Security. Have a range of application specific security mechanisms

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

Networking interview questions

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Configuring L2TP over IPsec

Service Managed Gateway TM. How to Configure and Debug Generic Routing Encapsulation (GRE)

Network Security: IPsec. Tuomas Aura

Network Interconnection

IP Routing & Bridging

Networking Security SPRING 2018: GANG WANG

Virtual Private Networks (VPN)

Selected Network Security Technologies

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Operating Systems CS 571

Analysis of VPN Protocols

Hands-On TCP/IP Networking

Chapter 5: Network Layer Security

The Netwok Layer IPv4 and IPv6 Part 1

The Netwok Layer IPv4 and IPv6 Part 1

Implementing Cisco IP Routing

20-CS Cyber Defense Overview Fall, Network Basics

The Internet. 9.1 Introduction. The Internet is a global network that supports a variety of interpersonal and interactive multimedia applications.

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Computer Networks (Introduction to TCP/IP Protocols)

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

ECE 435 Network Engineering Lecture 23

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

IP Security. Cunsheng Ding HKUST, Kong Kong, China

Tunnels. Jean Yves Le Boudec 2014

Virtual Private Networks

SEN366 (SEN374) (Introduction to) Computer Networks

On the Internet, nobody knows you re a dog.

TABLE OF CONTENTS CHAPTER TITLE PAGE

AIT 682: Network and Systems Security

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Network Security. Rev 1.0.

The OSI Model. Open Systems Interconnection (OSI). Developed by the International Organization for Standardization (ISO).

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

COSC4377. Chapter 8 roadmap

CSC Network Security

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48

Transcription:

University of Parma Department of Information Engineering Corso di Network Security a.a. 2012/2013 Solutions of exercises on the second part of the course 1) Specify the name of the CHAP messages exchanged between a Client e and a Server Client Server CHAP challenge CHAP response CHAP success (or failure) 2) Let us consider a Wireless LAN with authentication and access control functionalities based on EAP/CHAP. Try to complete the following message exchange between: the client terminal (acting as EAP supplicant), the Access Point (acting as authenticator) and an AAA server acting as Back-end Authentication Server. Remember that EAP has 4 message types: EAP-Request, EAP-Response, EAP-Success, EAP-Failure. Client AP AAA EAP Request [Identity Request] EAP Response [Client ID] EAP Request [CHAP challenge] EAP Response [Client ID] EAP Request [CHAP challenge] EAP Request [CHAP resopnse] EAP Success EAP Request [CHAP resopnse] EAP Success 3) In the following HTTP Client-Server interaction, specify which messages should separately include the following two HTTP header fields: - WWW-Authenticate: Digest realm="biloxi.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f6" - Authorization: Digest username="bob", realm="biloxi.com", nonce=" dcd98b7102dd2f0e8b11d0f6", uri="/dir/index.html", qop=auth, response="6629fae49393a05397450978507c4ef1"

Client Server HTTP GET HTTP 401 "Unauthorized" WWW Authenticate HTTP GET WWW Authorization HTTP 200 "OK" 4) Let us consider the network scenario shown in figure, where two sub-networks are interconnected by means of a IPSec VPN established between the two access routers R1 and R2 connected to the external Internet. If the IPSec VPN uses both ESP and AH protocols (with AH protecting also the ESP data), and if the encapsulation combination mode (transport/tunnel) with minimum overhead is chosen, you are requested to: i) show the format of the packets in the external network, sent by to (indicate the sequence of all headers and payloads); ii) for each possible IP header, specify the source address (SA) and destination address (DA) (use the name of the node as node address). R1 R2 Rete 1 Internet Rete 2 encrypted new IP-H AH ESP-H IP-H data ESP-T SA=R1 DA=R2 SA= DA= 5) Let us consider the road-warrior scenario shown in figure, where a user terminal is interconnected through IPSec to the access router R1 of its remote company network. If ESP is used for protecting information between and R1, if further protects the communication with a remote terminal by means of ESP, and if the encapsulation combination mode (transport/tunnel) with minimum overhead is chosen, you are requested to: iii) show the format of the packets in the external network, sent by to (indicate the sequence of all headers and payloads); iv) for each possible IP header, specify the source address (SA) and destination address (DA) (use the name of the node as address). R1 Internet Rete aziendale

encrypted 2 encrypted 1 new IP-H ESP 2 -H IP-H ESP 1 -H data ESP 1 -T ESP 2 -T SA= DA=R1 SA= DA= 6) In the following IP over Ethernet network scheme, which nodes are able to eavesdrop all the traffic exchanged between and? Which nodes are able to launch a Man In The Middle (MITM) attack, based on their position, without the need of using ICMP or ARP spoofing? Hub1 Switch1 Hub2 Router1 H3 H4 H5 H6 List of nodes that are able to eavesdrop traffic between and (throgh network sniffing): H3, H5, R1 List of nodes that are able to launch a MITM attack: R1 7) Considering the following network scheme, specify a possible message flow for a an ARP spoofing attack (also referred to as ARP poisoning attack) launched by a node C (attacker) against a node A (victim), where B is the spoofed node. If ipa, maca, ipb, macb, ipc, macc are the IP and MAC addresses of the three nodes, specify the ARP tables of A and C after the attack. A B C switch ARP table A ipb macc (1) ARP request (who has ipb?) (1) (2) (4) (1) (3) ARP response (macb has ipb) (3) (2) ARP response (macc has ipb) (4) ARP response (macc has ipb) 8) Considering the following network scheme, specify a possible message flow for a an ICMP spoofing attack of type redirect, launched by a node C (attacker) trying to become Man In The Middle between nodes A (victim) and B. Particularly, consider the case in which A and B want to exchange the following 4 IP packets: pkt1:a B, pkt2:b A, pkt3:a B, pkt4:b A, and the attack starts when the first packet (pkt1) is sent.

A C Router B pkt1 ICMP redirect (dest B next hop C) pkt2 pkt1 pkt2 pkt3 pkt3 pkt4 pkt3 pkt4 9) Let us consider a network scenario in which a NAT node is used for interconnecting an internal network to an external network as in figure. Let us consider a node (ip_addr=a1) attached to the internal network, and nodes (ip_addr=a2) and H3 (ip_addr=a3) attached to the external network. Rete Interna NAT Rete Esterna H3 If sends to an UDP datagram (pkt1) addressed as: A1:p1 A2:p2, and if the NAT changes the packet into pkt1 addressed as A10:p10 A2:p2, Which of the following packets sent from and H3 to will reach, assuming that NAT works as restricted cone NAT? pkt2=a2:p2 A1:p1 pkt3=a2:p4 A1:p1 pkt4=a3:p3 A1:p1 pkt5=a2:p2 A10:p10 pkt6=a2:p4 A10:p10 pkt7=a3:p3 A10:p10 YES YES 10) Let us consider the following network scheme, where in the node 100.5.5.2 there is a HTTP web server (TCP port 80) and a SMTP mail server (TCP port 25); you are requested to configure the filtering table of the router R1 so that: i) it is possible to access to the internal server web (in the node 100.5.5.2) from external clients; ii) it is possible to access any external web server (limited to the server TCP port 80) from any internal client; iii) it is possible the communication, established by both sides, between the internal SMTP mail server and possible external i SMTP servers; that is: internal client external server (TCP port 25), and internal server (TCP port 25) external client. 100.5.5.2 PF-R1 100.5.5.0/24 eth0 ppp0 Internet

FORWARD Matching action in_int out_int s_addr d_addr Proto s_port d_port altro / DROP ppp0 eth0 * 100.5.5.2 TCP * 80 NEW eth0 ppp0 100.5.5.0/24 * TCP * 80 NEW ppp0 eth0 * 100.5.5.2 TCP * 25 NEW eth0 ppp0 100.5.5.2 * TCP * 25 NEW Or by applying anti-spoofing rules separately (the first row in the next table): ppp0 eth0 100.5.5.0/24 * * * * * DROP * * * 100.5.5.2 TCP * 80 NEW * * 100.5.5.0/24 * TCP * 80 NEW * * * 100.5.5.2 TCP * 25 NEW * * 100.5.5.2 * TCP * 25 NEW Or without using matching rules based on the connection-state (for example in case of stateless packet-filter): ppp0 eth0 * 100.5.5.2 TCP * 80 * eth0 ppp0 100.5.5.2 * TCP 80 * {SYN=1,ACK=0,FIN= eth0 ppp0 100.5.5.0/24 * TCP * 80 * ppp0 eth0 * 100.5.5.0/24 TCP 80 * {SYN=1,ACK=0,FIN= ppp0 eth0 * 100.5.5.2 TCP * 25 * eth0 ppp0 100.5.5.2 * TCP 25 * {SYN=1,ACK=0,FIN= eth0 ppp0 100.5.5.2 * TCP * 25 * ppp0 eth0 * 100.5.5.2 TCP 25 * {SYN=1,ACK=0,FIN= 11) Let us consider the following company network formed by an internal network and a DMZ separated by a screening router R1, and connected to the external public network (Internet) through the screening router R2, as shown in figure. You are requested to configure the filtering table of R2 so that: a) it is possible to establish application level client-server communications (through any transport protocol) from any DMZ node toany external node; b) it is blocked any attempt to establish a client/server communication from the external network to the DMZ; c) it is blocked any communication between the internal and the external networks; d) it is possible to establish TCP connections from the external network to the node 200.0.0.5 TCP port 80 (HTTP). PF-R1 200.0.0.5 PF-R2 200.0.1.0/24 eth1 eth0 200.0.0.0/24 eth1 eth0 Internet

FORWARD Matching action in_int out_int s_addr d_addr Proto s_port d_port altro / DROP eth1 eth0 200.0.0.0/24 * * * * NEW eth0 eth1 * 200.0.0.5 TCP * 80 NEW 12) Let us consider the network of the previous exercise. You are requested to configure the filtering table of R2 so that: e) it is possible to establish application level client-server communications (through any transport protocol) from any node of the internal network (network address 200.0.1.0/24) to the DMZ; f) it is blocked any attempt to establish a client/server communication from the DMZ to the internal network; g) it is blocked any communication between the internal and external network. FORWARD Matching action in_int out_int s_addr d_addr Proto s_port d_port altro / DROP eth1 eth0 200.0.1.0/24 200.0.0.0/24 * * * NEW 13) Let us consider an anonymizing network formed by high-latency anonymizing Mix nodes. Le us consider the case in which a node A wants to send a message m to a node B by means of three intermediate Mix nodes X, Y, and Z. Assume that K i and K - i are respectively the public and private keys of node i (i=x,y,z). Indicate the format of the message composed by A and sent to the first node X. Data sent by A to the first node X: E K x ( ID Y, E K y (ID Z, E K z (ID B, m) ) ) where IDi is the identify or address of a node that can be used as recipient for sending some data to that node. Note: node X will receive such data, decrypt it with K - x and relay the following content data to Y: E K y (ID Z, E K z (ID B, M) ) node Y will receive such data, decrypt it with K - y and relay the following content data to Z: E K z (ID B, M) node Z will receive such data, decrypt it with K - z and relay the message m to B.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback