Advanced Network Security Assessment

Question 1

This assignment question requires that you analyse a packet capture dump file (http_gzip.pcap) and provide comments explaining each packet. This pcap file contains only ten packets.  Your task is to annotate each packet commenting on the following characteristics.

· Comment on any significant TCP flags and what they mean in the context of the packet capture. Significant flags include SYN, FIN, RST, and URG.  You must explain why the flag has been set and what it means for this TCP connection.  
· Comment on the direction of each packet (ie. client -> server or server -> client).  Be clear to explain in which direction the interaction is occurring.
· Comment on each command and response between the client and the server. You must explain what each command does.  You should also explain the data that is exchanged.  This will require that you study Internet documents relating to TCP to understand what the commands mean.  

You should also comment on the 2 port numbers used in this connection and their significance.  For example, is it an ephemeral or reserved port?  If it is a reserved port, what protocol does it relate to?

On the following page is an example of the template to use to complete this question.  It provides a brief summary of each packet and has been formatted to include an “explanation” field underneath each packet. You are to write your comments in this “explanation” field addressing the packet immediately above, based on your analysis of the packet using Wireshark. Be specific and detailed.  Any vague or limited responses will not attract any marks.  Note, that the table is only a summary of the information provided in the pcap file. Be sure to comment in relation to information provided in the pcap file using Wireshark, not just the summary table.


For examples of how to complete the table, be sure to have completed all 3 parts of the Packet Capture Exercises. They are available from the Lectures and Tutorials page of the course website. Your solution must of course be in your own words. Do not copy directly from any examples or you will get zero marks.
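The annotation the table asks for (flags, direction, port class) can be produced mechanically from the TCP header. The following is an added example, not part of the assignment or its pcap file; it builds sample headers inline and assumes the captured service listens on port 80 with the client on an ephemeral port.

```python
import struct

# Added example, not from the assignment or its pcap: decode a TCP header and
# annotate it the way the packet table asks for. Assumes the captured service
# listens on port 80 (HTTP) and that the client uses an ephemeral port.
SERVER_PORT = 80
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def build_tcp(sport, dport, seq, ack, flags):
    """Construct a 20-byte TCP header (constructed sample; checksum left zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

def port_class(port):
    if port < 1024:  return "well-known/reserved"
    if port < 49152: return "registered"
    return "ephemeral"

def annotate(hdr):
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", hdr[:14])
    flags = [n for n, bit in FLAG_BITS.items() if off_flags & bit]
    fl = set(flags)
    notes = []
    if fl == {"SYN"}:
        notes.append("client requests a connection (handshake step 1)")
    elif fl == {"SYN", "ACK"}:
        notes.append("server accepts and acknowledges the SYN (handshake step 2)")
    if "FIN" in fl:
        notes.append("sender has finished sending; graceful close begins")
    if "RST" in fl:
        notes.append("connection aborted or no service listening on that port")
    if "URG" in fl:
        notes.append("urgent pointer valid; rarely seen in HTTP traffic")
    return {"direction": "client -> server" if dport == SERVER_PORT else "server -> client",
            "flags": flags, "seq": seq, "ack": ack,
            "ports": f"{sport} ({port_class(sport)}) -> {dport} ({port_class(dport)})",
            "notes": notes}

if __name__ == "__main__":
    syn = build_tcp(49152, 80, 1000, 0, FLAG_BITS["SYN"])
    synack = build_tcp(80, 49152, 5000, 1001, FLAG_BITS["SYN"] | FLAG_BITS["ACK"])
    for pkt in (syn, synack):
        print(annotate(pkt))
```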



Question 2:


A small company is connected to the Internet via a router with firewall and proxy services installed (139.77.5.210).

There are three servers located in a DMZ (138.77.5.0/25).

The web server (138.77.5.89) can directly accept requests (HTTP or HTTPS) from the Internet or from the internal network (192.168.1.0/25).

The DNS server (138.77.5.6) can directly accept requests from the Internet. The DNS server can also directly accept requests from the internal network (192.168.1.0/25). However, if the DNS server cannot resolve a domain name requested by the internal network (192.168.1.0/25), it will contact the DNS servers on the Internet directly for the name resolution.

On behalf of the users on the internal network (192.168.1.0/25), the email server (138.77.5.110) sends emails to and receives emails from the Internet. The users on the internal network (192.168.1.0/25) use IMAP (Internet Message Access Protocol) to read and organise their emails on the email server.

The users on the internal network (192.168.1.0/25) are allowed to access the Internet only for HTTP, HTTPS and FTP services. However, the users of the internal network are never allowed to connect to the Internet directly.

There are 8 client computers and a Database server on the internal network.

Based on the above advanced network configuration and application scenarios, answer the following three questions.

A.      Draw a network diagram of this network including IP addresses.


B.      The firewall services are installed on the router. Create the firewall rules to implement the packet filtering and only allow the specified traffic. The firewall rules are to be created in the following format.

C.      Briefly explain each rule in the rule base that you have created.
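A rule base of this kind is easiest to check by encoding it and evaluating candidate flows against it. The following is an added example, not a model answer from the course: a first-match packet filter for the scenario that assumes a stateful firewall (replies to permitted flows are implicit), a proxy listening on router port 3128, IMAP on ports 143/993, and leaves FTP data channels out of scope.

```python
import ipaddress as ipa

# Added example (not from the assignment): a first-match packet filter for the
# scenario. Assumes a stateful firewall (replies to allowed flows are implicit),
# a proxy listening on router port 3128, and IMAP on 143/993; FTP data channels
# are out of scope here.
INTERNAL = ipa.ip_network("192.168.1.0/25")
DMZ      = ipa.ip_network("138.77.5.0/25")
ROUTER   = ipa.ip_address("139.77.5.210")   # router address as given in the scenario
WEB, DNS, MAIL = "138.77.5.89", "138.77.5.6", "138.77.5.110"

def zone(addr):
    a = ipa.ip_address(addr)
    if a in INTERNAL: return "internal"
    if a in DMZ: return str(a)          # DMZ servers are matched by exact address
    if a == ROUTER: return "router"
    return "internet"

# (src zone, dst zone, proto, dst ports, action); first match wins, default deny.
RULES = [
    ("internet", WEB,  "tcp", {80, 443},  "allow"),   # public web access
    ("internal", WEB,  "tcp", {80, 443},  "allow"),
    ("internet", DNS,  "udp", {53},       "allow"),   # public DNS queries
    ("internal", DNS,  "udp", {53},       "allow"),
    (DNS, "internet",  "udp", {53},       "allow"),   # recursion for internal lookups
    ("internet", MAIL, "tcp", {25},       "allow"),   # inbound SMTP
    (MAIL, "internet", "tcp", {25},       "allow"),   # outbound SMTP
    ("internal", MAIL, "tcp", {143, 993}, "allow"),   # IMAP from the LAN only
    ("internal", "router", "tcp", {3128}, "allow"),   # LAN reaches the HTTP/HTTPS/FTP proxy
    ("router", "internet", "tcp", {80, 443, 21}, "allow"),  # proxy goes out on the LAN's behalf
]

def decide(src, dst, proto, dport):
    """Return 'allow' or 'deny' for a new flow described by its 4-tuple."""
    s, d = zone(src), zone(dst)
    for rule_src, rule_dst, rule_proto, ports, action in RULES:
        if s == rule_src and d == rule_dst and proto == rule_proto and dport in ports:
            return action
    return "deny"   # anything not explicitly permitted, e.g. LAN -> Internet directly

if __name__ == "__main__":
    for flow in [("203.0.113.9", WEB, "tcp", 443),           # Internet -> web server
                 ("192.168.1.20", "203.0.113.9", "tcp", 80),  # LAN host bypassing the proxy
                 ("203.0.113.9", MAIL, "tcp", 143)]:         # IMAP from the Internet
        print(flow, "->", decide(*flow))
```

The deny on the second sample flow is what enforces "never allowed to connect to the Internet directly"; it comes from the default rather than an explicit rule, which is worth stating when you explain the rule base.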


D.      The proxy services are also installed on the router to conceal the users of the internal network (192.168.1.0/25) from the Internet. Suppose that users on the internal computers send the following requests to the Internet. The proxy services perform the Port Address Translation (PAT). Complete the following connection table to show how PAT is working for requests from the users on the internal network.
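The connection table is the state a PAT device keeps for each outbound flow. The following is an added example, not part of the assignment, showing how one public address (the router's 139.77.5.210 from the scenario) fronts several LAN hosts; it assumes a translated-port pool starting at 40000, which is a constructed value.

```python
from itertools import count

# Added example, not from the assignment: how the router's PAT keeps one public
# address (139.77.5.210, from the scenario) in front of many LAN hosts. Each new
# outbound flow gets the next free translated port from an assumed pool at 40000+.
ROUTER_IP = "139.77.5.210"

class PAT:
    def __init__(self, first_port=40000):
        self._next = count(first_port)
        self.table = {}    # (inside ip, inside port, dst ip, dst port) -> translated port
        self.reverse = {}  # (translated port, dst ip, dst port) -> (inside ip, inside port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN packet leaving: rewrite source to router ip + translated port."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:            # existing flow reuses its mapping
            tp = next(self._next)
            self.table[key] = tp
            self.reverse[(tp, dst_ip, dst_port)] = (src_ip, src_port)
        return (ROUTER_IP, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Reply arriving at the router: map the translated port back to the LAN host.
        Returns None when no flow matches, i.e. the packet is unsolicited and dropped."""
        return self.reverse.get((dst_port, src_ip, src_port))

    def connection_table(self):
        """Rows in the shape of the assignment's table: inside, translated, outside."""
        return [((ip, sp), (ROUTER_IP, tp), (dip, dp))
                for (ip, sp, dip, dp), tp in self.table.items()]

if __name__ == "__main__":
    pat = PAT()
    # Two LAN hosts happen to pick the same source port for the same web server.
    pat.outbound("192.168.1.10", 50000, "203.0.113.9", 80)
    pat.outbound("192.168.1.11", 50000, "203.0.113.9", 80)
    for row in pat.connection_table():
        print(row)
```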

Question 3: 


Although the course textbook and other resources discuss several specific network attack vulnerabilities, it is not feasible to cover all of them. New vulnerabilities are being discovered all of the time, and there are hundreds of currently known vulnerabilities. Professional network administrators have to keep themselves current with all possible threat possibilities. One way of doing this is by performing personal research. In this case study, you should use the Internet to assist you in developing responses to the three questions.  Use of the course textbook and supplied resources only is not sufficient to award full marks. You should use your research skills and go beyond these resources.


You are required to answer the following questions.  
a)      You are to research a recent ransom-type attack carried out via the Internet. What type of attack was performed by the hackers?  You need to fully justify your answer, not just state the type of attack.

b)      Describe how the attack may have occurred with sufficient information to explain how a hacker could carry out the attack. Ensure you include references.

c)      How could the network administrator prevent such attacks?  You don’t need to provide the actual code – just describe what measures they would have to implement to ensure that occurrence of an attack could be minimised.

