
COM00045H

BSc, BEng and MEng Degree Examinations 2022–23

DEPARTMENT OF COMPUTER SCIENCE

Information & Network Security (NETS-H)

Paper 2 (NETS2)

Question 1: Network Analysis (40 Marks)

Background

The system shown in Figure 1 belongs to a company known as DevCo. It provides a public Internet-facing website hosted on the machine ‘Web Server’. The website content is developed and managed on the ‘Website Development & Management Machine’. The purpose of the website is to advertise a small software development business, which is carried out in-house on the software ‘Development’ machine. The other computers in this system (W7 and the wireless notebooks) are used for office functions. The file server and printer provide shared services across the system, and the wireless network is WEP encrypted.

The switch which hosts the Web Server and the associated management machine is provided with a spanning port which outputs all switch traffic to a dedicated packet monitor.

Maintaining the integrity and confidentiality of business data within the Development machine is critical to the business. Temporary non-availability of the webserver is not regarded as a problem, but corruption of the website may harm the reputation of the company, whose business is software-related.

At approximately 15:45 on 20 November, the user of the Development machine (192.168.0.27) was alerted by the host firewall with a generic alert which might suggest an abnormally high packet rate.


A packet capture at the network interface of the Development machine was saved in the file:

A-01-packet_capture_Dev.pcap

Another packet trace from the DMZ monitor was also secured, and was saved in the file:

A-02-packet_capture_DMZ.pcap

Both files can be downloaded from the module VLE.

Question

You have been asked to carry out a technical investigation of the attack. One approach would be first to analyse A-01-packet_capture_Dev.pcap for any evidence relating to the incident and to develop a set of key questions to guide the subsequent examination, then to analyse A-02-packet_capture_DMZ.pcap to supplement the results and to resolve the questions developed during the initial analysis. However, you are free to choose any other approach that you see fit.

Please answer the following questions by providing technical analysis intended for experts. Your answer for each question MUST be supported by evidence:

(a)  [7 Marks] From which host did the attack originate?

(b)  [7 Marks] Does the pattern of access suggest scanning or denial of service?

(c)  [7 Marks] Which parts of the network traffic are related to the attack?

(d)  [7 Marks] What did the attacker discover about the system?

(e)  [7 Marks] How did the attacker enter the system?

(f)  [5 Marks] What is the algorithm used by the attacker? Is it published in the literature?

Page Limit

You can use up to 6 sides of A4 in total for this question. This limit does include any visual aids, e.g. tables, figures.


Specific Guidance

Your answers may be in the form of expanded notes, provided your documentation is sufficiently detailed for another analyst to understand and repeat your work.

You do not need to analyse network behaviours or features that are not associated with the attack.

Good marks will be given to succinct and properly supported analytic conclusions; assertions without clear justification will not be regarded as adequate. In other words, you must find specific evidence to support your theory about the incident.
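The distinction parts (b) and (d) ask for, scanning versus denial of service and what the attacker learned, rests on a handful of per-source counters (distinct destination ports and hosts, packet rate, and which probes were answered with SYN-ACK rather than RST). The script below is an added example, not part of the paper, and runs on a constructed packet list rather than either pcap; the attacker address 192.168.0.99, the open ports 22 and 80 and the thresholds are invented and say nothing about the real captures. The same counters can be pulled from a real file with `tshark -T fields` and fed to `summarise`.

```python
"""Added example (not from the paper): classify one source's behaviour as a
port scan, host sweep or flood from per-packet summaries, and list which
ports answered with SYN-ACK.  The capture below is constructed; the attacker
address 192.168.0.99 and the open ports are invented."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float     # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags as a string: "S", "SA", "R", "A", ...


def summarise(pkts, src):
    """Per-source counters an analyst would pull from a capture."""
    sent = [p for p in pkts if p.src == src]
    if not sent:
        return None
    span = max(p.ts for p in sent) - min(p.ts for p in sent)
    return {
        "packets": len(sent),
        "hosts": len({p.dst for p in sent}),
        "ports": len({(p.dst, p.dport) for p in sent}),
        "syns": sum(1 for p in sent if p.flags == "S"),
        "rate": len(sent) / span if span > 0 else float(len(sent)),  # pkt/s
        "synacks": sum(1 for p in pkts if p.dst == src and p.flags == "SA"),
        "rsts": sum(1 for p in pkts if p.dst == src and p.flags == "R"),
    }


def classify(s, flood_rate=500.0, scan_ports=20, sweep_hosts=5):
    """Thresholds are illustrative; tune them to the link and host in question.
    A flood is many packets per second at few ports; a scan is many distinct
    ports (or hosts) at a modest rate, mostly answered by RST."""
    if s["rate"] >= flood_rate and s["ports"] <= 3:
        return "flood"
    if s["hosts"] >= sweep_hosts:
        return "host_sweep"
    if s["ports"] >= scan_ports:
        return "port_scan"
    return "normal"


def open_ports(pkts, src):
    """Ports on which the target replied SYN-ACK to `src`: what the scanner learned."""
    return sorted({p.sport for p in pkts if p.dst == src and p.flags == "SA"})


def constructed_scan(attacker="192.168.0.99", target="192.168.0.27"):
    """Constructed: SYN to ports 1-100, SYN-ACK from 22 and 80, RST from the rest."""
    pkts, t = [], 0.0
    for i, port in enumerate(range(1, 101)):
        pkts.append(Pkt(t, attacker, 40000 + i, target, port, "S"))
        t += 0.010
        reply = "SA" if port in (22, 80) else "R"
        pkts.append(Pkt(t, target, port, attacker, 40000 + i, reply))
        t += 0.001
    return pkts


def constructed_flood(attacker="192.168.0.99", target="192.168.0.27"):
    """Constructed: 2000 SYNs to port 80 in about one second, no replies kept."""
    return [Pkt(i * 0.0005, attacker, 50000 + (i % 1000), target, 80, "S")
            for i in range(2000)]


if __name__ == "__main__":
    for name, cap in (("scan", constructed_scan()), ("flood", constructed_flood())):
        s = summarise(cap, "192.168.0.99")
        print(name, classify(s), s, open_ports(cap, "192.168.0.99"))
```

The SYN-ACK list is the evidence for part (d): it is what the target told the scanner, independent of what the scanner tried. The RST count versus SYN count is the quickest way to tell a scan (almost everything refused) from a flood (replies irrelevant, rate is the point).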

Question 2: Network Attack Mechanisms (30 Marks)

Background

You are the IT security director of a large insurance company. As a standard practice, your IT systems security practices are audited annually by an external consultancy company, aiming to detect any vulnerabilities. As part of their latest report, the consultants have provided you with a suspicious network traffic capture (B-01-packet_capture_insurance.pcap), which they claim is related to either a DNS poisoning attack or to a DNS amplification DDoS attack. They report that they were not able to find conclusive evidence regarding which of the two attacks actually took place, so they recommended that you be alert and vigilant for further developments.

The network traffic capture was obtained from the subnetwork where your insurance claim analysis team works. In that subnetwork, analysts use PCs with read-only access to the corporate database where all insurance claims are stored, and full access to the claim analysis subsystem which stores the reports produced by the analysts about the insurance claims they are assigned to. PCs in the subnet are assigned IP addresses from the range 192.168.43.0/25 (mask: 255.255.255.128), with broadcast address 192.168.43.127 and gateway 192.168.43.1. The subnetwork also has access to the web, which is widely used by analysts when investigating claims. DNS service is provided by the company-wide DNS server (IP address 144.32.128.242).

Question

Select only one of the options below, and justify your position by referring to the evidence provided in the network traffic capture and to your own research (max 600 words):

(a) You agree with the consultancy company that there is evidence of a DNS poisoning attack or a DNS amplification DDoS attack, but there is no conclusive evidence about which of those attacks actually took place.

(b) You disagree with the consultancy company, as the network traffic capture includes evidence that a DNS poisoning attack took place.

(c) You disagree with the consultancy company, as the network traffic capture includes evidence that computers in your organisation were part of a DNS amplification DDoS attack.

(d) You disagree with the consultancy company, as the network traffic capture does not include evidence of DNS poisoning or DNS amplification, but it includes evidence of a different attack.

(e) You disagree with the consultancy company, as the network traffic capture does not include evidence of DNS poisoning, DNS amplification, or any other attack.
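The two attacks the consultants name leave different fingerprints in a subnet-side capture. Cache poisoning shows up as replies a client never asked for, replies from something other than the corporate resolver, or two replies to one transaction ID that disagree (the forged one racing the genuine one). Amplification shows up as queries leaving the subnet whose source address is not in 192.168.43.0/25 (spoofed to the victim), typically type ANY, with responses many times larger than the queries. The script below is an added example, not part of the paper, and runs on a constructed record list rather than B-01-packet_capture_insurance.pcap; only the subnet and resolver address come from the question, every other address, name and size is invented.

```python
"""Added example (not from the paper): two heuristics for the Q2 capture,
run on a constructed list of DNS packet summaries.  The subnet and corporate
resolver come from the question; every other address, name and size is invented."""
import ipaddress
from dataclasses import dataclass

SUBNET = ipaddress.ip_network("192.168.43.0/25")    # from the question
CORP_DNS = ipaddress.ip_address("144.32.128.242")   # from the question


@dataclass(frozen=True)
class Dns:
    ts: float
    src: str
    dst: str
    is_response: bool
    txid: int
    qname: str
    qtype: str
    size: int            # UDP payload length in bytes
    answers: tuple = ()  # RDATA strings, responses only


def poisoning_indicators(recs):
    """Cache-poisoning signs: a reply the client never asked for, a reply from
    something other than the corporate resolver, or two replies to one query
    that disagree (the forged one racing the genuine one)."""
    findings, queries, first_answers = [], {}, {}
    for r in sorted(recs, key=lambda x: x.ts):
        if not r.is_response:
            queries[(r.src, r.txid, r.qname)] = r
            continue
        key = (r.dst, r.txid, r.qname)
        client, server = ipaddress.ip_address(r.dst), ipaddress.ip_address(r.src)
        if key not in queries:
            findings.append(("unsolicited_response", r))
        elif client in SUBNET and server != CORP_DNS:
            findings.append(("response_from_unexpected_server", r))
        elif key in first_answers and first_answers[key] != r.answers:
            findings.append(("conflicting_answers", r))
        else:
            first_answers.setdefault(key, r.answers)
    return findings


def amplification_indicators(recs, min_ratio=10.0):
    """Reflection signs: queries leaving this subnet with a source address that
    is not ours (spoofed to the victim), and the response/query size ratio of
    any pairs in view.  Returns (spoofed_queries, ratios_at_or_above_min)."""
    spoofed = [r for r in recs if not r.is_response
               and ipaddress.ip_address(r.src) not in SUBNET]
    queries = {(r.src, r.dst, r.txid, r.qname): r for r in recs if not r.is_response}
    ratios = []
    for r in recs:
        if r.is_response:
            q = queries.get((r.dst, r.src, r.txid, r.qname))
            if q and q.size > 0:
                ratios.append(r.size / q.size)
    return spoofed, [x for x in ratios if x >= min_ratio]


def constructed_capture():
    c, d = "192.168.43.17", str(CORP_DNS)
    return [
        # genuine lookup, but a forged reply (spoofed as the resolver) lands first
        Dns(0.000, c, d, False, 0x1A2B, "claims.example", "A", 48),
        Dns(0.015, d, c, True, 0x1A2B, "claims.example", "A", 64, ("203.0.113.9",)),
        Dns(0.020, d, c, True, 0x1A2B, "claims.example", "A", 64, ("10.10.0.5",)),
        # reply to a question nobody asked, from a peer on the subnet
        Dns(0.500, "192.168.43.90", c, True, 0x7777, "bank.example", "A", 64, ("203.0.113.9",)),
        # burst of ANY queries with a non-local source: classic reflection traffic
        Dns(1.000, "203.0.113.5", "198.51.100.53", False, 1, "example.com", "ANY", 60),
        Dns(1.001, "203.0.113.5", "198.51.100.53", False, 2, "example.com", "ANY", 60),
        Dns(1.002, "203.0.113.5", "198.51.100.53", False, 3, "example.com", "ANY", 60),
        # the resolver's reply goes to the spoofed victim, not to us; included
        # only so the size ratio (3000/60 = 50x) is visible in one place
        Dns(1.050, "198.51.100.53", "203.0.113.5", True, 1, "example.com", "ANY", 3000, ("...",)),
    ]


if __name__ == "__main__":
    cap = constructed_capture()
    for kind, r in poisoning_indicators(cap):
        print(kind, r.ts, r.src, "->", r.dst, r.qname, r.answers)
    spoofed, ratios = amplification_indicators(cap)
    print(len(spoofed), "spoofed-source queries; amplification ratios:", ratios)
```

Whichever option is chosen, the answer should name which of these indicators are present or absent in the real capture (transaction IDs, source addresses, query types and sizes), since "no spoofed-source queries and no conflicting replies" is itself evidence for option (d) or (e).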

Question 3: Network Perimeter Design (30 Marks)

Background

Your organisation has 70 user workstations and an Internet-facing webserver. The webserver is interfaced to the Internet via a router. The workstations are separated from the webserver by a firewall. At present, users are able to access webservers on the Internet. The general arrangement is shown in Figure 2.

You need to provide an email service between email clients on the internal workstations and other users on the Internet via SMTP (not webmail).

Questions

You are required to answer the following questions, and provide a clear explanation that justifies your answers:

(i)  [15 Marks] Describe how you would provide the SMTP email service, including any additional network components that may be required, the protocols used and their function.

(ii)  [15 Marks] Specify exactly the firewall rules (of each firewall) that would be specific to this new email service.

Page Limit

You can use up to 2 sides of A4 in total for this question. Unlike in Q1, this limit does not include any visual aids, e.g. tables, figures.

Specific Guidance

You are expected to propose a design which reflects good security practice, and justify why this is the case.

Your firewall rules may use the convention used in lectures to describe such rules, or any other specific notation provided that your notation is clearly explained and includes all necessary rule elements for this problem.

You might need to research about SMTP and how it is used.
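One defensible shape for this service is a mail relay (the published MX host) in the DMZ beside the webserver, with an internal mailbox server behind the inner firewall; the relay is the only host that exchanges SMTP on port 25 with the Internet, and workstations submit mail to the internal server rather than to the Internet directly. The script below is an added example, not part of the paper and not the lecture notation: it writes that design as first-match rules for the two filters and includes a small evaluator so the claimed behaviour can be checked. The topology (Internet, outer filter, DMZ, inner firewall, LAN) and every address are assumptions, not Figure 2.

```python
"""Added example (not from the paper): one defensible Q3 design, a mail relay
in the DMZ in front of an internal mailbox server, written as first-match
firewall rules with a small evaluator so the claims can be checked.  The
topology (Internet - outer filter - DMZ - inner firewall - LAN) and every
address are assumptions, not Figure 2."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.0.0.0/24")           # constructed: the 70 workstations
DMZ = ipaddress.ip_network("192.0.2.0/28")          # constructed: webserver and relay
MAIL_RELAY = ipaddress.ip_network("192.0.2.5/32")   # constructed: MX host in the DMZ
MAIL_SERVER = ipaddress.ip_network("10.0.0.10/32")  # constructed: mailbox server, LAN


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None matches any destination port
    why: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Outer filter (router <-> DMZ).  Only the relay exchanges SMTP with the Internet,
# and it needs DNS to look up recipients' MX records.
OUTER = [
    Rule("allow", "tcp", ANY, MAIL_RELAY, 25, "inbound mail to the MX relay"),
    Rule("allow", "tcp", MAIL_RELAY, ANY, 25, "relay delivers outbound mail"),
    Rule("allow", "udp", MAIL_RELAY, ANY, 53, "relay resolves MX records"),
]
# Inner firewall (DMZ <-> LAN).  Mail crosses it only between relay and mailbox
# server; workstations are never allowed to speak SMTP outward themselves.
INNER = [
    Rule("allow", "tcp", MAIL_RELAY, MAIL_SERVER, 25, "relay hands inbound mail to the mailbox server"),
    Rule("allow", "tcp", MAIL_SERVER, MAIL_RELAY, 25, "mailbox server hands outbound mail to the relay"),
    Rule("deny", "tcp", LAN, ANY, 25, "no direct SMTP from workstations (spam bots, data exfiltration)"),
]


def evaluate(ruleset, pkt):
    """First match wins; anything unmatched hits the implicit default deny.
    A stateful filter is assumed, so rules describe the first packet of a flow."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in ruleset:
        if r.proto in ("any", pkt.proto) and s in r.src and d in r.dst \
                and (r.dport is None or r.dport == pkt.dport):
            return r.action, r.why
    return "deny", "default deny"


def zone(ip):
    a = ipaddress.ip_address(ip)
    return "lan" if a in LAN else "dmz" if a in DMZ else "internet"


def decide(pkt):
    """Apply every firewall the flow crosses, in path order; all must allow it."""
    zones = {zone(pkt.src), zone(pkt.dst)}
    if len(zones) == 1:
        return "allow", "same segment, no firewall crossed"
    path = [INNER, OUTER] if zone(pkt.src) == "lan" else [OUTER, INNER]
    crossed = [rs for rs in path
               if (rs is INNER and "lan" in zones) or (rs is OUTER and "internet" in zones)]
    for ruleset in crossed:
        action, why = evaluate(ruleset, pkt)
        if action == "deny":
            return action, why
    return "allow", "permitted by every firewall on the path"


if __name__ == "__main__":
    for p in (Packet("tcp", "203.0.113.7", "192.0.2.5", 25),    # Internet -> relay
              Packet("tcp", "203.0.113.7", "10.0.0.10", 25),    # Internet -> mailbox server
              Packet("tcp", "10.0.0.21", "198.51.100.20", 25),  # workstation -> Internet
              Packet("tcp", "10.0.0.10", "192.0.2.5", 25)):     # mailbox server -> relay
        print(p.src, "->", p.dst, p.dport, decide(p))
```

Client-side protocols (submission on 587 with SMTP AUTH and STARTTLS, and IMAP or POP for retrieval) stay entirely inside the LAN in this design, so they appear in neither rule set and are enforced on the mailbox server itself; had the mailbox server been placed in the DMZ instead, the inner firewall would need LAN-to-server rules for those ports as well.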