COIT20262 Assignment 2 Questions Term 2, 2019
Advanced Network Security Page 1 of 10
COIT20262 - Advanced Network Security, Term 2, 2019
Assignment 2 Questions
Due date: 10am Monday 14 October 2019
Assessment: 2
Weighting: 45%
Length: N/A

Instructions
Attempt all questions.
This is an individual assignment, and it is expected students answer the questions themselves.
Discussion of approaches to solving questions is allowed (and encouraged), however each
student should develop and write-up their own answers. See CQUniversity resources on
Referencing and Plagiarism. Guidelines for this assignment include:
• Do not exchange files (reports, captures, diagrams) with other students.
• Complete tasks with virtnet yourself – do not use results from another student.
• Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks)
or from other students.
• Write your own explanations. In some cases, students may arrive at the same numerical
answer, however their explanation of the answer should always be their own.
• Do not copy text from websites or textbooks. During research you should read and
understand what others have written, and then write in your own words.
• Perform the tasks using the correct values listed in the question and using the correct
file names.

File Names and Parameters
Where you see [StudentID] in the text, replace it with your actual student ID. If your student
ID contains a letter (e.g. “s1234567”), make sure the letter is in lowercase.
Where you see [FirstName] in the text, replace it with your actual first name. If you do not
have a first name, then use your last name. Do NOT include any spaces or other non-
alphabetical characters (e.g. “-“).
Submission
Submit two files on Moodle only:
1. The report, based on the answer template, called [StudentID]-report.docx.
2. A ZIP file, called [StudentID]-files.zip, containing all other files. Do not
include your report in this ZIP file, and do not include any directories. Only include
those files named in the questions. Do not use rar, 7z, tgz or other formats – only ZIP.
https://www.cqu.edu.au/student-life/services-and-facilities/referencing
Marking Scheme
A separate spreadsheet lists the detailed marking criteria.
Discuss, Explain, Design Style Questions
A number of questions in this assignment require short, specific answers. These will normally
be marked on correctness. That is, if the answer given is correct, then full marks, otherwise 0
marks. In some cases, partial marks may be given.
Other questions require more elaborate answers. They typically include words such as discuss,
explain, design, compare or propose. For such questions, to achieve full marks your answer
should not only be co
ect, but also clear and detailed. While your answers don’t necessarily
have to be long (many paragraphs), the level of detail should be similar to that covered in
lectures. Some hints on writing your answers to these style of questions include:
• Use terminology that has been used throughout the lectures. Using non-standard
terminology, or terminology that significantly differs from that in this topic, is an
example of unclear writing.
• Be specific, referring to files, algorithms, keys or other relevant data elements.
• When relevant, use examples to assist your explanation (although don’t use just
examples; give a general explanation as well).
• Including wrong or irrelevant information in your answer will result in low marks. An
answer with multiple wrong/irrelevant statements as well as a correct statement, may
receive 0 marks.
• Don’t rely heavily on images (unless they are asked for). If you do include images, then
draw them yourself – don’t take images from the Internet, textbook or lecture notes.
Virtnet
Questions 1 and 2 require you to use virtnet topology 5. The questions are related, so you must
use the same nodes for all three questions.
• node1: client; assumed to be external from the perspective of the firewall.
• node2: router; gateway between the internal network and external network. Also runs
the firewall.
• node3: server; assumed to be internal from the perspective of the firewall. Runs a web
server with HTTPS and a SSH server for external users (e.g. on node1) to login to. Will
contain accounts for multiple users.
Question 1. HTTPS and Certificates
For this question you must use virtnet to study HTTPS and certificates. This assumes you
have already setup and are familiar with virtnet. See Moodle and tutorial instructions for
information on setting up and using virtnet, deploying the website, and testing the website.
Your task is to setup a web server that supports HTTPS. The tasks and sub-questions are
grouped into multiple phases.
Phase 1: Setup Topology
1. Create topology 5 in virtnet.
2. Deploy the MyUni demo website, with node3 being the real web server.
3. Change the domain name from www.myuni.edu to www.[StudentID].edu by editing
the /etc/hosts file on node1.
Phase 2: Certificate Signing Request
You will need to use the files made available to you for download from Assignment 1.
1. Using [StudentID]-keypair.pem you must create a Certificate Signing Request
called [StudentID]-csr.pem. The CSR must contain these field values:
• State: state of your campus
• Locality: city of your campus
• Organisation Name: your full name
• Common Name: www.[StudentID].edu
• Email address: your @cqumail address
• Other field values must be selected appropriately.
Phase 3: Certificate from CA
Send your Certificate Signing Request file to your Certificate Authority. The method of
contacting your CA will be published on Moodle. You will be issued with a certificate called
[StudentID]-cert.pem from CA (or in the case of an error, a response indicating the CSR is
not valid).
Note that there may be a delay of up to 24 hours during weekdays (and 48 hours over the
weekend) for the CA to respond to your CSR. Further details of the process can be found on
Moodle.
Phase 3: HTTPS Configuration
1. Configure Apache web server on node3 to use HTTPS. Remember the domain name
must be www.[StudentID].edu where [StudentID] is replaced with your actual student
ID.
2. Load the CA certificate into the client on node1. The CA certificate can be downloaded
from Moodle.
Phase 4: Testing
1. Start capturing on node2 using tcpdump.
2. On node1, use lynx to visit https://www.[StudentID].edu/grades/ and login to view
some grades.
3. Exit lynx.
4. Stop capturing and save the file as [StudentID]-https.pcap.
Phase 5: Analysis
(a) Add the CSR [StudentID]-csr.pem to [StudentID]-files.zip.
(b) Add the issued certificate [StudentID]-cert.pem to [StudentID]-files.zip.
(c) Add the packet capture [StudentID]-https.pcap to [StudentID]-files.zip.
Assuming an attacker only has access to the packet capture (i.e. traffic between web browser
and web server – they don’t know about the network structure or that there are only three
nodes), for the following, discuss what the attacker learns and how, or what they cannot learn
and why not. For example, if the attacker can learn the information, explain what is the value
they learn, what packet(s) they learn it from and how. If the attacker cannot learn the
information, then explain why they cannot learn it.
What does the attacker know about the:
(d) domain of the website that the client visited
(e) IP address of the client’s computer
(f) application layer protocol being used between client and server
(g) specific web page a client requested
(h) size of a web page sent by server to client
(i) username and password the client uses to login to the grading system
(j) browsing behaviour of the web browser user, with regards to when they navigate
between pages
(k) encryption algorithm(s) used, if any
(l) CA that the web server uses.
Now consider the role of certificates in this question.
(m) There were two different certificates exchanged between server and browser. For each
certificate complete the following information.
Information                                                 Certificate 1    Certificate 2
Whose public key is included?
What hash algorithm was used in signing?
Whose private key was used when creating the certificate?
(n) Referring to the certificates, explain how the web browser is certain that the web server
it is communicating with is in fact the web server for the requested domain (i.e.
www.[StudentID].edu).
(o) Explain why self-signed certificates are generally used for CAs, but not used for web
servers.
Question 2. Firewalls and iptables
In this question you will use iptables and virtnet to create a firewall on node2 of the
topology used in the previous questions. node1 is considered external and node3 is internal.
Although there are only 3 machines in the topology, when creating your rules you must assume
there will be more than that. For example, while there is only 1 internal subnet, there may be
more than 2 internal nodes on that subnet (you don’t have to create additional nodes in
virtnet; just design the rules assuming they are there).
Phase 1: Change SSH Server Port
SSH servers by default use port 22. However, the port can be changed by editing the SSH
server configuration file: /etc/ssh/sshd_config. For the change to take effect, the SSH server
needs to be restarted with:
sudo systemctl restart sshd
Once the SSH server port has changed, then SSH clients can specify the port using the -p
option, e.g.
ssh -p
Change the SSH server port on
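The attacker-perspective analysis asked for in Question 1, Phase 5 can be made concrete with a small parser. The following is an added example, not part of the original assignment or the posted solution: it walks raw TLS records and reports only what is readable without any keys. The SNI host name in the ClientHello answers (d), the offered cipher suites answer (k), and the lengths of encrypted application-data records give the approximate page size for (h), while the requested path and the login credentials for (g) and (i) sit inside those encrypted records and cannot be recovered. The bytes are constructed inline (the random field is zeros, www.s1234567.edu stands in for www.[StudentID].edu); a real capture would also carry the ServerHello and, for TLS 1.2, the server's certificate chain in the clear, which this parser does not handle.

```python
"""Passive TLS observer: what an on-path attacker reads from a capture.

Added example, not from the original assignment. The sample bytes are
constructed by hand rather than taken from a pcap; the host name
www.s1234567.edu is a made-up stand-in for www.[StudentID].edu.
"""
import struct

CONTENT_HANDSHAKE = 22
CONTENT_APPDATA = 23
HANDSHAKE_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0

# IANA code points for the suites used in the sample (others print as hex).
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}


def iter_records(data: bytes):
    """Yield (content_type, body) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length


def parse_client_hello(body: bytes) -> dict:
    """Extract the cleartext fields of a ClientHello handshake message."""
    if body[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    off = 4                       # handshake type (1) + length (3)
    off += 2 + 32                 # legacy_version + random
    sid_len = body[off]
    off += 1 + sid_len            # session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = body[off]
    off += 1 + comp_len           # compression methods
    sni = None
    if off + 2 <= len(body):
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if etype == EXT_SERVER_NAME:
                # ServerNameList: list len (2), name type (1), name len (2), name
                name_len = struct.unpack("!H", body[off + 3:off + 5])[0]
                sni = body[off + 5:off + 5 + name_len].decode("ascii")
            off += elen
    return {"sni": sni, "cipher_suites": [CIPHER_NAMES.get(c, hex(c)) for c in suites]}


def observe(capture: bytes) -> dict:
    """Summarise what a passive attacker learns from the TLS bytes alone."""
    result = {"sni": None, "cipher_suites": [], "app_data_sizes": []}
    for ctype, body in iter_records(capture):
        if ctype == CONTENT_HANDSHAKE and body and body[0] == HANDSHAKE_CLIENT_HELLO:
            result.update(parse_client_hello(body))
        elif ctype == CONTENT_APPDATA:
            # URL path, cookies and credentials are in here, encrypted; only
            # the record length (roughly the page size) leaks.
            result["app_data_sizes"].append(len(body))
    return result


def build_client_hello(host: str, suites) -> bytes:
    """Build a TLS 1.2 ClientHello record with an SNI extension (test data only)."""
    name = host.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32)                 # version, random (constructed zeros)
             + b"\x00"                               # empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00"                           # one compression method: null
             + struct.pack("!H", len(ext)) + ext)
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0303, len(hs)) + hs


# Constructed sample: ClientHello, then two opaque application-data records
# standing for an encrypted GET /grades/ and the encrypted response.
SAMPLE_CAPTURE = (
    build_client_hello("www.s1234567.edu", [0xC02F, 0xC030, 0x009C])
    + struct.pack("!BHH", CONTENT_APPDATA, 0x0303, 245) + bytes(245)
    + struct.pack("!BHH", CONTENT_APPDATA, 0x0303, 1460) + bytes(1460)
)

if __name__ == "__main__":
    for key, value in observe(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Run against real traffic, the same record walk is what tcpdump or Wireshark performs on [StudentID]-https.pcap: the IP header gives (e) directly, the server port 443 and the record structure give (f), and timing gaps between bursts of application-data records give (j), none of which TLS hides.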
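Editing sshd_config by hand for Question 2, Phase 1 is where students lock themselves out: the default file usually carries a commented `#Port 22`, `Port` is only valid in the global section before any `Match` block, and once the node2 firewall is in place the new port must be allowed before the old one is closed. The following is an added example, not the assignment's or the solution's own code: it rewrites the Port directive in an sshd_config text, keeps it ahead of the first Match block, optionally keeps the old port so sshd listens on both during the firewall change, and syntax-checks the result with `sshd -t` before anything is restarted. The sample config is constructed for the example and the port 2222 is an arbitrary choice.

```python
"""Change the sshd listening port safely.

Added example (not from the original assignment). Rewrites the Port
directive in an sshd_config text instead of hand-editing it. Port is a
global directive, so the rewrite stays above the first Match block.
The sample configuration below is constructed for this example.
"""
import re
import subprocess

PORT_RE = re.compile(r"^\s*#?\s*Port\s+(\d+)\s*$", re.IGNORECASE)
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def listening_ports(config_text: str) -> list[int]:
    """Ports sshd would listen on for this config (22 when none is set)."""
    ports = []
    for line in config_text.splitlines():
        if MATCH_RE.match(line):
            break                      # Port may not appear after Match
        m = PORT_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            ports.append(int(m.group(1)))
    return ports or [22]


def set_sshd_port(config_text: str, new_port: int, keep_old: bool = False) -> str:
    """Return config_text with sshd listening on new_port.

    Every active or commented-out Port line in the global section is
    dropped and replaced by one Port directive at the top (plus the
    previous ports when keep_old is True, so a firewall rule for the new
    port can be added before the old port is closed). Lines from the
    first Match block onwards are left untouched.
    """
    if not 1 <= new_port <= 65535:
        raise ValueError(f"invalid port {new_port}")
    old_ports = listening_ports(config_text)
    lines = config_text.splitlines()
    head, tail = lines, []
    for i, line in enumerate(lines):
        if MATCH_RE.match(line):
            head, tail = lines[:i], lines[i:]
            break
    head = [ln for ln in head if not PORT_RE.match(ln)]
    wanted = [new_port]
    if keep_old:
        wanted += [p for p in old_ports if p != new_port]
    directives = [f"Port {p}" for p in wanted]
    return "\n".join(directives + head + tail) + "\n"


def apply_to_file(path: str, new_port: int, keep_old: bool = False) -> None:
    """Rewrite the config on disk and syntax-check it before any restart."""
    with open(path) as f:
        new_text = set_sshd_port(f.read(), new_port, keep_old)
    with open(path, "w") as f:
        f.write(new_text)
    # sshd -t parses the file without starting a daemon; restart only if it passes.
    subprocess.run(["sshd", "-t", "-f", path], check=True)


# Constructed sample resembling a stock sshd_config: commented default port,
# one global option, then a Match block that must stay after Port.
SAMPLE_CONFIG = (
    "# sshd_config (constructed sample)\n"
    "#Port 22\n"
    "PermitRootLogin no\n"
    "Match User guest\n"
    "    PasswordAuthentication yes\n"
)

if __name__ == "__main__":
    print(set_sshd_port(SAMPLE_CONFIG, 2222, keep_old=True))
```

On node3 the sequence is `sudo python3 set_port.py` (calling `apply_to_file("/etc/ssh/sshd_config", 2222, keep_old=True)`), then `sudo systemctl restart sshd`, a test login from node1 with `ssh -p 2222 user@node3` while port 22 is still open, and only then the second pass without `keep_old` once the node2 rules permit the new port.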
Answered Same Day Oct 13, 2021 COIT20262 Central Queensland University

Solution

Deepti answered on Oct 15 2021
130 Votes
Assignment 2 Submission
COIT20262 Assignment 2 Submission Term 2, 2019
COIT20262 - Advanced Network Security, Term 1, 2019
Assignment 2 Submission
Due date: 10am Monday 14 October 2019
Assessment: 2
Weighting: 45%
Length: N/A

Student Name: enter your name
Student ID: id
Campus: campus
Tutor: tutor
HTTPS and Certificates
Part (d)
Write your answer here
Part (e)
Write your answer here
Part (f)
Write your answer here
Part (g)
Write your answer here
Part (h)
Write your answer here
Part (i)
Write your answer here
Part (j)
Write your answer here
Part (k)
Write your answer here
Part (l)
Write your answer here
Part (m)
Information                                                 Certificate 1    Certificate 2
Whose public key is included?
What hash algorithm was used in signing?
Whose private key was used when creating the certificate?
Part (n)
Write your answer here
Part (o)
Write your answer here
Firewalls and iptables
Part (a)
Include screenshot here. (Do not submit the file separately)
Part (b)
Include screenshot here. (Do not submit the file separately)
Part (c)
Include screenshot here. (Do not submit the file separately)
Part (d)
Include screenshot here. (Do not submit the file separately)
Part (f)
Write your answer here
Part (g)
Write your answer here
Network Security
Part (a)
The network diagram depicting wired, wireless and virtual private networks all in one is shown below. It clearly shows the data encrypted over VPN as well as Wi-Fi encryption.
Part (b)
MAC address filtering: It is a security method that allows/disallows a device to remain on a network. Devices that are allowed are assigned a 48-bit address. MAC filtering helps to prepare a separate list of devices which are permitted to access the network and those that are not permitted. These 48-bit addresses are best suited to allow opening a port for those devices (or IPs) that are allowed on the network. The IT employee needs to use the IP addresses through iptables in order to enlist the IPs that will be allowed access to the network. The employee may ALLOW...