Advanced Network Security
Referencing Style: Harvard
Question 1 – Cryptographic Operations with GPG [10 marks]
Objective: gain experience with using software to perform common cryptographic operations.
There are many different software (and hardware) implementations of cryptographic
operations. GNU Privacy Guard (GPG) is one such piece of software, which focusses on a
simple, open source implementation of common public key operations (but also includes
symmetric key encryption). In this task you must use GPG to perform some common operations
to communicate securely with the course coordinator.
GPG is available for most operating systems. You will need to install it on your computer to
complete this task. Chapter 1 of the GNU Privacy Handbook provides examples of using most
of the commands needed for this task. Others may be found in the ‘man’ or help page for the
command once installed.
Scenario: you want to send a message to the course coordinator. You will do that by submitting
a file on Moodle. But you want the communications to be secure (you don’t even trust other
staff that can also access Moodle submissions). You will use symmetric key cryptography to
encrypt the message. But the problem with symmetric key cryptography is that a shared secret
key must be exchanged somehow. A common solution is to encrypt the shared secret key using
public key cryptography. So in fact you will send two pieces of information to the course
coordinator (although in one file): a message and the shared secret key. The course coordinator
wants to be sure the message they receive came from you, therefore you will also sign the
message. This assumes you know the course coordinator's public key, which is available on
In the following instructions when you see id in a filename, replace it with your student ID.
For example, if your student ID is s123456, then the message file will be called
s123456-message.txt. Similarly, replace the example names, IDs, emails with yours.
a) Create the message by putting the following inside a text file named id-message.txt:
Name: <include your name here>
ID: <include your ID here>
Email: <include your email here>
<Write one or more paragraphs that explain which software used
in the assignments is the hardest to use, and why. This is not
assessed but is useful feedback.>
b) Create a shared secret key by generating a 12 byte random value encoded as base64.
Put the 16 character base64 value in a file called id-sharedsecret.txt. Hint: use gpg
to generate the random bytes, and include the --armor option to encode as base64.
c) Generate your own RSA 2048-bit key pair. Include your name and CQU email address
when prompted. For simplicity in this assignment, do not use a passphrase on your key
(if you do, make sure you remember it).
d) Export your public key and save it to a text file called id-publickey.txt. Use the
--armor option to generate a text based public key.
e) Create a detached signature of the message, saving that signature as id-message.sig.
f) Combine the message (id-message.txt) and signature (id-message.sig) into a
single file called id-signedmessage.zip using ZIP. Do not include any directories
or other files in the ZIP file – it should contain just two files.
g) Use AES128 to encrypt the zip file. When prompted for a passphrase, use the 16
character shared secret generated earlier. The output file is called id-signedmessage.enc.
h) Use RSA to encrypt the shared secret. The output file is called id-sharedsecret.gpg.
i) “Send” the two encrypted files to the course coordinator by submitting on Moodle. Also
“publish” your public key by submitting on Moodle.
In your assignment for this question include the list of GPG commands you used in each step
above, and with each command, a short explanation of what it does (including what the options
do). If a step did not use a GPG command, then just explain what you did in that step.
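The steps above as a script, added here as an example and not part of the assignment brief or of GnuPG's own documentation: it runs the gpg commands for steps (b) to (h) inside a throwaway keyring, then performs the reverse operations the marker carries out (decrypt the shared secret, decrypt the zip, unzip, verify the detached signature). The student ID s123456 from the brief, the name and email, and the "coordinator" key generated locally are all placeholders; the zip step uses Python's zipfile module rather than a ZIP command line tool, and GnuPG 2.x must be on PATH.

```python
"""Question 1 steps (b) to (h) run from Python, then the marker's reverse operations.
Added example, not part of the assignment brief.  Placeholders: the brief's example ID
s123456, a made-up name/email, and a "coordinator" key generated locally so the example
is self-contained.  Uses a throwaway GNUPGHOME and needs GnuPG 2.x on PATH."""
import os, re, shutil, subprocess, tempfile, zipfile
from pathlib import Path

STUDENT_ID = "s123456"                        # example ID from the brief
STUDENT_NAME = "Jane Student"                 # placeholder
STUDENT_EMAIL = "s123456@cqumail.com"         # placeholder
COORD_EMAIL = "coordinator@example.invalid"   # placeholder for the coordinator
# 12 random bytes base64-encode to exactly 16 characters with no '=' padding.
BASE64_16 = re.compile(r"[A-Za-z0-9+/]{16}")


def valid_shared_secret(text):
    return BASE64_16.fullmatch(text.strip()) is not None


def gpg_available():
    """The flags used below need GnuPG 2.x."""
    if not shutil.which("gpg"):
        return False
    out = subprocess.run(["gpg", "--version"], capture_output=True, text=True).stdout
    return out.startswith("gpg (GnuPG) 2.")


def gpg(home, *args, stdin=None):
    """Run one gpg command non-interactively and return its stdout.  `args` is what a
    student would type; --batch/--yes/--pinentry-mode only suppress prompts."""
    cmd = ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback", *args]
    env = dict(os.environ, GNUPGHOME=str(home))
    return subprocess.run(cmd, input=stdin, env=env, check=True,
                          capture_output=True, text=True).stdout


def gen_key(home, name, email):
    """Step (c): RSA 2048 key pair with no passphrase, via gpg's batch parameter format."""
    params = ("%no-protection\nKey-Type: RSA\nKey-Length: 2048\n"
              "Subkey-Type: RSA\nSubkey-Length: 2048\n"
              f"Name-Real: {name}\nName-Email: {email}\nExpire-Date: 0\n%commit\n")
    gpg(home, "--gen-key", stdin=params)


def send(work, home):
    """Steps (b) and (d) to (h) from the student's side; files land in `work`."""
    f = lambda suffix: str(work / f"{STUDENT_ID}-{suffix}")
    # (b) 12 random bytes; --armor encodes them as base64 (16 characters)
    Path(f("sharedsecret.txt")).write_text(gpg(home, "--armor", "--gen-random", "1", "12"))
    # (d) ASCII-armored (text) export of the public key
    Path(f("publickey.txt")).write_text(gpg(home, "--armor", "--export", STUDENT_EMAIL))
    # (e) detached signature, named id-message.sig instead of the default .txt.sig
    gpg(home, "--local-user", STUDENT_EMAIL, "--detach-sign",
        "--output", f("message.sig"), f("message.txt"))
    # (f) zip holding exactly the two files, no directory entries
    with zipfile.ZipFile(f("signedmessage.zip"), "w") as z:
        for name in (f("message.txt"), f("message.sig")):
            z.write(name, arcname=Path(name).name)
    # (g) AES128 symmetric encryption; the passphrase is the 16-character secret
    gpg(home, "--symmetric", "--cipher-algo", "AES128", "--passphrase-file",
        f("sharedsecret.txt"), "--output", f("signedmessage.enc"), f("signedmessage.zip"))
    # (h) RSA-encrypt the shared secret to the coordinator's public key
    gpg(home, "--encrypt", "--recipient", COORD_EMAIL,
        "--output", f("sharedsecret.gpg"), f("sharedsecret.txt"))


def receive(work, home):
    """The reverse operations the marker performs; returns the recovered message text."""
    f = lambda suffix: str(work / f"{STUDENT_ID}-{suffix}")
    (work / "recovered-secret.txt").write_text(gpg(home, "--decrypt", f("sharedsecret.gpg")))
    gpg(home, "--passphrase-file", str(work / "recovered-secret.txt"), "--decrypt",
        "--output", str(work / "recovered.zip"), f("signedmessage.enc"))
    out = work / "recovered"
    with zipfile.ZipFile(work / "recovered.zip") as z:
        z.extractall(out)
    gpg(home, "--import", f("publickey.txt"))
    # --verify exits non-zero (CalledProcessError here) if the signature does not check out
    gpg(home, "--verify", str(out / f"{STUDENT_ID}-message.sig"), str(out / f"{STUDENT_ID}-message.txt"))
    return (out / f"{STUDENT_ID}-message.txt").read_text()


def round_trip():
    """Whole exchange in a temp dir: True only if decrypt/verify succeed and the
    recovered message equals the original."""
    with tempfile.TemporaryDirectory() as tmp:
        work, home = Path(tmp), Path(tmp) / "gnupg"
        home.mkdir(mode=0o700)
        message = f"Name: {STUDENT_NAME}\nID: {STUDENT_ID}\nEmail: {STUDENT_EMAIL}\n\nSample feedback.\n"
        (work / f"{STUDENT_ID}-message.txt").write_text(message)
        try:
            gen_key(home, STUDENT_NAME, STUDENT_EMAIL)
            gen_key(home, "Course Coordinator", COORD_EMAIL)
            send(work, home)
            ok = valid_shared_secret((work / f"{STUDENT_ID}-sharedsecret.txt").read_text())
            return ok and receive(work, home) == message
        finally:  # stop the agent that gpg started for this keyring
            if shutil.which("gpgconf"):
                subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=dict(os.environ, GNUPGHOME=str(home)))


if __name__ == "__main__":
    print("round trip OK" if gpg_available() and round_trip() else "gpg 2.x missing or round trip failed")
```

When listing commands for the report, the options worth explaining are the ones after `--batch --yes --pinentry-mode loopback` in each call (those three only stop gpg from prompting). Note the two places where the default output name is overridden with `--output`, since the brief wants id-message.sig rather than gpg's id-message.txt.sig.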
Once files are submitted, they will be decrypted/verified using the reverse operations of what
you were expected to do. If your files successfully decrypt/verify, and the obtained plaintext
files are in the correct format, you will receive 7 marks. If the commands are listed and
explained correctly in your assignment submission then you will receive an additional 3 marks.
If the explanations are incorrect or do not explain options, then you will be deducted 1 to 3
marks (e.g. receive 7, 8 or 9 out of 10 in total).
If your files do NOT successfully decrypt/verify, then your list and explanation of the
commands will be reviewed to determine what mistakes you made. For each mistake you will
be deducted 3 marks. For example, if you make one mistake but all your other commands and
explanations are correct, then you will receive 7 out of 10. Two mistakes will receive 4 out of
10, and so on. Additional marks may be deducted (up to 3) if your explanations are incorrect
or do not explain options.
Question 2 – Secure Web Browsing with HTTPS [16 marks]
Objective: understand basics of HTTPS protocol operation, format of digital certificates, and
role of different ciphers in Internet communications.
For secure web browsing HTTPS is used. HTTPS is essentially HTTP on top of Secure Sockets
Layer (SSL). However over time SSL has been upgraded to various versions, and renamed to
Transport Layer Security (TLS). TLS1.0 was very similar to SSL3. TLS1.1 saw significant
changes and separation from SSL3. Now TLS1.2 is recommended for use, and SSL3 and earlier
are no longer considered secure. Despite the differences, you will often see SSL and TLS used
interchangeably. In the following we will refer to SSL, but be aware it means TLS in many
How does SSL work? Your task is to find out. As a starting point, SSL uses a Record protocol
to deliver different SSL messages between client and server. At the start of a SSL connection
a Handshake Protocol is used. After the handshake is finished, encrypted application data is
sent. After the data is sent, an encrypted Alert message may be sent to notify the close of the
SSL connection. One or more HTTP exchanges may be performed in a single SSL connection.
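To see what "one or more SSL messages in a single TCP packet" looks like at the byte level, here is an added example (not from the assignment or its capture file) that walks the Record Layer of a constructed TCP payload: it names each record, splits a Handshake record into its individual messages, reads the negotiated cipher suite out of a ServerHello, and marks everything after ChangeCipherSpec as encrypted. The record and handshake type numbers and the cipher suite values are the standard IANA ones; the sample bytes are constructed.

```python
"""Walk the TLS Record Layer in a TCP payload and name every SSL/TLS message in it,
the way Wireshark's "Record Layer" entries do.  Added example on constructed bytes;
nothing here comes from the assignment's capture file."""
RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {0x0300: "SSL3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
CIPHER_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}


def server_hello_cipher_suite(body):
    """ServerHello body: version(2) random(32) session_id_len(1) session_id suite(2) ..."""
    sid_len = body[34]
    suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
    return CIPHER_SUITES.get(suite, f"0x{suite:04X}")


def walk_handshake(body):
    """One Handshake record can carry several handshake messages back to back
    (header: type(1) length(3)); return one entry per message."""
    entries, off = [], 0
    while off + 4 <= len(body):
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        hbody = body[off + 4:off + 4 + hlen]
        if len(hbody) < hlen:
            raise ValueError("truncated handshake message")
        entry = {"message": HANDSHAKE_TYPES.get(htype, f"Unknown({htype})")}
        if htype == 2:
            entry["cipher_suite"] = server_hello_cipher_suite(hbody)
        entries.append(entry)
        off += 4 + hlen
    return entries


def walk_records(payload, encrypted=False):
    """Parse consecutive records (header: type(1) version(2) length(2)).  `encrypted`
    is this direction's state: after ChangeCipherSpec every later record, the Finished
    message included, is ciphertext, so only its record type can be named."""
    entries, off = [], 0
    while off + 5 <= len(payload):
        ctype = payload[off]
        version = VERSIONS.get(int.from_bytes(payload[off + 1:off + 3], "big"), "unknown")
        length = int.from_bytes(payload[off + 3:off + 5], "big")
        body = payload[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record")
        record = RECORD_TYPES.get(ctype, f"Unknown({ctype})")
        if ctype == 22 and not encrypted:
            for hs in walk_handshake(body):
                entries.append({"record": record, "version": version, "encrypted": False, **hs})
        else:
            entries.append({"record": record, "version": version,
                            "encrypted": encrypted, "message": None})
        if ctype == 20:            # ChangeCipherSpec itself travels in the clear
            encrypted = True
        off += 5 + length
    return entries


def summary(payload):
    """(record, message, encrypted) per message: one arrow per line of the diagram."""
    return [(e["record"], e["message"], e["encrypted"]) for e in walk_records(payload)]


def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _rec(ctype, body):
    return bytes([ctype, 0x03, 0x03]) + len(body).to_bytes(2, "big") + body


# Constructed server-side bytes (not from the capture): ServerHello + Certificate +
# ServerHelloDone packed in ONE record, then ChangeCipherSpec, the encrypted Finished
# (opaque bytes), and an ApplicationData record.  Real flights span several TCP segments.
SAMPLE_SERVER_PAYLOAD = (
    _rec(22, _hs(2, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
             + _hs(11, b"\x00\x00\x00") + _hs(14, b""))
    + _rec(20, b"\x01")
    + _rec(22, b"\xaa" * 40)
    + _rec(23, b"\xbb" * 20)
)

if __name__ == "__main__":
    for record, message, enc in summary(SAMPLE_SERVER_PAYLOAD):
        print(f"{record:17} {message or '(opaque)':17} {'encrypted' if enc else 'cleartext'}")
```

The parser keeps separate encryption state per direction, which is exactly what the diagram needs: the client's records become encrypted after the client's ChangeCipherSpec and the server's after the server's, so the two sides must be walked with their own `encrypted` flag.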
The file a02-assignment-2-question-2-capture.pcap includes packets for several HTTPS
exchanges from a single web browser to a single website.
a) [4 marks] Draw a message sequence diagram that illustrates the SSL packets belonging
to the first TCP connection in the file. Refer to the instructions in assignment 1 for
drawing a message sequence diagram, as well as these additional requirements:
– Only draw the SSL packets; do not draw the 3-way handshake, TCP ACKs or
connection close. Hint: identify which packets belong to the first TCP
connection and then filter with “ssl” in Wireshark. Depending on your
Wireshark version, the protocol may show as “TLSv1.2”.
– A single TCP packet may contain one or more SSL messages (in Wireshark
look inside the packet for each “Record Layer” entry to find the SSL message
names). Make sure you draw each SSL message. If a TCP packet contains
multiple SSL messages, then draw multiple arrows, one for each SSL message,
and clearly label each with SSL message name.
– Clearly mark which packets/messages are encrypted.
b) Considering the first TCP connection only, answer the following questions.
You must explain the reason for your answer by referring to specific parts of the
capture. For example, “The answer is X as field Y in packet number Z shows that …”.
i. What is the domain of the website that the web browser visited?
ii. What symmetric key cipher was used for encrypting the data?
iii. What public key cipher was used for exchanging a secret?
iv. What cipher and what hash algorithm are used in signing the web server's
v. How many HTTP requests do you think were exchanged in the first SSL
c) [3 marks] The user of the web browser typed in a URL containing some domain (answer
in question (b) i.). Explain how the web browser knows it is communicating with the
server of that domain (and it is not a server pretending to be for that domain). Refer to
the specific messages/fields in the capture and the names of the organizations/entities.
d) If you were using your browser to visit the same webpages as in the capture
(assuming it is a real website and you have access to it), do you think your web browser
would present any warnings or errors? Explain your answer.
e) In the second and third TCP connections in the capture, the web browser is
continuing to access webpages on the same website, but notice the SSL connection
handshake has fewer SSL messages than the first TCP/SSL connection. Explain the
tradeoffs of doing this (i.e. the advantage and disadvantage of the shortened subsequent
handshakes) and how it is achieved (refer to fields in the captured packets).
Question 3 – Securing a Small Network [9 marks]
Objective: be aware of security features available in WiFi networks, how to deal with threats,
as well as password management.
Scenario: After graduation, you and 10 of your classmates have formed a startup to
commercialise an idea based on your expertise gained from your degree. You have rented a
large house where everyone will work together, trying to rapidly turn the idea into a proof-of-concept
and eventually marketable product. You are confident in your idea and plan, and expect
if you can quickly get to market, your product will be worth millions of dollars, and may result
in a buyout from the likes of Google, Facebook, etc.
You expect to have 10 to 15 others work with you, either temporarily or full-time, over the
next few months. The house you are using as an office will also have regular visitors: friends
and family, advisors, potential clients and funders, … .
Your network contains several servers and desktops, but primarily everyone works with their
own laptop, tablet and phone (they are personal devices of many different types and using
different operating systems), and use cloud computing for many non-critical services (email,
messaging, non-confidential file storage). The key Intellectual Property is in the form of files
(e.g. designs, code, graphics) and is stored on internal servers. The house has two Internet
connections: NBN as well as an ADSL2 line. Although there is a wired Ethernet network
connecting the desktops and servers, most users will use WiFi.
Despite your big plans, you have little income, and cannot afford people dedicated to network
administration. Therefore you have been assigned the initial task of setting up the WiFi
network, as well as producing a set of recommendations for securing the network. You already
have 6 consumer-grade WiFi routers (e.g. TP-Link Archer C series) installed across the house.
They provide coverage for most of the area, but there are some dead-zones outside and in some
rooms. You don’t have the budget or time to deploy dedicated authentication servers: you want
to setup the WiFi routers, and then spend little or no time administering them over the coming
Consider the security of the WiFi network. You want to set it up so startup members can use
the network, but also provide access to visitors and temporary workers. Although you are a
small, new startup, your Intellectual Property is potentially very valuable, so different attacks
on your network are likely.
a) [3 marks] Explain what technologies/settings you will use in securing the WiFi
network. Refer to specific technologies/settings and explain why you would use them.
For example, “On every WiFi router enable feature X. The reason for doing this is …”.
As an example of the features available on WiFi routers, see the emulation website for
TP-Link devices: http://www.tp-link.com/en/emulators.html
Despite the members of the startup having little time to worry about network security, they all
realise that with the value of their Intellectual Property, network security is important.
Therefore they will listen to and follow any recommendations you make in using the internal
b) [3 marks] Provide a list of recommendations for the startup members in using the
internal network. The recommendations are things the users should or should not do to
ensure the internal network is secure. For each recommendation give a concise
description, explain the reason for the recommendation, and explain any potential
disadvantages or weaknesses of following the recommendation. For example,
“Recommendation 1: Never do X. The reason is because of Y. The drawback of this is
that you won’t be able to do Z.” (This is just a short example; the recommendations
may be longer, more detailed).
Now consider the external networks, and especially how the startup members use many
different cloud services (e.g. Google Docs, Facebook, Twitter, Slack, AWS, …). Each member
may have accounts on many different services, and may want to login to those accounts from
their own devices (laptop, tablet and phone), as well as other devices (e.g. shared desktops,
temporarily using someone else’s laptop).
c) Provide a list of recommendations for the startup members in managing
(including creating) their passwords and authentication information. For each
recommendation give a concise description, explain the reason for the
recommendation, and explain any potential disadvantages or weaknesses of following
Question 4 – Intrusion Detection with Snort [9 marks]
Objective: gain experience with using Snort and with identifying/analysing packet traces
You are the administrator for a network that has users exchanging files using various approved
server applications (HTTP and SSH). You have discovered that image editing software used in
the organisation has a bug such that JPEG image files may trigger malicious behaviour when
opened. As one method to minimise the impact of the bug, you have configured the servers to
monitor any JPEG files transferred. However you believe some users are exchanging images
using other, unapproved, applications. Therefore your task is to identify in real-time which and
when users are exchanging JPEG files using unapproved applications. You will use Snort to
alert you of such exchanges.
Your task: write Snort rules that alert you of the start of an exchange of a JPEG file that does
not involve HTTP or SSH. The rules should be clearly commented. The file a02-assignment-
2-question-4-capture.pcap is a trace of the packets exchanged in the network. Use it as an
input to Snort to complete this task.
Requirements and Hints:
– The computers and ports of the approved HTTP and SSH servers may vary. Therefore,
as they may change over time, you CANNOT use IP addresses or port numbers to alert
you to an unapproved exchange.
– Other file formats exchanged using unapproved applications (non-HTTP, non-SSH) are
not of interest to you. You only want to be alerted about JPEG files.
– The file a02-assignment-2-question-4-capture.pcap was obtained on a nonstandard
system that resulted in some erroneous packet checksums. Therefore you
MUST use the “-k none” option with Snort to disable all checksum checks.
– Print the following message when an unapproved JPEG exchange is initiated:
Exchange of JPEG file using unapproved application
– As a hint, there are 5 unapproved JPEG exchanges.
Answer the following sub-questions:
a) Submit your Snort rules as a single file called id-snort.conf (replace id
with your student ID). Make sure the rules are clearly explained via the comments in
the file. Your file will be tested with the following Snort command:
snort -k none -c id-snort.conf -r a02-assignment-2-question-4-capture.pcap
The alert file produced should contain 5 messages, and the log file produced should
contain 5 packets.
b) Explain one method that a malicious user could use to avoid detection by
c) For the 5 alerts, find the actual JPEG images that were exchanged. Hint: you
don’t have to use Snort to get this answer. You may use Wireshark or other software,
however the answer must come only from the capture file provided. For your answer,
include the 5 images in your assignment report (do NOT submit the JPEG files on
Moodle; just embed them in your report) and explain how you obtained them.
a) To obtain 5 marks your Snort rules must return the correct 5 packets using correct
conditions (e.g. not using IP addresses, but using conditions that would work for other
traces) and have comments that explain the rules. No or poor comments, but correct
rules, will result in a score of 2 to 4 marks. Incorrect rules (using the wrong conditions,
not matching the correct packets) will result in a score of 0 to 3.
b) The method must be realistic within the context of the scenario and well explained to
obtain 2 marks.
c) If all 5 images are included in the report and the method is appropriate you will obtain
2 marks. Including the images with no or poor explanation will result in 0 or 1 mark
(depending on part a) answer).
Question 5 – Firewall Rules
Objective: understand firewall rules and the importance of consistency and ordering.
Consider a firewall configured with the following rules:
a) Describe the meaning of a rule conflict. Identify all conflicting rules in the
b) Identify any redundancies in the table, and for each, explain which rule would
be applied if using each of the following 3 matching strategies: first, best, last. For
example, if you identify a redundancy, then state which rule would be applied if first
matching was used, then state which rule would be applied if best matching was used,
and then for last matching. Repeat for other redundancies.
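An added example (not the assignment's table, which is not reproduced here) of how the three matching strategies can disagree on the same packet: a constructed four-rule table, a classifier for first, best and last matching, and a check that reports overlapping pairs as conflicts (different actions) or redundancies (one rule fully covered by another with the same action). The specificity score used for "best" matching is this example's own assumption; firewall products define specificity in their own ways.

```python
"""Rule-table analysis for first / best / last matching.  Added example with a
constructed four-rule table; the 'best match' scoring is an assumption of this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    num: int
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    dport: str      # "80", "1024-65535" or "any"


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _ports(spec):
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def matches(rule, proto, src, dst, dport):
    lo, hi = _ports(rule.dport)
    return (rule.proto in ("any", proto)
            and ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst)
            and lo <= dport <= hi)


def specificity(rule):
    """Assumed 'best match' score: longer prefixes, a fixed protocol and a narrower
    destination port range all make a rule more specific."""
    lo, hi = _ports(rule.dport)
    return (_net(rule.src).prefixlen + _net(rule.dst).prefixlen
            + (8 if rule.proto != "any" else 0) + 16 - (hi - lo).bit_length())


def decide(rules, strategy, proto, src, dst, dport):
    """Return the rule applied under the given strategy, or None if nothing matches."""
    hits = [r for r in rules if matches(r, proto, src, dst, dport)]
    if not hits:
        return None
    if strategy == "first":
        return hits[0]
    if strategy == "last":
        return hits[-1]
    if strategy == "best":
        return max(hits, key=specificity)   # ties go to the earliest rule
    raise ValueError(f"unknown strategy {strategy!r}")


def overlaps(a, b):
    """True if some packet matches both rules."""
    alo, ahi = _ports(a.dport)
    blo, bhi = _ports(b.dport)
    return (("any" in (a.proto, b.proto) or a.proto == b.proto)
            and _net(a.src).overlaps(_net(b.src)) and _net(a.dst).overlaps(_net(b.dst))
            and alo <= bhi and blo <= ahi)


def covers(a, b):
    """True if every packet matching b also matches a."""
    alo, ahi = _ports(a.dport)
    blo, bhi = _ports(b.dport)
    return (a.proto in ("any", b.proto) and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst)) and alo <= blo and bhi <= ahi)


def analyse(rules):
    """Conflict: overlapping rules with different actions, so the matching strategy
    decides the outcome.  Redundancy: one rule's packets are all covered by another
    rule with the same action, so it adds nothing to the policy."""
    findings = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action != b.action and overlaps(a, b):
                findings.append((a.num, b.num, "conflict"))
            elif a.action == b.action and (covers(a, b) or covers(b, a)):
                findings.append((a.num, b.num, "redundancy"))
    return findings


# Constructed table (not the assignment's): web access to a server subnet, a block for
# one internal subnet, a host-specific allow, and a catch-all deny.
RULES = [
    Rule(1, "allow", "tcp", "any", "10.0.0.0/24", "80"),
    Rule(2, "deny", "tcp", "192.168.1.0/24", "10.0.0.0/24", "80"),
    Rule(3, "allow", "tcp", "any", "10.0.0.5/32", "80"),
    Rule(4, "deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    pkt = ("tcp", "192.168.1.7", "10.0.0.5", 80)
    for strategy in ("first", "best", "last"):
        r = decide(RULES, strategy, *pkt)
        print(f"{strategy:5} matching -> rule {r.num} ({r.action})")
    for a, b, kind in analyse(RULES):
        print(f"rules {a} and {b}: {kind}")
```

For the packet in the `__main__` block, rule 1 wins under first matching (allow), rule 2 under best matching (deny, the most specific hit) and rule 4 under last matching (deny), which is the kind of per-strategy answer part (b) asks for once the redundancies are identified.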