COIS23001 – Network Security - Question 1: Firewall Rule Design

Question # 00074217 Posted By: jia_andy Updated on: 06/03/2015 01:50 PM Due on: 10/28/2015
COIS23001 – Network Security

Assessment Item 1 — Assignment 1

Due date:

Friday, 5:00pm (AEST), Week 6

Weighting:

25%

Note: Your assignment must be in Microsoft Word format and must be submitted electronically by the due date via the Moodle website.

Question 1: Firewall Rule Design [10 marks]

The following diagram shows the topology of the network of a small company. There are three servers located in a DMZ (Demilitarised Zone).

The web server can directly accept requests (HTTP or HTTPS) from the Internet or from the internal network.

The DNS server can directly accept requests from the Internet. The DNS server can also directly accept requests from the internal network. However, if the DNS server cannot resolve a domain name requested by the internal network, it will contact the DNS servers on the Internet directly for the name resolution.

On behalf of the users on the internal network, the email server sends emails to and receives emails from the Internet. The users on the internal network use IMAP (Internet Message Access Protocol) to read and organize their emails on the email server.

The users on the internal network are allowed to access the Internet only for HTTP, HTTPS and FTP services. However, the users of the internal network are never allowed to connect to the Internet directly.

Based on the above network configuration and application scenarios, answer the following three questions.

A. The firewall services are installed on the router. Create the firewall rules to implement the packet filtering and only allow the specified traffic. The firewall rules are to be created in the following format.

Rule No. | Application Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action
---------|----------------------|--------------------|-----------|-------------|----------------|------------------|-------
1        |                      |                    |           |             |                |                  |
2        |                      |                    |           |             |                |                  |
:        |                      |                    |           |             |                |                  |
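As an added illustration of how a rule base in this format is evaluated (this is example code, not the assignment's answer or a complete rule set), the following first-match packet filter encodes a handful of rules from the scenario above and applies the implicit "deny all" to anything else. The DMZ server addresses are not given on the page, so 203.0.113.x placeholders are assumed; reply-traffic rules and the router's own proxy traffic are left out.

```python
import ipaddress
# DMZ server addresses are not given in the assignment: 203.0.113.0/24
# (documentation range) is an assumed placeholder. 192.168.1.0/25 is the
# internal network the assignment states.
WEB, DNS, MAIL = "203.0.113.10", "203.0.113.20", "203.0.113.30"
INTERNAL = "192.168.1.0/25"
ANY = "any"

# One tuple per row of the assignment's rule table: (rule no, application
# protocol, transport protocol, source IP, source port, destination IP,
# destination port, action). Rules are checked top-down, first match wins.
RULES = [
    (1, "HTTP",  "TCP", ANY,      ANY, WEB,  80,  "allow"),
    (2, "HTTPS", "TCP", ANY,      ANY, WEB,  443, "allow"),
    (3, "DNS",   "UDP", ANY,      ANY, DNS,  53,  "allow"),
    (4, "DNS",   "UDP", DNS,      ANY, ANY,  53,  "allow"),  # DNS forwards what it cannot resolve
    (5, "SMTP",  "TCP", ANY,      ANY, MAIL, 25,  "allow"),
    (6, "SMTP",  "TCP", MAIL,     ANY, ANY,  25,  "allow"),  # mail server delivers outbound mail
    (7, "IMAP",  "TCP", INTERNAL, ANY, MAIL, 143, "allow"),  # only internal users read mailboxes
]

def _ip_match(pattern, addr):
    return pattern == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

def _port_match(pattern, port):
    return pattern == ANY or pattern == port

def match(rule, pkt):
    _, _, transport, src, sport, dst, dport, _ = rule
    return (transport == pkt["proto"]
            and _ip_match(src, pkt["src"]) and _port_match(sport, pkt["sport"])
            and _ip_match(dst, pkt["dst"]) and _port_match(dport, pkt["dport"]))

def filter_packet(pkt, rules=RULES):
    """Return (action, rule no) of the first match; ("deny", 0) is the implicit deny-all."""
    for rule in rules:
        if match(rule, pkt):
            return rule[7], rule[0]
    return "deny", 0

if __name__ == "__main__":
    # Constructed packets; 198.51.100.7 stands in for an arbitrary Internet host.
    for pkt in [
        {"proto": "TCP", "src": "198.51.100.7", "sport": 51000, "dst": WEB, "dport": 443},
        {"proto": "TCP", "src": "198.51.100.7", "sport": 51001, "dst": MAIL, "dport": 143},
        {"proto": "TCP", "src": "192.168.1.5", "sport": 2301, "dst": MAIL, "dport": 143},
        {"proto": "TCP", "src": "192.168.1.5", "sport": 2302, "dst": "198.51.100.7", "dport": 80},
    ]:
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], filter_packet(pkt))
```

Because rule 7 restricts the source to 192.168.1.0/25, an IMAP attempt from the Internet falls through every rule and is dropped by the default deny, which is the behaviour the scenario requires.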

B. Briefly explain each rule in the rule base that you have created.

C. The proxy services are also installed on the router to conceal the users of the internal network (192.168.1.0/25) from the Internet. Suppose that users on the internal computers send the following requests to the Internet. The proxy services perform Port Address Translation (PAT). Complete the following connection table to show how PAT works for requests from the users on the internal network.

The left four columns give the packet addressing on the internal network; the right four columns give the packet addressing on the external network (to be completed).

Internal Source IP | Internal Source Port | Internal Destination IP | Internal Destination Port | External Source IP | External Source Port | External Destination IP | External Destination Port
-------------------|----------------------|-------------------------|---------------------------|--------------------|----------------------|-------------------------|--------------------------
192.168.1.2        | 1033                 | 203.206.209.77          | 80                        |                    |                      |                         |
192.168.1.2        | 1035                 | 210.10.102.196          | 443                       |                    |                      |                         |
192.168.1.5        | 2301                 | 203.206.209.55          | 21                        |                    |                      |                         |
192.168.1.5        | 2302                 | 202.2.59.40             | 443                       |                    |                      |                         |
192.168.1.5        | 4123                 | 72.5.124.55             | 80                        |                    |                      |                         |
192.168.1.8        | 4128                 | 72.5.124.35             | 21                        |                    |                      |                         |
192.168.1.8        | 1033                 | 150.101.16.250          | 80                        |                    |                      |                         |
192.168.1.9        | 1035                 | 150.101.16.250          | 443                       |                    |                      |                         |
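The following added example (not part of the assignment) simulates the PAT table the proxy on the router would build for the internal-side rows above. The router's public address is not given on the page, so 203.0.113.1 is assumed; the point it shows is that two internal hosts using the same source port (1033 on 192.168.1.2 and 192.168.1.8) must receive distinct public ports, and that the reverse mapping is what lets a reply reach the right internal host.

```python
import ipaddress
# The router's public address is not given in the assignment; 203.0.113.1 is an
# assumed placeholder. 192.168.1.0/25 is the internal network the assignment states.
PUBLIC_IP = "203.0.113.1"
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/25")

class PAT:
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024):
        self.public_ip, self.next_port = public_ip, first_port
        self.outbound = {}   # (src ip, src port, dst ip, dst port) -> public port
        self.inbound = {}    # (public port, remote ip, remote port) -> (src ip, src port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an internal packet; an existing flow keeps its port."""
        if ipaddress.ip_address(src_ip) not in INTERNAL_NET:
            raise ValueError(f"{src_ip} is not on the internal network")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:   # new flow: allocate the next unused public port,
            self.outbound[key] = self.next_port   # so two hosts sharing a source port stay distinct
            self.inbound[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return self.public_ip, self.outbound[key], dst_ip, dst_port

    def translate_in(self, remote_ip, remote_port, public_port):
        """Map a reply to public_ip:public_port back to (internal ip, port), or None if unknown."""
        return self.inbound.get((public_port, remote_ip, remote_port))

# Internal-side rows copied from the assignment's connection table.
REQUESTS = [
    ("192.168.1.2", 1033, "203.206.209.77", 80),
    ("192.168.1.2", 1035, "210.10.102.196", 443),
    ("192.168.1.5", 2301, "203.206.209.55", 21),
    ("192.168.1.5", 2302, "202.2.59.40", 443),
    ("192.168.1.5", 4123, "72.5.124.55", 80),
    ("192.168.1.8", 4128, "72.5.124.35", 21),
    ("192.168.1.8", 1033, "150.101.16.250", 80),
    ("192.168.1.9", 1035, "150.101.16.250", 443),
]

def build_table(requests=REQUESTS):
    """Return the PAT instance and [(internal addressing, external addressing), ...]."""
    pat = PAT()
    return pat, [(req, pat.translate_out(*req)) for req in requests]

if __name__ == "__main__":
    pat, rows = build_table()
    for inside, outside in rows:
        print(inside, "->", outside)
    # A reply from 150.101.16.250:80 to the 7th flow's public port reaches 192.168.1.8, not .2
    print(pat.translate_in("150.101.16.250", 80, rows[6][1][1]))
```

Replies that match no table entry return None, which is why unsolicited inbound packets to the public address never reach an internal host.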

Marking Criteria

Parts A & B (6 Marks)

·6 Marks: All rules present and in appropriate order; explanations clear and correct.

·4-5 Marks: A few rules missing or incorrect; however, the explanations justify the intent.

·3 Marks: Passable solution, but with a number of missing rules and/or incorrect explanations.

·1-2 Marks: Most rules missing/incorrect and/or explanations are not correct.

·0 Marks: Essentially nothing is correct.

Part C (4 Marks)

·1/2 mark per correct table entry

Question 2: PCAP Analysis [6 marks]

For this question, you are to use the extracts from a PCAP file given below.

(a) 4 Marks

Your task is to annotate each packet commenting on the following characteristics.

·Comment on any significant TCP flags and what they mean in the context of the packet capture. Significant flags include SYN, FIN, RST, and URG. You must explain why the flag has been set and what it means for this TCP connection.

·Comment on the direction of each packet (i.e. client -> server or server -> client). Be clear to explain in which direction the interaction is occurring.

No. | Time                       | Source        | Destination   | Protocol | Info
----|----------------------------|---------------|---------------|----------|-----
1   | 2006-10-03 14:50:19.628169 | 138.77.36.105 | 138.77.36.46  | TCP      | 41640 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=34790 TSER=0 WS=2
2   | 2006-10-03 14:50:19.632551 | 138.77.36.46  | 138.77.36.105 | TCP      | smtp > 41640 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=285859166 TSER=34790 WS=5
3   | 2006-10-03 14:50:19.633273 | 138.77.36.105 | 138.77.36.46  | TCP      | 41640 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=34792 TSER=285859166
4   | 2006-10-03 14:50:19.641368 | 138.77.36.46  | 138.77.36.105 | SMTP     | Response: 220 basil.cqu.edu.au ESMTP Sendmail 8.13.7/8.13.7; Tue, 3 Oct 2006 14:50:19 +1000

Explanation (packet 1):

Explanation (packet 2):

Explanation (packet 3):
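As an added example (not part of the assignment), the script below parses Wireshark-style summary rows like the four above, takes the sender of the first bare SYN as the client, tracks the three-way handshake step by step, and labels the direction of every packet. The packet rows are copied from the table; the RST case in the usage note is constructed.

```python
import re

# Rows copied from the extract: (no, source, destination, protocol, info).
PACKETS = [
    (1, "138.77.36.105", "138.77.36.46", "TCP", "41640 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=34790 TSER=0 WS=2"),
    (2, "138.77.36.46", "138.77.36.105", "TCP", "smtp > 41640 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=285859166 TSER=34790 WS=5"),
    (3, "138.77.36.105", "138.77.36.46", "TCP", "41640 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=34792 TSER=285859166"),
    (4, "138.77.36.46", "138.77.36.105", "SMTP", "Response: 220 basil.cqu.edu.au ESMTP Sendmail 8.13.7/8.13.7; Tue, 3 Oct 2006 14:50:19 +1000"),
]
TCP_INFO = re.compile(r"^(\S+) > (\S+) \[([^\]]*)\]")
# Three-way handshake: (who sends, exact flag set) expected at each step.
HANDSHAKE = [("client", {"SYN"}), ("server", {"SYN", "ACK"}), ("client", {"ACK"})]

def parse_info(info):
    """Return (src port, dst port, set of flags) for a TCP summary line, else None."""
    m = TCP_INFO.match(info)
    return (m.group(1), m.group(2), {f.strip() for f in m.group(3).split(",")}) if m else None

def annotate(packets=PACKETS):
    """Client = host sending the first bare SYN. Returns ((client ip, port), (server ip, port), notes)."""
    client = server = None
    step, notes = 0, []
    for no, src, dst, proto, info in packets:
        tcp = parse_info(info)
        if client is None and tcp and tcp[2] == {"SYN"}:
            client, server = (src, tcp[0]), (dst, tcp[1])
        role = "client" if client and src == client[0] else "server"
        direction = "client -> server" if role == "client" else "server -> client"
        if tcp and step < 3 and HANDSHAKE[step] == (role, tcp[2]):
            step += 1
            what = f"handshake step {step} of 3" + (", connection established" if step == 3 else "")
        elif tcp:
            what = "flags " + ",".join(sorted(tcp[2])) + " outside the handshake"
        else:
            what = f"{proto} application data"
        notes.append((no, direction, what))
    return client, server, notes

if __name__ == "__main__":
    client, server, notes = annotate()
    print("client", client, "server", server)
    for note in notes:
        print(*note)
```

Feeding it a constructed capture whose second packet carries [RST, ACK] instead of [SYN, ACK] reports that packet as "flags ACK,RST outside the handshake", the signature of a refused connection.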

(b) Identify the IP addresses of both the client and the server. (1 mark)

(c) What port numbers have been used by each, and what is their type? (1 mark)

Marking Criteria

(a) 1 mark for each explanation

(b) 1/2 mark for each IP address

(c) 1/2 mark for each port

Question 3: Attack and Defence Research [9 marks]

DNS and ARP poisoning attacks are similar; however, there are fundamental differences between the two. You are to research these specific differences, contrasting the way the attacks are conducted and some of the countermeasures available. Ensure you use at least three in-text academic references to contrast these attacks (do not count your textbook or Wikipedia among these references; failing to do so may cost you marks).

Remember that you are not to repeat in your research what DNS and ARP poisoning attacks are; we already know that from our discussions in class. In writing about the differences between the two types of attack, contrast, for example, the complexity of the attacks (which one is easier to conduct and why), the impact (consequences) of the attacks, which one is more common, and the different mechanisms available to counter the attacks. Write no more than 300 words (about a page, including in-text references).

Question 3 Marking Criteria

2.5 Marks for contrasting the complexity of the two types of attack

2.5 Marks for contrasting the impact (consequences) of the attacks

2.5 Marks for contrasting the countermeasures

1.5 Marks for the format of the writing (referencing, grammar and structure)

General note

Your answers need to be thoroughly documented using in-text references (Harvard or APA style). Please remember that your assignment will be sent to Turnitin for an academic integrity check; consequently, it is your responsibility to answer the questions in your own words. Plagiarism will be referred to CQU authorities for investigation and possible academic penalty.
