Final Exam - CSEC 640

Name:

Note: This test is open book and open note. All work, however, must be your own. You are not allowed to discuss this exam with anyone else.

Points will be awarded or deducted based upon:
- The answer displays a sound understanding of the subject matter and course material.
- The support used in the answer corresponds to the information sought in the question.
- The explanation displays a sound and thorough understanding of the matter in question.
- The answer reflects the student's own thoughtful consideration of the material. You may quote and reference other sources if you like. If you do, please cite your sources and include a bibliography with your answer.

Partial credit will be given as appropriate. Do not leave any problem blank. Many questions have no right or wrong answers. If you encounter a problem that you don't know the answer to, make a logical guess (I would like to see how you think and react).

1. [16 points total, TCP/IP]

a. Unlike IP fragmentation (which can be done by intermediate devices), IP reassembly can be done only at the final destination. What problems do you see if IP reassembly is attempted in intermediate devices like routers? [8 points]

Answer:

b. Let's assume that Host A (receiver) receives a TCP segment from Host B (sender) with an out-of-order sequence number that is higher than expected, as shown in the diagram. Then, what do Host A (receiver) and Host B (sender) do? [8 points]

Answer:

2. Describe or propose a way to detect an ARP spoofing attack. What could be a possible weakness in your proposed method? Please do not discuss any prevention method (e.g., port security is an example of a preventive method). [8 points]

Answer:

3. [Wireless LAN Security - WEP] What is the main difference between the FMS attack and the Chopchop attack? Clearly explain your answer. [8 points]

Answer:

4. A huge enterprise decides to use symmetric encryption to protect routing update messages between its own routers (i.e., entire routing update messages are encrypted by a strong shared symmetric key). They think this will prevent routing table modification attacks. Do you think their decision is appropriate? Do you see any problems or issues with their decision? [10 points]

Answer:

5. An ACK scan does not provide information about whether a target machine's ports are open or closed, but rather whether or not access to those ports is being blocked by a firewall. If there is no response, or an ICMP "destination unreachable" packet is received as a response, then the port is blocked by a firewall. If the scanned port replies with a RST packet, then the ACK packet reached its intended host, so the target port is not being filtered by a firewall. Note, however, that the port itself may be open or closed.

Describe a rule (or a set of rules) that could be used by Snort to detect an ACK scan. Clearly express your assumptions and explain your rules. Do you think Bro can do a better job detecting an ACK scan? Explain your answer. [15 points]

Answer:

6. Explain the main difference between SQL injection and XSS attacks. [10 points]

Answer:

7. As shown in the above diagram, Kevin, the system admin, installed a text-message sender and a text-message receiver in a Multi-Level-Secure (MLS) environment. In the MLS environment, two security levels exist (i.e., Unclassified (Low) and Classified (High)). His goal is to enforce the Bell-LaPadula (BLP) access control model in the network. In a nutshell, the BLP model defines two mandatory access control rules:

- No Read Up Rule: a subject (Low) at a lower security level must not read an object (High) at a higher security level. Simply, a Low entity cannot have read access to a High object.
- No Write Down Rule: a subject (High) at a higher security level must not write to any object (Low) at a lower security level. Simply, a High entity cannot have write access to a Low object.

In this scenario, enforcing the BLP model means no confidential information flows from the Classified LAN (High) to the Unclassified LAN (Low). However, information can still flow from the Unclassified LAN to the Classified LAN.

To achieve his goal, he configured both the text message sender and receiver as follows:

- The text message sender is configured to send a text message to the text message receiver via the TCP/IP protocol.
- The text message receiver is configured to receive a simple text message from the sender via the TCP/IP protocol.
- The following IP/port is given to each machine:
  Text message sender: and port 9898 is open
  Text message receiver: and port 9999 is open
- A text message is allowed to be sent only from port 9898 of the (sender) host to port 9999 of the (receiver) host.

Part A) As you can see from the diagram above, the text message sender and receiver have been compromised by the adversary and the Trojan, respectively. However, the router with Snort IDS installed (router/snort) is securely protected and can be fully trusted.

Write efficient Snort rules and access control lists which will be implemented on the router/snort to detect or block confidential information leakage from High to Low. Write your rationale for writing your rules and access control lists. For example, if the text message receiver (Trojan at High LAN) attempts to send a text message (confidential information) to the text message sender (the adversary at Low LAN), the attempt will be either blocked by your access control list(s) or detected by your Snort rule(s).

Do not write more than 5 rules and lists in total. At least one access control list must be included. [15 points]

Hint: Access control lists are discussed in Module 10, and Snort rules are covered in Module 7 as well as Lab 2. To see more Snort options, please refer to chapter 3 of the Snort User Manual 2.9.1 by the Snort Project (link: ).

Answer:

Part B) Describe a way for the Trojan to covertly transmit 4 characters (e.g., A, B, C and D) to the adversary without being detected or blocked by your rules and access control lists provided in Part A. [9 points]

Answer:

8. [topic: IPsec VPN] What do you think are the advantages and disadvantages of using both AH and ESP protocols on the same end-to-end IPsec connection (transport mode)? In addition, it is recommended that the ESP protocol should be performed before the AH protocol. Why is this approach recommended rather than authentication (AH) before encryption (ESP)? [9 points]

Answer:


