Scribd Logo
Upload

Welcome to Scribd!

  • 2017 Ce 823

    Uploaded by

    Hero Nakamura
    123 views5 pages
    Network Security and Cryptographic Principles

    Original Title

    2017ce823

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Network Security and Cryptographic Principles

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    123 views5 pages

    2017 Ce 823

    Uploaded by

    Hero Nakamura
    Network Security and Cryptographic Principles

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 5

    CE823-7-SP

    UNIVERSITY OF ESSEX

    Postgraduate Examinations 2017

    Network Security and Cryptographic Principles

    Time allowed: TWO hours

    Candidates are permitted to bring into the examination room:

    Calculator – Casio FX-83GT PLUS or Casio FX-85GT PLUS only

    The following items are provided:

    Graph paper (available on the invigilator’s desk)

    The paper consists of FOUR questions.

    Candidates must answer ALL questions

    Questions are of equal weight.

    The percentages shown in brackets provide an indication of the proportion of the total marks for
    the PAPER which will be allocated.

    Please do not leave your seat unless you are given permission by an invigilator.
    Do not communicate in any way with any other candidate in the examination room.
    Do not open the question paper until told to do so.
    All answers must be written in the answer book(s) provided.
    All rough work must be written in the answer book(s) provided. A line should be drawn through
    any rough work to indicate to the examiner that it is not part of the work to be marked.
    At the end of the examination, remain seated until your answer book(s) have been collected and
    you have been told you may leave.
    CE823-7-SP 2

    Question 1

    A new company, that does most of its business through online sales, has asked you to design the
    company network architecture with regard to security features. The company network has the
    following requirements:

    • the network is to reside in a single campus

    • a web server provides the online sales presence

    • customer records including sales and credit-card information must be securely stored

    • 1000 client workstations are used by company workers in the campus and require general
    Internet browsing as well as dealing with customer records

    • it must provide internal and external email communication

    • it should have the ability to share files using shared file storage

    • it should provide general network support services such as DNS.

    (a) Design a network architecture that meets the requirements above. Your answer should not [17%]
    give details about servers or firewalls other than to describe their connectivity and purpose
    to support the secure operation of the network.

    The company is concerned that a secure architecture alone is not enough to protect the
    online-shop from external attack. The online-shop has been supplied, by a reputable provider, as
    a standard web-application that is modified for each company to incorporate the company stock
    list, logos and other company specific information. For business reasons, the company does not
    want to employ software developers to create or test security in the web-application itself, but
    wants to ensure the secure operation of the online-shop using an off-the-shelf solution.

    (b) Propose a solution to add additional protection for the online shop web-application and [8%]
    briefly describe how it operates.
    3 CE823-7-SP

    Question 2

    You are to write firewall rules for an organization’s external firewall. The firewall has only two
    interfaces: the external interface connects to the Internet, the internal interface connects to the
    internal network of the organization that is to be protected. The firewall is a stateless packet
    filtering firewall. The company’s internal network consists of:

    • a single IP subnet 155.245.1.0-255

    • the internal router interface address using 155.245.1.254

    • staff workstations using addresses 155.245.1.1-251

    • EmailServer, a SMTP server using address 155.245.1.253 and listening on port 25

    • FileServer, a network attached storage (NAS) using address 155.245.1.252, listening on


    TCP port 445

    The firewall policy requires:

    • staff workstations should be able to access HTTP servers in the Internet but no other
    Internet services

    • home workers can access FileServer from their home Internet connection

    • EmailServer should be able to send and receive email

    • all other traffic is to be blocked.

    (a) Design the firewall rules that meet the firewall policy above. Your answer does not need to [18%]
    be in the format of any particular firewall system but should describe the required firewall
    rule parameters. Every firewall rule must have a description that explains the fields.

    After specifying the firewall rules, you inform the company that the FileServer NAS is not
    secure over the Internet as it using a simple password hash for security and is also a frequent
    source of vulnerabilities due to infrequent software updates.

    (b) Briefly propose a solution that allows the home workers to access FileServer in a secure [7%]
    manner and explain why it is secure.
    CE823-7-SP 4

    Question 3

    The connection to a company’s database server is to be protected using the advanced encryption
    standard (AES). A large number of clients use the database and they authenticate with the
    database server through a secure password exchange mechanism. The designer of the system is
    aware that there is a problem with key-distribution using a symmetric cipher such as AES.

    (a) Propose a suitable key-distribution mechanism. Describe how it operates and how it is used [9%]
    by AES.

    (b) Explain why it is vital that, in addition to the client authentication, the server is properly [6%]
    authenticated.

    (c) Given that there are a large number of clients required to connect to the database server, [10%]
    propose and briefly describe a suitable mechanism to authenticate the server.
    5 CE823-7-SP

    Question 4

    (a) Kerberos consists of a number of different components, state and briefly describe these [6%]
    components

    C AS

    1: IDc

    2: E(Kc , KS )

    3: TT GT = E(KT GS , IDc |Ac |∆v |Ks )

    Figure 1

    The first three messages in a Kerberos v4 communication are shown in Figure 1 with
    abbreviations for the common terms. The diagram omits some of the other Kerberos
    components that are not involved in these first three messages.

    (b) Name and briefly describe the fields in each of the messages shown in Figure 1 with regard [11%]
    to the components you described in Part (a) and the security features that they perform.

    (c) Describe an attack that is possible against the Kerberos messages you have described in Part [8%]
    (b) and propose a solution against this attack. You should describe any security limitations
    to the solution that you propose.

    END OF PAPER CE823-7-SP

    You might also like