CE324 Coursework Reassessment

Uploaded by

Cent Security

This is a synoptic reassessment of the CE324 coursework for the work covering both laboratory tests and the Log-book. The marks will consist of two components that map to the original assessment:

Part 1 40% Basic network security and firewalls

Part 2 40% Network Intrusion detection and Public Key Infrastructure

20% Presentation of the submitted work (including presentation, structure, grammar, spelling and use of references).

The work is based loosely on the topics covered in the lab assessment for CE324. However, as you may not have access to the laboratory software, it instead requires you to consider equivalent practical scenarios and describe how they operate in theoretical terms. You do not need to access the laboratory, or other software, to fulfil this assessment. You will find that referring to the original laboratory material available on Moodle will help you answer this assessment.

What you will submit:

• A report that describes the components described in detail below. It should be a formal report, with a formal structure, and should include references to textbooks, research papers or standard documents in each area described. Web references are only allowed for documenting sources for software components or tools.

Topology for the assignment

Figure 1. Topology for the reassessment

For the reassessment you must use the same topology as used in the laboratory, as shown in Figure 1.

Part 1: Basic network security and firewalls

Scenario: an attacker has scanned the machine server from client and determined that
server is vulnerable to a remote root exploit in the Samba SMB server. The attacker
breaks into server and then performs a dictionary attack on the password file in
server. As the system administrator of server you will be protecting against this attack
using a firewall in gateway to block the remote root exploit but still allow the serving of
HTTP traffic from server.

In your submitted report you must:

• describe what is meant by scanning in this context, propose one suitable tool that an attacker or system administrator might use, and describe how this tool works (10%)
• describe what is meant by a remote root exploit giving a real example of one such remote root exploit and how an attacker may use it (this can be in the Samba SMB server or any other server tool that you wish to use as an example) (10%)
• describe what is meant by a dictionary attack against the password file and propose how this attack can be mitigated. Your description should explain what the password file is and where it is stored in a Linux system. (10%)
• design Linux iptables rules in gateway that allow client (or another machine connected in the same network as client) to access a standard HTTP server on server but block any other traffic. Your answer should explain the syntax of the rules you design and explain how they work to achieve the requirement. (10%)

Part 2: Network intrusion detection and Public Key Infrastructure

Scenario: the computer called server in Figure 1 is to be protected from attack from
systems connected to the same network as client. The protection is to include two
elements: an intrusion detection system running on gateway and transport layer security
(TLS) which means that only authenticated clients can access the HTTP server operating on
server.

In your submitted report you must:

• propose a suitable intrusion detection system that can operate on gateway and describe how it operates. (10%)
• describe how transport layer security (TLS) can be authenticated using public key infrastructure. Propose how the HTTP server operating on server can be configured to provide PKI protected TLS and show the relevant openssl commands to create all the necessary certificates (i.e. server, registration authority and certificate authority certificates). You will find the relevant openssl commands for this in the original laboratory script (Section 6) which you may use as a basis for your answer. (10%)
• propose how the PKI mechanism you have just described can be extended to provide PKI authentication of the client browser operating on client. Your explanation should explain why this is not normally used in the Internet. (10%)
• it is required that the intrusion detection system you designed above must also be able to inspect the TLS encrypted traffic. Assuming that gateway and server are managed by the same organisation, design a solution to meet this requirement. (10%)

Presentation requirements (20%)

Your work must be submitted as a formal report (with title, abstract, numbered section
headings, conclusion and list of references). For each of the eight points that require
description there must be at least one reference to a published piece of work (book or
research paper) that is relevant to the description; this might be a reference that describes
the problem and/or a suitable solution. The formal report should be well presented with
suitable diagrams and examples to support your descriptions and proposals. The report
should have a good standard of spelling and grammar. The report should include an
expanded form of the two scenarios (Part 1 and Part 2) so that your descriptions of each of
the eight points appear in context with the report as a whole.

Marks for presentation:

• 5% overall structure
• 5% spelling and grammar
• 5% appearance
• 5% suitable depth, context and clarity of the descriptions.
