Answers and comments for homework 7 in an information assurance course. It discusses how attackers can use arp and dhcp to gain a man-in-the-middle position and how encryption can mitigate this problem. It also includes instructions for using ssh, nmap, and telnet to discover and analyze network information.
Due November 14, 2007.
a. From this machine, use nmap to discover what is running on the 192.168.50.0/24 network. Use the -A flag to get additional information. Submit the nmap output.

b. Try to fingerprint a service directly using telnet. Assuming that nmap reports one of the other machines is hosting a web server, use “telnet
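An added example, not part of the assignment or its answer key, of analyzing what these two steps produce: it parses a constructed report in the style of nmap -A normal output into per-host open ports, pulls the Server header out of a constructed HTTP response like the one telnet would display after a HEAD request, and lists the cleartext services worth following up on. The scan text, the HTTP response and the watch-list are all constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of nmap -A normal output (not a real scan).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.50.10
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.3 ((CentOS))
139/tcp  open  netbios-ssn Samba smbd 3.X
Nmap scan report for 192.168.50.20
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_nmap(text: str) -> Dict[str, List[Tuple[int, str, str, str]]]:
    """Map each scanned host to (port, proto, service, version) for its open ports."""
    hosts, current = {}, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            current = line.split()[-1]
            hosts[current] = []
        else:
            m = PORT_LINE.match(line)
            if m and current and m.group(3) == "open":
                hosts[current].append((int(m.group(1)), m.group(2), m.group(4), m.group(5).strip()))
    return hosts

# Constructed raw HTTP response, as telnet to port 80 would display after a HEAD request.
SAMPLE_HTTP = ("HTTP/1.1 200 OK\r\nDate: Wed, 14 Nov 2007 10:00:00 GMT\r\n"
               "Server: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n\r\n")

def server_header(response: str) -> str:
    """Fingerprint a web server from its raw response: return the Server header, or '' if absent."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""

# Watch-list of cleartext services to follow up on (constructed; telnet and netbios appear in this answer key).
CLEARTEXT = {"telnet", "netbios-ssn"}

def cleartext_services(hosts: Dict[str, List[Tuple[int, str, str, str]]]) -> List[Tuple[str, int, str]]:
    """Return (host, port, service) for every open watch-listed service."""
    return [(h, p, s) for h, ports in hosts.items() for p, _, s, _ in ports if s in CLEARTEXT]
```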
a. Analyze the current architecture and identify three potential threats that could affect confidentiality, integrity, or availability for him, his customers, or the surrounding community.

Potential threats:
b. Update the original architecture to address the threats you identified in part A plus any additional changes you feel would be beneficial. Describe how your changes improve network security.

There are a variety of new network architectures possible. The new architecture should introduce changes that directly address the threats identified in part A.

Introduce a basic firewall after the cable modem. Block all (or nearly all) incoming traffic.

Introduce address translation. Presumably, the original design already had address translation someplace; it is unlikely that the coffee shop owner would have paid for a large number of routable addresses.

Adding WPA would address the problem of random individuals taking advantage of the network connection for undesirable behavior, but it would degrade the experience for legitimate customers. If the shop owner isn't willing to turn on WPA, he should invest in some intrusion detection software and watch and act upon the results.

The design should have a segmented network. The office machine and the point-of-sale machine should be on a separate network from the wireless network, and there probably should be some filtering between those two networks. You probably do not need any communication between those two fixed computers and the wireless network.

The single office computer should be replaced with several computers to help prevent a domino effect if an exploitable vulnerability is found in one of the applications. Perhaps virtualization software could be used to better isolate applications without the cost of additional hardware.

Addressing the denial of service attacks is a bit more difficult. If the attacker is working from a single machine or a fixed set of machines, you could block access by MAC address, but a savvy attacker is likely varying his MAC. You could incorporate QoS to limit the bandwidth used by an individual address.
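To make the segmentation and QoS suggestions concrete, here is an added example in Python (not from the answer key) that models the revised design: a zone policy under which no new connection may be initiated from the Internet and none from the customer wireless into the office/point-of-sale network, plus a per-address token bucket standing in for the QoS limit on a single address. The zone labels, rates, burst sizes and client addresses are assumptions of this example.

```python
# Zones of the revised design; the labels are this example's own, not from the answer key.
WAN, WIFI, OFFICE = "wan", "wifi", "office"

# Directions in which a NEW connection may be opened. Nothing may be initiated from the
# Internet, and the customer wireless never reaches the office/point-of-sale network.
ALLOWED_NEW = {(WIFI, WAN), (OFFICE, WAN)}

def allow_new_connection(src_zone: str, dst_zone: str) -> bool:
    """Stateful-firewall decision for the first packet of a connection; replies ride on that state."""
    return (src_zone, dst_zone) in ALLOWED_NEW

class TokenBucket:
    """Per-address cap: refills at `rate` bytes/s up to `burst`, so one client cannot hog the link."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0      # start full; `last` is the previous check time

    def admit(self, now: float, nbytes: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False          # over the cap: queue or drop, depending on the QoS discipline

class WifiShaper:
    """One bucket per wireless client address (assumed defaults, roughly a 1 Mbit/s cap)."""
    def __init__(self, rate: float = 125_000.0, burst: float = 250_000.0):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def admit(self, src_ip: str, now: float, nbytes: int) -> bool:
        bucket = self.buckets.setdefault(src_ip, TokenBucket(self.rate, self.burst))
        return bucket.admit(now, nbytes)
```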
My answers would be:

A and Y – On the inside network, you cannot statically constrain packets to the expected services. You may not know enough about current address assignments to filter traffic on an employee-by-employee basis, and some protocols with many known attacks (like netbios) might be needed internally. With IDS, you could allow netbios but look for and react to odd behavior on that protocol. With packet filtering and an application firewall, you have more fixed constraints. An intrusion detection device could in theory detect and notify you of unusual characteristics of otherwise allowable traffic (e.g., a sudden burst of traffic accessing the departmental design file server).

B and W – At the entry point of the network, you want to make sure that you don't slow things down much. If there are known bad addresses or very clear rules about services that aren't accessible from the outside (like netbios), a packet filter can quickly drop obviously bad packets. By eliminating these packets early, you reduce the workload on the rest of the network. As many of you noted, this won't catch all the bad traffic, but it reduces the workload on the IDS device. The IDS would also work in general. However, if you know that all traffic from a particular address is suspect, the IDS will likely allow in some traffic from that address if it does not detect a problem.

C and X – To filter for bad web sites and scripts, the tool must have access to the HTTP application-level data. This is not available in the packet filter. Since you are filtering for a fixed set of bad things, intrusion detection would be overkill. The application firewall completely reconstructs the layer 7 stream, so this is the best place to filter for fixed characteristics of that layer 7 traffic.
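An added example, not from the answer key, that runs constructed flow records through the two layers argued for above: a cheap perimeter packet filter that drops known-bad addresses and external netbios before the IDS ever sees them, followed by an IDS-style detector for the "sudden burst of traffic accessing the departmental file server" case, which only a device watching otherwise allowable traffic can catch. The addresses, ports, flow records and threshold are constructed for this example.

```python
from collections import defaultdict, deque

FILE_SERVER = "10.1.0.5"                  # the departmental file server (constructed address)
BLOCKED_SOURCES = {"198.51.100.9"}        # known-bad external addresses (constructed)
NETBIOS_PORTS = {137, 138, 139, 445}

# Constructed flow records: (time_s, src_ip, dst_ip, dst_port, arrived_from_outside).
FLOWS = [
    (0.0, "203.0.113.7", FILE_SERVER, 139, True),     # netbios from the Internet
    (0.5, "198.51.100.9", FILE_SERVER, 80, True),     # known-bad address
    (1.0, "10.1.0.21", FILE_SERVER, 139, False),      # internal netbios: allowed, but watched
] + [(2.0 + i * 0.1, "10.1.0.33", FILE_SERVER, 445, False) for i in range(25)]  # burst

def packet_filter(flow) -> bool:
    """Perimeter packet filter: cheap checks on addresses and ports only, no payload inspection."""
    _, src, _, port, from_outside = flow
    if src in BLOCKED_SOURCES:
        return False
    if from_outside and port in NETBIOS_PORTS:
        return False
    return True

class BurstDetector:
    """IDS-style check: a source opening more than `threshold` flows to the file server inside `window` seconds is unusual."""
    def __init__(self, threshold: int = 20, window: float = 5.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)      # src_ip -> timestamps still inside the window
        self.alerted = set()                  # alert once per source, not once per packet

    def observe(self, flow):
        ts, src, dst, _, _ = flow
        if dst != FILE_SERVER:
            return None
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) > self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return f"burst: {src} opened {len(q)} flows to {dst} within {self.window}s"
        return None

def run_pipeline(flows):
    """Filter first (dropping cheaply), then hand survivors to the IDS. Returns (dropped_srcs, alerts)."""
    ids, dropped, alerts = BurstDetector(), [], []
    for flow in flows:
        if not packet_filter(flow):
            dropped.append(flow[1])
        elif (alert := ids.observe(flow)):
            alerts.append(alert)
    return dropped, alerts
```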