
Final exam review, Fall 2005

FSU (CIS-5357) Network Security

Instructor: Breno de Medeiros

1. What is an insertion attack against a NIDS?

Answer: An insertion attack against a network intrusion detection system is when an attacker successfully eludes attack detection (for instance, attack signature recognition) by making the NIDS reconstruct a packet sequence that includes a packet which will be discarded by, or never reach, the target.

2. How may the do-not-fragment flag in an IP header be exploited to enable an insertion attack?

Answer: An IP packet with the do-not-fragment flag set can be discarded by a router if the packet is too long for the next physical network. If the NIDS does not know that the packet will be dropped (because it ignores network topology), it may consider the packet part of the sequence reaching the host.

3. Explain an evasion attack against a NIDS.

Answer: An evasion attack against a NIDS is when an attacker eludes detection by making the NIDS reconstruct a packet sequence that does not include a packet that will be accepted by the host.

4. How may an attacker use a bad UDP checksum to exploit the NIDS via an evasion attack?

Answer: For instance, if the host does not discard UDP packets with incorrect checksums, but the NIDS does, the attacker can send such a packet.
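The checksum-policy mismatch from questions 3 and 4, as an added model that is not part of the review sheet: the same two UDP datagrams are reassembled by a NIDS that drops bad-checksum packets and by a host that does not, so the two nodes end up looking at different payload streams. Addresses, ports and the signature string are constructed.

```python
import struct

# Constructed model (not from the review sheet): a NIDS and an end host that
# apply different UDP checksum policies see different payload streams.

def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    return src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)   # proto 17 = UDP

def build_udp(src_ip, dst_ip, sport, dport, payload, corrupt=False) -> bytes:
    """RFC 768 datagram; corrupt=True stores a deliberately wrong checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    covered = pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload
    csum = (0xFFFF & ~ones_complement_sum(covered)) or 0xFFFF  # 0 means "no checksum"
    if corrupt:
        csum = ((csum + 1) & 0xFFFF) or 1   # any value other than the right one
    return header[:6] + struct.pack("!H", csum) + payload

def checksum_ok(src_ip, dst_ip, udp: bytes) -> bool:
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return True                          # sender disabled the checksum (IPv4)
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(udp)) + udp) == 0xFFFF

def stream_as_seen(pkts, src_ip, dst_ip, drop_bad_checksum: bool) -> bytes:
    """Payload stream as reconstructed by a node with the given policy."""
    return b"".join(p[8:] for p in pkts
                    if not (drop_bad_checksum and not checksum_ok(src_ip, dst_ip, p)))

SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])   # constructed addresses
SIGNATURE = b"ATTACK"                                   # constructed signature

def evasion_check() -> dict:
    # Constructed traffic: the first datagram carries a bad checksum.
    pkts = [build_udp(SRC, DST, 4000, 53, b"AT", corrupt=True),
            build_udp(SRC, DST, 4000, 53, b"TACK")]
    nids_view = stream_as_seen(pkts, SRC, DST, drop_bad_checksum=True)
    host_view = stream_as_seen(pkts, SRC, DST, drop_bad_checksum=False)
    return {"nids_stream": nids_view, "host_stream": host_view,
            "nids_alerts": SIGNATURE in nids_view,
            "host_receives_signature": SIGNATURE in host_view,
            # A NIDS that models the lenient host (or flags bad checksums
            # instead of silently dropping them) closes the gap.
            "aligned_nids_alerts": SIGNATURE in stream_as_seen(pkts, SRC, DST, False)}

if __name__ == "__main__":
    print(evasion_check())
```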

5. How may IP fragmentation be used to implement a denial-of-service attack against a NIDS?

Answer: In order to reconstruct the data stream, a NIDS must, in particular, reconstruct IP packets by collating IP fragments. In a denial-of-service attack against the NIDS, an attacker can initiate transmission of fragmented IP packets and never send at least one fragment of each. If the number of such incomplete packets is large enough, the NIDS will run out of buffer memory for holding the incomplete IP packets.

6. What is the difference between a stateless vs. stateful firewall?

Answer: A stateless firewall does not keep information about existing connections, TCP sequence numbers, and other information. It analyzes packets independently, not as part of the packet sequence.

7. Can a stateless firewall block TCP connection initiation requests to some local host, while allowing returning traffic to flow to existing connections initiated by the local host to an external host?

Answer: Yes. The firewall filters out SYN-packets to the local host, but allows SYN-ACK and other packets to flow through.

8. Can a stateless firewall prevent all probing of a specific port without preventing all communication to that port? Why or why not?

Answer: No. The reason is that, if any traffic is allowed to the port on the host, a probe may send a packet as if it belonged to a previously existing connection. Since the firewall is stateless and has no knowledge of the actual existing connections, it must allow the packet as genuine. This will cause the host (if listening at that port) to send a
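The rule from questions 7 and 8 and its limitation, as an added model that is not the course's own code: a stateless filter decides from the packet in hand alone, so an ACK-only segment passes, while a stateful filter checks it against the connections the inside actually opened. Addresses, ports and the internal prefix are constructed.

```python
from dataclasses import dataclass

# Constructed model for questions 7 and 8 (not the course's own code).

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def is_internal(addr: str) -> bool:
    return addr.startswith("10.0.0.")          # constructed internal prefix

def stateless_decision(pkt: Packet) -> str:
    """Block inbound connection requests; pass everything else (question 7)."""
    inbound = is_internal(pkt.dst) and not is_internal(pkt.src)
    if inbound and pkt.syn and not pkt.ack:
        return "DROP"                           # bare SYN = new connection from outside
    return "ACCEPT"                             # SYN-ACK, ACK, data: assumed existing flow

class StatefulFilter:
    """Remembers outbound initiations; inbound segments must match one (question 6)."""
    def __init__(self):
        self.flows = set()
    def decision(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"                     # reply to a connection we saw opened
        return "DROP"

# Constructed traffic: 10.0.0.8 opens a web connection to 198.51.100.7.
OUTBOUND_HANDSHAKE = [
    Packet("10.0.0.8", 40001, "198.51.100.7", 80, syn=True),
    Packet("198.51.100.7", 80, "10.0.0.8", 40001, syn=True, ack=True),
    Packet("10.0.0.8", 40001, "198.51.100.7", 80, ack=True),
]
INBOUND_INIT = Packet("203.0.113.9", 5555, "10.0.0.8", 22, syn=True)
# Question 8: an ACK-only segment to port 22 looks like part of an existing
# connection; the stateless filter has no table to check it against.
STRAY_ACK = Packet("203.0.113.9", 5555, "10.0.0.8", 22, ack=True)

def compare() -> dict:
    traffic = OUTBOUND_HANDSHAKE + [INBOUND_INIT, STRAY_ACK]
    stateful = StatefulFilter()
    return {"stateless": [stateless_decision(p) for p in traffic],
            "stateful": [stateful.decision(p) for p in traffic]}

if __name__ == "__main__":
    print(compare())
```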

9. Suppose a host-based firewall on a server keeps state for existing TCP connections—i.e., it tracks the state of TCP handshakes and only allows non-handshake packets on established connections. It must create a “SYN-received/SYN-ACK sent” queue until it sees a responding “ACK.” Since the firewall queue is finite, it can be overwhelmed by a SYN-flood attack in which an attacker node sends many requests (SYN packets) under spoofed IP addresses, to cause the firewall to run out of queue space. What will happen if, when the firewall runs out of queue space, it blocks further SYN packets?

What will happen if, when the firewall runs out of queue space, it stops enforcing the restriction on non-handshake packets? Explain why an ACK time-out strategy will not work to solve this problem.

Answer: In the first case, the firewall will cause a denial-of-service attack on the server by dropping any further connection requests. In the second case, the firewall will lose the ability to enforce the restriction of not accepting non-handshake packets on non-established connections, since it will no longer have knowledge of the set of established connections. An ACK time-out strategy will not work against a large attack: an attacker can generate enough SYN packets to make sure the buffer is filled up before the first ACK time-out takes place.

10. What is a dual-homed host?

Answer: A dual-homed host is a computer with two network interfaces, each connected to a different network. The dual-homed host routes packets from one network to the other, and can implement complex filtering rules.

11. What is a perimeter network? Name its important components.

Answer: A perimeter network stands between the Internet and the internal network. Important components are the external router—connecting the perimeter network to the Internet, the internal router—connecting the perimeter network to the internal network, and bastion hosts—nodes of the perimeter network.

12. What types of network services are often placed at bastion hosts and why?

Answer: DNS, Web, FTP server, and other servers destined to external users. These servers are highly visible and placing them at the internal network puts stress on the internal router, which often implements more complex filtering rules than the external one.

13. Fill in the blanks.

(a) A machine which provides services to Internet clients is highly visible and therefore a likely attack target. These machines are reinforced with a high level of host-based security measures. Because of these, they are called bastion hosts.

(b) Some organizations have to segment their network in several components because they need to deploy machines with different security requirements. The boundaries between these networks need to be separated by screening routers which implement internal firewalls.

(c) A screened subnet firewall architecture is characterized by a perimeter network, which stands between the Internet and the internal network.

(d) Network intrusion detection systems (NIDS) are vulnerable to several different types of attacks.

Some attacks exploit differences between the IP protocol implementation of the NIDS and the end system. For instance, an attack that fools the NIDS into believing that the end system will drop a packet when in fact the packet will be accepted is called an evasion attack, and might prevent the NIDS from recognizing an attack sequence directed at the end system.

(e) A denial of service attack on a NIDS directly impedes the NIDS from carrying out its functions by forcing it to run out of resources. For instance, such an attack can proceed by sending only some fragments of many IP packets, forcing the NIDS to accumulate all such fragments and exhaust its memory.

14. The security of the RSA cryptosystem is based on the hardness of computing {roots, primes} modulo a composite number whose {factors, exponents} are unknown.

15. Describe the format of the public and private keys of the RSA cryptosystem.

Answer: The public key is a composite n and an exponent e. The private key is a pair of primes p, q such that n = pq, and d is an exponent such that ed ≡ 1 (mod φ(n)).

16. What is the value of the Euler function φ(n) for n that is the product of two primes p and q?

φ(n) = (p − 1)(q − 1).


17. Is it safe to reveal the value of φ(n) corresponding to the public modulus of an RSA encryption scheme?

Answer: No. From knowledge of φ(n) the factors of n can be computed.

18. If M is a message, and E = Encode(M) is a secure encoding of M as an integer in {0, ..., n − 1}, what is the value of the public key encryption of M using RSA public key (n, e)?
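Questions 15 to 18 worked through in code, as an added example that is not part of the review sheet: key generation with the relations above, encryption of an already-encoded integer E, and the recovery of p and q from n and φ(n) that makes question 17's answer concrete. The primes 61 and 53 are a constructed textbook-sized pair; real keys use primes of at least 1024 bits.

```python
from math import gcd, isqrt

# Added worked example (not from the review sheet) for questions 15 to 18.

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Question 15: public key (n, e); private key (p, q, d) with ed ≡ 1 (mod φ(n))."""
    n = p * q
    phi = (p - 1) * (q - 1)                  # question 16: φ(n) = (p-1)(q-1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to φ(n)")
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (p, q, d)

def rsa_encrypt(pub, E: int) -> int:
    """Question 18: E is already a securely encoded integer in {0, ..., n-1}."""
    n, e = pub
    if not 0 <= E < n:
        raise ValueError("encoded message out of range")
    return pow(E, e, n)

def rsa_decrypt(priv, pub, C: int) -> int:
    n, _ = pub
    return pow(C, priv[2], n)

def factor_from_phi(n: int, phi: int):
    """Question 17: p and q are the roots of x^2 - (n - φ(n) + 1)x + n = 0."""
    s = n - phi + 1                          # p + q, since φ(n) = n - p - q + 1
    disc = s * s - 4 * n                     # (p - q)^2
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        raise ValueError("φ(n) inconsistent with n")
    p, q = (s + r) // 2, (s - r) // 2
    assert p * q == n
    return p, q

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)     # constructed small parameters
    C = rsa_encrypt(pub, 65)
    print(pub, priv, C, rsa_decrypt(priv, pub, C))
    print(factor_from_phi(pub[0], (priv[0] - 1) * (priv[1] - 1)))
```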


Answer: It is a type of man-in-the-middle attack where the goal of the attacker E is to have the two parties A and B compute the same key but bind the key to different identities.

20. Cite three goals of the IKE protocol.

Answer: Privacy of the computed key against active attacks (including man-in-the-middle attacks), key binding consistency, and optional identity privacy of the communicating parties against eavesdroppers.

21. Explain how the IPSec Transport mode works.

Answer: The packet header of the original IP packet is duplicated, followed by an appropriate IPSec header, and the (possibly encrypted and authenticated) payload.

22. Explain how the IPSec Tunnel mode works.

Answer: The entire IP packet (header and payload) is made into a (possibly encrypted and/or authenticated) payload, and a new IP header and IPSec header are created.

23. A corporation establishes gateways GW1 and GW2 at different branches. They enable machines in different branches to communicate securely over the Internet by implementing IPSec at the gateways only. That means that when a machine A inside the first network sends an IP packet to a machine B in the second network, the gateway GW1 intercepts the IP packet in transit and encapsulates it into an IPSec packet. At the other end, GW2 recovers the original IP packet to be routed in the second network to machine B. Which of the IPSec modes, tunnel or transport, and AH or ESP, should be used if it is desired that no Internet eavesdroppers learn the identities A and B of the communicating parties?

Answer: If the identities of the communicating parties must be kept secret (protection against traffic analysis), then tunnel mode with encryption (ESP) should be used. In this case, the original IP packet header (which identifies source and destination machines) is encrypted and sent as payload. The new IP header will only show GW1 and GW2 as the source/destination pair.

24. Why is the authentication header (AH) mode of IPSec incompatible with network address translation (NAT) schemes?

Answer: The authentication header covers several fields of the IP packet header that need to be modified by NAT boxes, and whose original values cannot be guessed at the destination. For instance, if the source address is translated to the NAT box address, the receiver can only guess at the original private IP address of the sender. In other words, the receiver cannot verify the integrity of AH-authenticated packets that have been translated.
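Questions 21 to 24 as one added model that is not the course's code: packets are dicts, ESP's cipher is stood in for by a SHA-256 keystream XOR, and the AH integrity check value is an HMAC over the fields AH covers (source, destination, payload, but not the mutable TTL). It shows which addresses an eavesdropper reads in each mode, and that a router hop leaves AH verifiable while a NAT rewrite does not. All addresses and the shared key are constructed.

```python
import hashlib, hmac, json

# Constructed model for questions 21 to 24 (not the course's code).

A, B = "10.1.0.5", "10.2.0.7"                      # hosts behind the gateways
GW1, GW2, NAT_PUB = "198.51.100.1", "203.0.113.1", "192.0.2.1"

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for ESP's cipher: XOR with a SHA-256 counter keystream."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def ip_packet(src, dst, payload: str, ttl=64) -> dict:
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload}

def esp_transport(pkt, key) -> dict:
    """Transport mode (question 21): original header kept, payload protected."""
    return {**pkt, "ipsec": "ESP", "payload": keystream_xor(pkt["payload"].encode(), key).hex()}

def esp_tunnel(pkt, key, outer_src, outer_dst) -> dict:
    """Tunnel mode (question 22): whole packet becomes payload of a new header."""
    inner = json.dumps(pkt, sort_keys=True).encode()
    return {"src": outer_src, "dst": outer_dst, "ttl": 64, "ipsec": "ESP",
            "payload": keystream_xor(inner, key).hex()}

def eavesdropper_sees(pkt) -> set:
    """Addresses readable from the outer header on the wire (question 23)."""
    return {pkt["src"], pkt["dst"]}

def ah_icv(pkt, key) -> str:
    # AH covers immutable header fields (src, dst) and the payload, not TTL.
    covered = json.dumps({k: pkt[k] for k in ("src", "dst", "payload")}, sort_keys=True)
    return hmac.new(key, covered.encode(), hashlib.sha256).hexdigest()

def ah_protect(pkt, key) -> dict:
    return {**pkt, "ipsec": "AH", "icv": ah_icv(pkt, key)}

def ah_verify(pkt, key) -> bool:
    return hmac.compare_digest(pkt["icv"], ah_icv(pkt, key))

def router_hop(pkt) -> dict:
    return {**pkt, "ttl": pkt["ttl"] - 1}            # mutable field: AH tolerates it

def nat_translate(pkt, public_addr) -> dict:
    return {**router_hop(pkt), "src": public_addr}   # rewrites a covered field (question 24)

def demo() -> dict:
    key = b"constructed-shared-key"
    pkt = ip_packet(A, B, "hello")
    return {"transport_visible": eavesdropper_sees(esp_transport(pkt, key)),
            "tunnel_visible": eavesdropper_sees(esp_tunnel(pkt, key, GW1, GW2)),
            "ah_after_router": ah_verify(router_hop(ah_protect(pkt, key)), key),
            "ah_after_nat": ah_verify(nat_translate(ah_protect(pkt, key), NAT_PUB), key)}

if __name__ == "__main__":
    print(demo())
```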

25. SSL is vulnerable to denial-of-service attack called the rogue packet problem. This attack exploits the fact that SSL runs above the TCP networking protocol. Corrupted SSL payloads that still pass the lower-level checksum will not be re-transmitted and will cause the SSL connection to fail.

26. Describe the rogue packet attack against SSL.

Answer: The rogue packet attack is a traffic injection attack. The attacker sniffs traffic between sender and receiver and creates a valid TCP packet for the connection—in the sense that it has a correct sequence number and TCP checksum. The packet will be accepted at the destination by the TCP layer, but rejected by the SSL layer. Since SSL cannot trigger a re-transmission of packets (it does not implement a reliable transport mechanism, but depends on TCP for that), the packet becomes permanently lost. This results in an improper SSL connection state that will probably cause the connection to fail.

27. Why is the rogue packet problem a serious denial-of-service attack threat to SSL?

Answer: For two reasons. (1) It is easy to mount, requiring only an attacker’s ability to sniff traffic close to the targeted server. (2) It causes existing SSL connections to fail. SSL connection initiations require expensive RSA decryption operations, so if SSL connections need to be frequently re-established, the server will be overwhelmed by the cryptographic workload.

28. In SSL, the secret used to generate the session keys is chosen by the { client, server } and sent to the server using { RSA, Elgamal } encryption. In IKE, both client and server generate random contributions to the session key by engaging in a { Diffie-Hellman, DSA } key agreement protocol. The latter is potentially more secure, because if either of the parties has a strong { cryptographic suite, random number generator }, the privacy of the session key is guaranteed.

29. Both SSL and IPSec negotiate their cryptographic algorithms at the beginning of the session establishment dialogue. Could this be exploited by a man-in-the-middle adversary to force the parties to agree on a weak cryptographic suite even though both parties support a common (preferred) strong suite?

Answer: In SSL v.2, this can be exploited. A man-in-the-middle can intercept the client message specifying the set of suites supported, and remove from it all strong suites. If both the server and client support the same weak suite, then the agreement will succeed with some weak suite being chosen. In IPSec and SSL v.3, this is not possible, because the protocol later uses the negotiated authentication key to belatedly verify the contents of all messages sent during the session establishment dialogue.

Here, one can make the reasonable assumption that, even for the weak suites, it is infeasible for an adversary to break the session authentication key in the short window of time required to forge correct answers to the verification step, which immediately follows the derivation of session keys.
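The negotiation check from question 29, as an added model that is not the course's code: each side keeps a transcript of the hello messages as it saw them, and the verification step is an HMAC over that transcript under the derived session key. Without the check (the SSL v.2 case) a stripped offer goes unnoticed; with it, the two transcripts disagree and the handshake fails. Suite names and the session key are constructed, and the key is taken as a given rather than derived, matching the assumption that the attacker cannot break it in the short verification window.

```python
import hashlib, hmac

# Constructed model of question 29 (not the course's code).

STRONG, WEAK = "AES256-SHA", "EXPORT-RC4-40"   # constructed suite names

class Party:
    def __init__(self, supported):
        self.supported = supported
        self.transcript = b""
    def note(self, msg: str):
        self.transcript += msg.encode() + b"\n"   # record the dialogue as seen
    def finished(self, key: bytes) -> str:
        return hmac.new(key, self.transcript, hashlib.sha256).hexdigest()

def handshake(client_suites, server_suites, mitm_strips=(), verify=True):
    """Return (suite chosen, handshake completed)."""
    client, server = Party(client_suites), Party(server_suites)
    client.note("ClientHello:" + ",".join(client_suites))
    # An attacker on the path rewrites the offer before the server sees it.
    offered = [s for s in client_suites if s not in mitm_strips]
    server.note("ClientHello:" + ",".join(offered))
    chosen = next((s for s in offered if s in server_suites), None)
    if chosen is None:
        return None, False
    server_hello = "ServerHello:" + chosen
    client.note(server_hello)
    server.note(server_hello)
    key = b"constructed-session-key"   # stands in for the key derived from the exchange
    if not verify:                      # SSL v.2: negotiation never re-checked
        return chosen, True
    # SSL v.3 / IKE: both sides authenticate their own view of the dialogue;
    # the attacker, lacking the key, cannot make the two views agree.
    return chosen, hmac.compare_digest(client.finished(key), server.finished(key))

if __name__ == "__main__":
    print(handshake([STRONG, WEAK], [STRONG, WEAK]))
    print(handshake([STRONG, WEAK], [STRONG, WEAK], mitm_strips=[STRONG], verify=False))
    print(handshake([STRONG, WEAK], [STRONG, WEAK], mitm_strips=[STRONG]))
```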

30. Why do some protocols such as SSL use different keys for client authentication and server authentication, even though both could use the same key with the HMAC?

Answer: To prevent reflection attacks, in which a packet from the server to the client is returned to the server, and accepted as coming from the client.
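The reflection problem from question 30 as an added model, not the course's code: an endpoint MACs what it sends with one key and checks what it receives with another. When both keys are the same, a record the server produced passes the server's own check if it is echoed back; with direction-specific keys it does not. Keys and the record text are constructed.

```python
import hashlib, hmac, os

# Constructed model of question 30 (not the course's code).

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Endpoint:
    """MACs outgoing records with send_key, checks incoming ones with recv_key."""
    def __init__(self, send_key: bytes, recv_key: bytes):
        self.send_key, self.recv_key = send_key, recv_key
    def protect(self, msg: bytes) -> tuple:
        return msg, mac(self.send_key, msg)
    def accept(self, record: tuple) -> bool:
        msg, tag = record
        return hmac.compare_digest(tag, mac(self.recv_key, msg))

def reflection_succeeds(shared_key: bool) -> bool:
    """Does a server-originated record pass the server's own check when echoed back?"""
    k_c2s, k_s2c = os.urandom(32), os.urandom(32)
    if shared_key:
        k_s2c = k_c2s                        # one HMAC key for both directions
    server = Endpoint(send_key=k_s2c, recv_key=k_c2s)
    client = Endpoint(send_key=k_c2s, recv_key=k_s2c)
    record = server.protect(b"server says: transfer approved")   # constructed record
    assert client.accept(record)             # the legitimate direction always works
    return server.accept(record)             # the same bytes returned to the server

if __name__ == "__main__":
    print("shared key:", reflection_succeeds(True))
    print("per-direction keys:", reflection_succeeds(False))
```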

31. Condensed review of material from the first mid-term: Read Chapter 11 (minus the Otway-Rees protocol, not covered) and answer questions 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.8, 11.9.11, 11.9.13.

32. Chapter 16 condenses many topics discussed throughout the SSL and IPSec/IKE chapters. Reading it is a good way to review the most important aspects of these chapters. Do the easy homework part.
