
CS 651 SpTp Network Security

Spring 2016

Marshall University
March 13, 2016

MID-TERM EXAM (200 pts)


To Be Completed by Deadline: By 11:59 PM Sunday 3/20/2016
This mid-term covers the material from chapters 1-5, 26, 21, 59-60, 11, 14, 13,
and 15. Your performance on this mid-term exam should demonstrate your
understanding of key areas of this material.
IMPORTANT EXAM INSTRUCTIONS:

This is a take-home exam. You will be allowed to reference your course
textbook, lecture slides and your personal notes to complete this exam.

Mid-term exams are meant to measure individual performance. Do NOT
collaborate on this exam with fellow students or ask anyone else for
assistance in answering the questions. Do not share answers from your
exam with others. Doing so will be considered a violation of the
University Academic Dishonesty policy.

1. (Ch. 1) Organizational Security (15 points) - In your own words, briefly
summarize why it is important to have a secure organization; additionally, list
three (3) steps (hint: the textbook lists 10) to building a secure organization;
for each of the 3 steps you list, summarize why the step is important and how
it can make the organization more secure.

Every organization now invests heavily in protecting its information. Physical
security is one aspect an organization maintains, but with cyber crime growing,
organizations are also investing heavily in a secure network inside their
premises. One of the major threats to any IT organization is intrusion into its
sensitive data; what counts as sensitive depends on the kind of organization.
Any organization with a weak network is likely to be attacked by cyber
criminals.
Example: the iCloud account compromises, in which consumers' personal
information was misused.
Some of the steps to take to avoid such attacks are:
a) Monitor systems:
All security products are man-made and can fail or be compromised. As with any
other aspect of technology, one should never rely on a single product or tool.
Enabling logging on your systems is one way to put your organization in a
position to identify problem areas. The problem is: what should be logged? Some
security standards can help with this determination. One of them is the Payment
Card Industry Data Security Standard (PCI DSS). Requirement 10 of the PCI DSS
states that organizations must track and monitor all access to network resources
and cardholder data. If you substitute "confidential information" for the phrase
"cardholder data", this requirement is an excellent outline for a log management
program.
b) Identify and utilize built-in security features of the operating system and
applications:
Many organizations and systems administrators state that they cannot create a
secure organization because they have limited resources and do not have the
funds to purchase robust security tools. This is a misguided approach to
security, because all operating systems and many applications include security
mechanisms that require no organizational resources other than the time to
identify and configure them.
One of the biggest concerns in an organization today is data leaks: ways that
confidential information can leave an organization despite robust perimeter
security. USB flash drives are one cause of data leaks; another is the recovery
of data from the unallocated clusters of a computer's hard drive. Unallocated
clusters, or "free space" as it is commonly called, is the area of a hard drive
where the operating system and applications leave their artifacts or residual
data. Although this data is not viewable through the graphical user interface,
it can easily be identified (and sometimes recovered) using a hex editor such as
WinHex or one of the several commercially available computer forensics programs.
c) Do not forget the basics:
Many organizations spend a great deal of time and money on perimeter defenses
and overlook some fundamental security mechanisms, such as:
- Change default account passwords.
- Use robust passwords.
- Close unnecessary ports.

2. (Ch. 2) Cryptography (15 points) In your own words, describe what is
cryptography and why is encryption such an important part of computer
security? Additionally, since encryption is based on cipher algorithms, list one
(1) example each of an early and a modern cipher algorithm; then briefly
explain how the modern algorithm is superior at protecting sensitive
information.

Cryptography is the practice of protecting information by transforming it with a
key so that only the holder of the matching key can read it (encryption and
decryption), together with the related techniques for proving that information
is unaltered and comes from whom it claims. Encryption is such an important part
of computer security because data constantly sits on shared storage and crosses
networks that its owner does not control; without it, anyone able to read the
medium can read the data.

Early cipher algorithm: the Enigma machine. The Enigma was a field unit used
during World War II by German field operators to encrypt and decrypt messages
and communications. Like the Feistel function of the 1970s, the Enigma machine
was one of the first mechanized methods of encrypting text using an iterative
cipher. It used a series of rotors that, with some electrical power, a lamp
board, and a reflector, allowed the operator to either encrypt or decrypt a
message. The initial position of the rotors, set for every message according to
a prearranged scheme that in turn depended on the calendar, allowed the machine
to remain in use even if one was captured, because the secret lay in the daily
settings rather than in the hardware.
While the Enigma was in use, each successive key press advanced the rotors from
their set positions so that a different substitution was produced every time.
The operator, message in hand, entered each character by pressing the matching
key; the rotors advanced and a letter lit up, telling the operator what the
output letter was. When enciphering, the lit letter was the ciphertext; when
deciphering, it was the recovered plaintext. The constantly changing path of the
current through the rotors was not random, but it produced a polyalphabetic
cipher that could be different every time it was used.
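To make the machine's two structural properties concrete, here is an added example (not part of the original exam answer or the textbook): a deliberately simplified one-rotor machine in Python. The rotor and reflector wirings are constructed from a seeded shuffle, not the historical wheels. It reproduces the self-reciprocal behaviour (the same setting both enciphers and deciphers) and the consequence of the reflector that cryptanalysts exploited: because the reflector pairs letters and has no fixed point, no letter can ever encipher to itself, so a guessed plaintext fragment (a "crib") can only sit at offsets where it never coincides with the ciphertext above it.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def make_rotor(seed):
    """Constructed rotor wiring: a pseudo-random permutation of 0..25 (not a historical wheel)."""
    wiring = list(range(26))
    random.Random(seed).shuffle(wiring)
    return wiring


def make_reflector(seed):
    """Constructed reflector: 13 disjoint letter pairs, so it is an involution with no fixed
    point, which is the structural property shared with the Enigma's reflector."""
    letters = list(range(26))
    random.Random(seed).shuffle(letters)
    refl = [0] * 26
    for a, b in zip(letters[0::2], letters[1::2]):
        refl[a], refl[b] = b, a
    return refl


ROTOR = make_rotor(1)
ROTOR_INV = [0] * 26
for _contact, _out in enumerate(ROTOR):
    ROTOR_INV[_out] = _contact
REFLECTOR = make_reflector(2)


def encipher_letter(letter, pos):
    """One key press with the rotor at offset pos: current flows through the rotor,
    through the reflector, and back through the rotor in the opposite direction."""
    x = ALPHABET.index(letter)
    x = (ROTOR[(x + pos) % 26] - pos) % 26        # forward through the rotor
    x = REFLECTOR[x]                              # reflector turns the signal around
    x = (ROTOR_INV[(x + pos) % 26] - pos) % 26    # back through the rotor
    return ALPHABET[x]


def encipher(text, start=0):
    """Polyalphabetic: the rotor steps one place per key press, so each letter is enciphered
    with a different substitution. Every stage is reciprocal, so the same call with the same
    start position also deciphers."""
    return "".join(encipher_letter(c, (start + i) % 26) for i, c in enumerate(text))


def never_maps_to_itself():
    """Exhaustive check of the weakness: at every rotor position, no letter maps to itself."""
    return all(encipher_letter(c, pos) != c for pos in range(26) for c in ALPHABET)


def crib_positions(ciphertext, crib):
    """Offsets where a known plaintext fragment could align with the ciphertext. Any offset at
    which a crib letter equals the ciphertext letter above it is ruled out by the weakness."""
    return [i for i in range(len(ciphertext) - len(crib) + 1)
            if all(ciphertext[i + j] != crib[j] for j in range(len(crib)))]


if __name__ == "__main__":
    msg = "ATTACKATDAWN"
    ct = encipher(msg, start=3)
    print(ct, encipher(ct, start=3))        # round trip with the same setting
    print(never_maps_to_itself())           # True
    print(crib_positions(ct, "ATDAWN"))     # the true offset, 6, is always among them
```

The crib check is the whole reason the property matters: ruling out alignments shrinks the search an attacker has to do, and the real machine handed its attackers exactly this shortcut.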
Modern cipher algorithm: the Advanced Encryption Standard (AES).
- It uses a 128-bit block size (with 128-, 192- or 256-bit keys).
- Its key schedule uses the same S-box as the round function.
- It expands the key, not the plaintext.
- It is a substitution-permutation network, not a Feistel cipher.
- It is extremely intricate.
The AES algorithm is to symmetric ciphers what a bowl of spaghetti is to the
shortest distance between two points. Through 10 to 14 rounds of interleaved
operations (XORing in round keys, byte substitution through the S-box, row
shifting, column mixing, and the key expansion that feeds them) a very strong
encryption is created that, with modern computing, is computationally infeasible
to break.
How the modern algorithm is superior at protecting sensitive information: the
Enigma's secret was a small mechanical setting (rotor order, ring settings,
plugboard, start position), and once the machine's structure was known that
setting could be searched by hand and by machine; the AES algorithm is fully
public and its security rests only on a 128-bit or longer key, a space far too
large to search. Used together with the other modern primitives, it delivers
the following services:
Data integrity: cryptographic hash functions play an essential role in assuring
users that information has not been altered.
Confidentiality: encryption keeps data and communications from unauthorized
disclosure and access.
Non-repudiation: a digital signature provides the non-repudiation service,
guarding against a dispute in which the sender denies having sent a message.
Authentication: cryptographic techniques such as MACs and digital signatures
protect information against spoofing and forgery.

3. (Ch. 3) Intrusion Detection (15 points) - In your own words, briefly summarize
what is a system intrusion; additionally, list three (3) examples of system
intrusions, and for each example how the intrusion can be identified by a
system technician.

A system intrusion is any unauthorized access to, or activity on, a computer
system: an attacker, or the attacker's automated tools, gains the ability to
read, alter or disrupt information or services on a host that is not properly
protected. Attackers often use automated intruder programs that scan for
vulnerable services or for Trojans already installed on people's computers.
Examples of system intrusions:
Denial-of-service attack
A denial-of-service attack prevents normal use of your computer or network by
valid users. After gaining access to your network, the attacker can do any of
the following:
- Distract your internal information systems staff so that they do not see the
  intrusion immediately, which allows the attacker to carry out more attacks
  during the diversion.
- Send invalid data to applications or network services, which causes abnormal
  termination or behavior of the applications or services.
- Flood a computer or the entire network with traffic until a shutdown occurs
  because of the overload.
- Block traffic, which results in a loss of access to network resources by
  authorized users.
A technician identifies it from its symptoms: services that stop answering,
saturated links or CPUs, and connection logs or flow records that show an
abnormal volume of requests, often from one source or to one port.
Man-in-the-middle attack
As the name indicates, a man-in-the-middle attack occurs when someone between
you and the person with whom you are communicating is actively monitoring,
capturing, and controlling your communication transparently. For example, the
attacker can re-route a data exchange. When computers are communicating at the
lower network layers, they might not be able to determine with whom they are
exchanging data.
Man-in-the-middle attacks are like someone assuming your identity in order to
read your message. The person on the other end might believe it is you, because
the attacker might be actively replying as you to keep the exchange going and
gain more information. This attack is capable of the same damage as an
application-layer attack.
A technician can spot it through certificate or host-key warnings, duplicate or
changing ARP entries for the gateway, and routes that change without an
administrative cause.
Sniffer attack
A sniffer is an application or device that can read, monitor, and capture
network data exchanges and read network packets. If the packets are not
encrypted, a sniffer provides a full view of the data inside the packet. Even
encapsulated (tunneled) packets can be opened and read unless they are encrypted
and the attacker does not have access to the key.
Using a sniffer, an attacker can analyze your network and gain information to
eventually cause your network to crash or to become corrupted.
Because sniffing is passive, it is identified on the host rather than on the
wire: a network interface found in promiscuous mode, or an unexpected capture
process, is the usual indicator.

4. (Ch. 4) Intrusion Prevention (15 points) In your own words, briefly
summarize the difference between intrusion detection and intrusion
prevention; additionally, list three (3) methods or technologies which can
identify AND prevent an intrusion on your system.

Intrusion detection system (IDS): a device or application that analyzes whole
packets, both header and payload, looking for known events. When a known event
is detected, a log message or alert is generated detailing the event; the
traffic itself is not affected, because the sensor typically sees a copy of it
from a tap or mirror port.
Intrusion prevention system (IPS): a device or application that analyzes whole
packets the same way, but sits inline in the traffic path, so when a known event
is detected the offending packet or flow can be dropped or otherwise
remediated, and it never reaches its target. Both typically use a combination
of traffic and file signatures and heuristic analysis of flows.
The functional difference between an IDS and an IPS is a fairly subtle one and
is often nothing more than a configuration setting. For example, in a Juniper
IDP module, changing from detection to prevention is as easy as changing a
drop-down selection from LOG to LOG/DROP. At a technical level it can require a
redesign of your monitoring architecture, because a passive sensor on a mirror
port must become an inline device that all traffic traverses, and an inline
device that fails or is overloaded now affects availability.
Methods or technologies that can identify and prevent an intrusion:
Firewalls: a system that effectively incorporates several security features in
one. Secure Firewall (formerly Sidewinder) from Secure Computing was, at the
time of the textbook's writing, described as one of the strongest and most
secure firewall products available, with no successful compromise on record,
and it was trusted and used by government and defense agencies. Secure Firewall
combines the five most necessary security systems (firewall,
antivirus/spyware/spam, VPN, application filtering, and intrusion
prevention/detection systems) into a single appliance.
Access control systems: access control systems (ACSs) rely on
administrator-defined rules that allow or restrict user access to protected
network resources. These access rules can require strong user authentication
such as tokens or biometric devices to prove the identity of users requesting
access. They can also restrict access to various network services based on time
of day or group need.
Unified threat management: UTM systems are multilayered and incorporate several
security technologies into a single platform, often in the form of a plug-in
appliance. UTM products can provide such diverse capabilities as antivirus,
VPN, firewall services, and antispam as well as intrusion prevention.
The biggest advantages of a UTM system are its ease of operation and
configuration, and the fact that its security features can be quickly updated
to meet rapidly evolving threats.
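The LOG versus LOG/DROP distinction from this answer, and the kind of event a technician looks for in the answer to Question 3 (a traffic flood, a malicious payload), can be shown in one small model. The following is an added example in Python, not code from the exam, the textbook or any IDS/IPS product; the content signatures, the SYN threshold and the traffic are constructed for illustration. The same inspection runs in both modes; the only difference is what happens to a packet that matches.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port
    flags: str     # TCP flags as letters, e.g. "S" = SYN, "PA" = PSH+ACK
    payload: bytes


# Constructed content signatures for illustration (hypothetical, not from any real rule set).
SIGNATURES = {
    "dir-traversal": b"../../",
    "shell-injection": b"; rm -rf",
}

# Constructed threshold: more bare SYNs than this from one source in a batch is treated as a flood.
SYN_FLOOD_THRESHOLD = 50


def inspect(packets, mode="log"):
    """Inspect a batch of packets the way an IDS/IPS sensor does.

    mode="log"      IDS behaviour: alert on matches, forward everything (the sensor sees a copy).
    mode="log/drop" IPS behaviour: alert on matches and drop the matching packet inline.
    Returns (alerts, forwarded); each alert is (rule, src, dst, dport).
    """
    if mode not in ("log", "log/drop"):
        raise ValueError("mode must be 'log' or 'log/drop'")
    alerts, forwarded = [], []
    syns_per_source = Counter()
    for pkt in packets:
        hits = [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]
        if "S" in pkt.flags and "A" not in pkt.flags:           # half-open connection attempt
            syns_per_source[pkt.src] += 1
            if syns_per_source[pkt.src] > SYN_FLOOD_THRESHOLD:
                hits.append("syn-flood")
        alerts.extend((rule, pkt.src, pkt.dst, pkt.dport) for rule in hits)
        if hits and mode == "log/drop":
            continue                                            # IPS: never reaches the target
        forwarded.append(pkt)
    return alerts, forwarded


def sample_traffic():
    """Constructed traffic: one benign request, one directory-traversal attempt, and 60 SYNs
    from a single host that never completes a handshake."""
    pkts = [Packet("10.0.0.5", "10.0.0.80", 80, "PA", b"GET /index.html HTTP/1.1")]
    pkts.append(Packet("198.51.100.7", "10.0.0.80", 80, "PA", b"GET /../../etc/passwd HTTP/1.1"))
    pkts += [Packet("203.0.113.9", "10.0.0.80", 80, "S", b"") for _ in range(60)]
    return pkts


if __name__ == "__main__":
    for mode in ("log", "log/drop"):
        alerts, forwarded = inspect(sample_traffic(), mode)
        print(f"{mode:9s} alerts={len(alerts)} forwarded={len(forwarded)}")
        print("  rules fired:", sorted(Counter(a[0] for a in alerts).items()))
```

In "log" mode every packet reaches the server and the operator only learns about the traversal attempt and the flood afterwards; in "log/drop" mode the traversal request and the SYNs above the threshold are discarded, which also means a mis-tuned threshold would now cut off legitimate clients, the availability trade-off the answer mentions. A real sensor keeps the SYN counter over a sliding time window rather than per batch.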

5. (Ch. 5) Network Intrusions (15 points) In your own words, briefly describe
what is a network intrusion; additionally, list three (3) examples of network
intrusion attacks, and list three (3) techniques or strategies to defend against
these attacks.

A network intrusion is any unauthorized activity on a computer network. In most
cases, such unwanted activity consumes network resources intended for other
uses, and it nearly always threatens the security of the network and/or its
data. A properly designed and deployed network intrusion detection system helps
reveal intruders, and a prevention system placed inline can block them.
As a first step of defense, here is a brief rundown of popular attack vectors:
Asymmetric routing: the attacker attempts to use more than one route to the
targeted network device. The idea is to have the overall attack evade detection
by having a significant portion of the offending packets bypass certain network
segments and their intrusion sensors. Networks that do not permit asymmetric
routing are not exposed to this technique.
Traffic flooding: an ingenious method of network intrusion simply targets the
intrusion detection system itself by creating traffic loads too heavy for it to
screen adequately. In the resulting congested and chaotic network environment,
attackers can sometimes execute an undetected attack and even trigger an
undetected "fail-open" condition, in which an overloaded inline device passes
traffic uninspected.
Trojans: these programs present themselves as benign and do not replicate like
a virus or a worm. Instead, they launch DoS attacks, erase stored data, or open
channels that allow outside attackers to control the system. Trojans can be
introduced into a network from untrusted online archives and file repositories,
most notably peer-to-peer file exchanges.

6. (Ch. 26) Intrusion Prevention & Detection Systems (15 points) In your own
words, briefly describe the difference between host-based and network-based
intrusion detection systems; additionally, list two (2) advantages and two (2)
disadvantages of host-vs-network-based solutions.


A host-based intrusion detection system (HIDS) protects just that: the host or
endpoint, including workstations, servers, mobile devices and the like.
Host-based IDSes are one of the last layers of defense. They are also one of
the best security controls because they can be fine-tuned to the specific
workstation, application, user role or workflow required.
A network-based IDS (NIDS) often sits at the ingress or egress point(s) of the
network to monitor what is coming and going. Because a network-based IDS sits
further out on the network, it may not provide enough granular protection to
keep everything in check, especially for traffic that is protected by SSL, TLS
or SSH, whose payloads it cannot read.
Advantages of a NIDS:
- Easy deployment: deploying such a system is easier, as you do not have to
  change your existing infrastructure or hosts; the sensor runs on its own
  dedicated system.
- Lower cost: one sensor can cover a whole network segment, which removes the
  need for software on every host in that segment and lowers the cost of
  ownership.
Disadvantages of a NIDS:
- Tuning down the false-positive rate also lowers the detection rate, which
  affects the reliability of the NIDS.
- Tasks such as analyzing and filtering alerts have to be done manually.
Advantages of a host-based IDS:
- It can identify attacks that originate from inside the host, or that arrive
  inside encrypted sessions, since it sees activity after decryption.
- It is cost-effective for a small-scale network with a few hosts.
Disadvantages of a host-based IDS:
- It can be compromised as soon as the host it protects is compromised by an
  attack, so its logs and baselines should be copied off the host.
- It consumes extra computing power on the host where it resides.
- It can be ineffective during a denial-of-service attack.
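One thing a host-based IDS can do that a network sensor cannot is watch the host's own files. The following is an added example in Python (not code from the exam, the textbook or any HIDS product) of the file-integrity check that host-based tools perform: hash every file under a directory, store the result as a baseline, and later classify what was modified, added or removed. The directory tree, file contents and "tampering" in demo() are constructed to stand in for a host's /etc.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Digest every regular file under root, keyed by its path relative to root.
    In a real deployment the result is stored off-host (or signed), because a host-based
    sensor and its data are only as trustworthy as the host they live on."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(before, after):
    """Classify every difference between two baselines."""
    common = before.keys() & after.keys()
    return {
        "modified": sorted(k for k in common if before[k] != after[k]),
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }


def demo():
    """Constructed scenario in a temporary directory standing in for /etc on a monitored host."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        before = baseline(d)

        # Simulated tampering: a UID-0 account appended, a preload hook dropped, a file deleted.
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n"
                                    "backdoor:x:0:0::/:/bin/sh\n")
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")
        (etc / "hosts").unlink()

        return compare(before, baseline(d))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

This is exactly the control the disadvantages list above warns about: if the attacker reaches root, they can regenerate the baseline too, so the value of the check depends on keeping the stored digests somewhere the host cannot rewrite.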
7. (Ch. 21) Protecting Mission-Critical Systems (20 points) According to
Chapter 21, p. 389 there are four (4) key components that are crucial for the
success and continuity of any organization; list these four (4) components
and briefly summarize how each ensures the security of the organization.

There are four key components that are crucial for the success and continuity
of any organization: information assurance, information risk management,
defense in depth, and contingency planning.
Information assurance: information assurance is achieved when information and
information systems are protected against attacks through the application of
security services such as availability, integrity, authentication,
confidentiality, and non-repudiation.
The application of these services should be based on the protect, detect, and
react paradigm. This means that in addition to incorporating protection
mechanisms, organizations need to expect attacks and include attack detection
tools and procedures that allow them to react to and recover from these attacks.
Information risk management: risk is the likelihood of something going wrong
and damaging your organization or information assets. Because of the
ramifications of such risk, an organization should try to reduce it to an
acceptable level. This process is known as information risk management. Risk to
an organization and its information assets, like threats, comes in many
different forms.
Defense in depth: the principle of defense in depth is that layered security
mechanisms increase the security of a system as a whole. If an attack causes
one security mechanism to fail, other mechanisms may still provide the
necessary security to protect the system. This is a process that involves
people, technology, and operations as key components of its success; however,
those are only part of the picture. These organizational layers are difficult
to translate into specific technological layers of defense, and they leave out
areas such as security monitoring and metrics.
Contingency planning: contingency planning is necessary in several ways for an
organization to be sure it can withstand some sort of security breach or
disaster. Among the important steps required to make sure an organization is
protected and able to respond to a security breach or disaster are business
impact analysis, incident response planning, disaster recovery planning, and
business continuity planning. These contingency plans are interrelated in
several ways and need to stay that way, so that a response team can move from
one to the other seamlessly if there is a need. Business processes and assets
follow a clear strategy to recover from interruption, laid out in:
a. an incident response plan;
b. a business continuity plan.
8. (Ch. 59) System Security (10 points) In your own words, describe what is
the purpose of a systems security plan; list three (3) important aspects of
system security and briefly explain how the implementation of each
improves the security of systems.

The purpose of the system security plan is to provide an overview of the
security requirements of the system and to describe the controls in place or
planned for meeting those requirements. The system security plan also
delineates the responsibilities and expected behavior of all individuals who
access the system.
The three important aspects of system security are:
a) Confidentiality: confidentiality of information means protecting the
information from disclosure to unauthorized parties.
Information has value, especially in today's world: bank account statements,
personal information, credit card numbers, trade secrets, government documents.
Everyone has information they wish to keep secret, and protecting such
information is a major part of information security.
A key component of protecting confidentiality is encryption. Encryption ensures
that only the right people (those who know the key) can read the information.
Encryption is very widespread in today's environment and can be found in almost
every major protocol in use. A prominent example is SSL/TLS, a security protocol
for communications over the Internet that is used in conjunction with a large
number of Internet protocols to secure them.
Other ways to ensure confidentiality include enforcing file permissions and
access control lists to restrict access to sensitive information.
b) Integrity: integrity of information means protecting information from being
modified by unauthorized parties.
Information only has value if it is correct. Information that has been tampered
with can prove costly. For example, if you were sending an online money transfer
for $100, but the information was tampered with in such a way that you actually
sent $10,000, it could prove very costly for you.
As with confidentiality, cryptography plays a major role in ensuring integrity.
A commonly used method is to hash the data you receive and compare it with the
hash of the original message. However, this only works if the hash of the
original data reaches you in a way the attacker cannot alter; if the hash
travels on the same channel as the data, the attacker simply replaces both. A
more convenient and stronger method is to use an existing scheme such as GPG to
digitally sign the data, which binds the hash to the sender's key.
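The caveat just made (a bare hash protects integrity only if the hash itself arrives over a channel the attacker cannot touch) and the integrity and authentication services listed in the answer to Question 2 can both be shown with the Python standard library. The following is an added example, not code from the exam or the textbook; the shared key and the transfer message are constructed. It plays the $100 to $10,000 tampering through twice: once against an unkeyed SHA-256 check, once against an HMAC under a key the attacker does not hold.

```python
import hashlib
import hmac

# Constructed key shared by the client and the bank; the attacker on the path does not have it.
SHARED_KEY = b"example-only-shared-secret-rotate-me"


def transfer_message(amount):
    return f"transfer {amount} USD from acct 1111 to acct 2222".encode()


def unkeyed_digest(message):
    """Integrity only: anyone, including the attacker, can compute this over any message."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key, message):
    """Integrity plus origin authentication: computing a valid tag requires the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_unkeyed(message, digest):
    # compare_digest avoids leaking how many leading characters matched (timing side channel).
    return hmac.compare_digest(unkeyed_digest(message), digest)


def verify_keyed(key, message, tag):
    return hmac.compare_digest(keyed_tag(key, message), tag)


def tamper(message):
    """Man-in-the-middle rewrites the amount while the message is in transit."""
    return message.replace(b"transfer 100 USD", b"transfer 10000 USD")


def hash_only_scenario():
    """Sender sends (message, sha256) on one channel. Returns whether the forgery is accepted."""
    msg = transfer_message(100)
    sent_digest = unkeyed_digest(msg)        # travels with the message
    forged = tamper(msg)
    forged_digest = unkeyed_digest(forged)   # attacker recomputes: no secret is needed
    return verify_unkeyed(forged, forged_digest)


def mac_scenario():
    """Sender sends (message, HMAC). Returns whether the forgery is accepted."""
    msg = transfer_message(100)
    sent_tag = keyed_tag(SHARED_KEY, msg)
    forged = tamper(msg)
    # The attacker cannot compute keyed_tag(SHARED_KEY, forged); replaying the old tag fails.
    return verify_keyed(SHARED_KEY, forged, sent_tag)


if __name__ == "__main__":
    print("unkeyed hash check accepts tampered transfer:", hash_only_scenario())  # True
    print("HMAC check accepts tampered transfer:       ", mac_scenario())         # False
```

The HMAC gives the receiver integrity and authentication (only a key holder could have produced the tag), but not non-repudiation, because both ends hold the same key and either could have made it; that is why the digital signature mentioned above remains the right tool when the sender must not be able to deny the message.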
c) Availability: availability of information means ensuring that authorized
parties are able to access the information when needed.
Information only has value if the right people can access it at the right time.
Denying access to information has become a very common attack. Almost every
week there is news about high-profile websites being taken down by DDoS
attacks, whose primary aim is to deny users access to the site's resources.
Such downtime can be very costly. Other factors that can lead to a loss of
availability include accidents such as power outages and natural disasters such
as floods.
How does one ensure availability? Backups are key. Regular off-site backups
limit the damage caused by failed disks or natural disasters. For highly
critical information services, redundancy may be appropriate: having an
off-site location ready to restore services if anything happens to your primary
data center greatly reduces the downtime.

9. (Ch. 60) Securing the Infrastructure (15 points) Summarize the functions of
both the infrastructure switch and a router; compare and contrast how these
functions are different. Additionally, list three (3) types of attacks against
the infrastructure network and include their impact on security; finally list
two (2) countermeasures against these attacks.

A router is a more sophisticated device than a switch. Traditional routers are
designed to join multiple networks (LANs and WANs). Routers serve as
intermediate hops for network traffic: they receive IP packets, read each
packet's header to identify the source and destination IP addresses, then
forward the packet toward its final destination. In addition, routers often
perform network address translation (NAT), which allows all devices on a
subnetwork (for example, all devices in a home) to share the same public IP
address. Finally, routers that include built-in firewalls improve the
network's security.
A network switch is a hardware device that joins multiple computers together
within one local area network (LAN). A switch by itself does not join multiple
networks or share an Internet connection. A home network with only a switch
must designate one computer as the gateway to the Internet, and that device
must have two network adapters, one for the home LAN and one for the Internet
WAN. With a router, all home computers connect to the router equally, and it
performs the equivalent gateway functions.

Comparison of a router and a switch, point by point:

Definition
  Router: a networking device that connects a local network to other local
  networks. At the distribution layer of the network, routers direct traffic
  and perform other functions critical to efficient network operation.
  Switch: a networking device used to connect many devices together on a
  computer network. A switch is considered more advanced than a hub because it
  sends a message only to the device that needs or requests it.
Bandwidth sharing
  Router: dynamic; a router can be configured for either static or dynamic
  bandwidth sharing across its interfaces.
  Switch: no sharing; each port has its own bandwidth, which can be 10, 100,
  1000 or 10000 Mbps individually.
Address used for transmission
  Router: IP addresses.
  Switch: MAC addresses.
Function
  Router: directs data between networks; in a home it passes data between the
  computers, and between the computers and the modem.
  Switch: connects multiple devices; ports can be managed, and VLANs can be
  created, which also adds security by separating traffic.
Used for
  Router: connecting two or more networks.
  Switch: connecting two or more nodes in the same network (or, for a Layer 3
  switch, in different networks).
Device type
  Router: networking device.
  Switch: active device (with software) and networking device.
Table
  Router: stores IP prefixes in a routing table that it builds and maintains
  itself.
  Switch: uses a content-addressable memory (CAM) table, typically accessed by
  an ASIC (application-specific integrated circuit).
Transmission type
  Router: initially broadcast, then unicast and multicast.
  Switch: first broadcast (flooding), then unicast and multicast as needed.
Layer
  Router: network layer (Layer 3 device).
  Switch: data link layer; network switches operate at Layer 2 of the OSI
  model.
Forwarding decision
  Router: looks up each packet in the routing table; complicated routing
  decisions take more time.
  Switch: takes faster forwarding decisions through hardware lookups in the
  CAM table.

Spoofing (identity spoofing or IP address spoofing)
Any Internet-connected device necessarily sends IP datagrams into the network.
Such datagrams carry the sender's IP address as well as application-layer data.
If an attacker obtains control over the software running on a network device,
they can easily modify the device's protocol stack to place an arbitrary IP
address into the datagram's source address field. This is known as IP spoofing,
which makes any payload appear to come from any source.
Impact: with a spoofed source address on a datagram it is difficult to find the
host that actually sent it, and replies (and the blame) go to the host whose
address was forged.
The countermeasure for spoofing is ingress filtering, which routers usually
perform. Routers that perform ingress filtering check the source address of
each incoming datagram against the source addresses known to be reachable via
the interface it arrived on. If the source address is not in the valid range
for that interface, the packet is discarded.
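The ingress check described above is, in practice, a reverse-path lookup: the router asks which interface it would itself use to reach the packet's source address, and drops the packet if that is not the interface it arrived on. The following is an added example in Python (not code from the exam, the textbook or any router), with a constructed three-interface routing table and constructed datagrams; it also drops sources that can never legitimately appear on the wire (loopback, multicast, unspecified).

```python
import ipaddress

# Constructed routing table for an edge router: (prefix, interface the prefix is reached through).
# eth0 and eth1 face internal LANs; eth2 is the upstream link carrying the default route.
ROUTES = [
    ("10.0.0.0/24", "eth0"),
    ("192.168.100.0/24", "eth1"),
    ("0.0.0.0/0", "eth2"),
]
_ROUTES = [(ipaddress.ip_network(p), i) for p, i in ROUTES]


def reverse_path_interface(addr):
    """Longest-prefix match: the interface this router would use to reach addr."""
    best = None
    for net, iface in _ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ingress_filter(arrival_iface, src):
    """Accept a datagram only if its source is one the router knows to be reachable via the
    interface it arrived on (a strict reverse-path check, the BCP 38 ingress filter), and the
    source is not an address that can never legitimately originate traffic on the wire."""
    addr = ipaddress.ip_address(src)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified or addr.is_reserved:
        return False
    return reverse_path_interface(addr) == arrival_iface


def filter_batch(datagrams):
    """datagrams: iterable of (arrival_iface, src, dst). Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for d in datagrams:
        (accepted if ingress_filter(d[0], d[1]) else dropped).append(d)
    return accepted, dropped


# Constructed traffic: two legitimate datagrams and three with forged sources.
SAMPLE = [
    ("eth0", "10.0.0.7", "203.0.113.50"),     # LAN host talking to the Internet
    ("eth2", "203.0.113.50", "10.0.0.7"),     # reply coming back from the Internet
    ("eth2", "10.0.0.7", "10.0.0.80"),        # outside packet claiming an inside source
    ("eth0", "203.0.113.99", "10.0.0.80"),    # inside host forging an outside source
    ("eth2", "127.0.0.1", "10.0.0.80"),       # loopback can never be a source on the wire
]

if __name__ == "__main__":
    accepted, dropped = filter_batch(SAMPLE)
    print("accepted:", accepted)
    print("dropped: ", dropped)
```

The fourth datagram is the one that matters most for the Internet as a whole: filtering at the customer edge stops a compromised inside host from launching spoofed floods at someone else. The strict check assumes symmetric routing; on links where traffic legitimately arrives by a different path than the return route (the asymmetric routing case from the answer to Question 5), routers fall back to a loose check that only requires the source to exist somewhere in the routing table.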
Sniffing
Packet sniffing is the interception of data packets traversing a network. A
sniffer program works at the Ethernet layer together with the network interface
card (NIC) to capture all traffic traveling to and from the host it runs on. If
the NIC is placed in promiscuous mode, the sniffer picks up every frame that
reaches the interface, not only those addressed to the host. A sniffer placed on
a backbone device, inter-network link or network aggregation point will
therefore be able to monitor a great deal of traffic. Most packet sniffers are
passive: they listen to all data-link-layer frames passing the device's network
interface. There are dozens of freely available packet sniffer programs on the
Internet; the more sophisticated ones also allow active intrusion.
Impact: any credential, session token or document sent in the clear is exposed
to whoever controls the sniffer.
The key to detecting packet sniffing is to detect network interfaces that are
running in promiscuous mode. Sniffing can be detected in two ways:
Host-based: software commands exist that can be run on individual hosts to tell
whether the NIC is running in promiscuous mode.
Network-based: solutions tend to check for the presence of running processes
and log files, which sniffer programs consume a lot of. However, sophisticated
intruders almost always hide their tracks by disguising the process and
cleaning up the log files.
The best countermeasure against sniffing is end-to-end or user-to-user
encryption.
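The host-based check mentioned above can be done by reading the kernel's interface flags. The following is an added example in Python, not from the exam or the textbook: on Linux the flags word of each interface is exposed in /sys/class/net/<iface>/flags, and bit 0x100 (IFF_PROMISC) is set while the card is in promiscuous mode, the same state that `ip link show` prints as PROMISC and that the kernel logs as "entered promiscuous mode". The sysfs layout is the only assumption; the flag values in demo() are constructed so the example runs on any OS.

```python
import tempfile
from pathlib import Path

IFF_PROMISC = 0x100  # bit 8 of the Linux interface flags word (include/uapi/linux/if.h)


def is_promiscuous(flags_text):
    """Decode the hex flags value as exposed in /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Map every interface under the given sysfs directory to whether PROMISC is set.
    Returns an empty dict where sysfs is not available (non-Linux hosts)."""
    root = Path(sysfs_net)
    if not root.is_dir():
        return {}
    result = {}
    for entry in sorted(root.iterdir()):
        flags = entry / "flags"
        if flags.is_file():
            result[entry.name] = is_promiscuous(flags.read_text())
    return result


def fake_sysfs(dirpath, flags_by_iface):
    """Build a constructed sysfs-like tree for offline testing: {iface: flags_text}."""
    for iface, text in flags_by_iface.items():
        d = Path(dirpath) / iface
        d.mkdir(parents=True, exist_ok=True)
        (d / "flags").write_text(text)
    return dirpath


def demo():
    """Run the check against a constructed tree: eth0 is UP|BROADCAST|PROMISC|MULTICAST (0x1103),
    lo is UP|LOOPBACK (0x9), wlan0 is UP|BROADCAST|MULTICAST (0x1003)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_sysfs(tmp, {"eth0": "0x1103\n", "lo": "0x9\n", "wlan0": "0x1003\n"})
        return promiscuous_interfaces(tmp)


if __name__ == "__main__":
    print("constructed:", demo())
    print("this host:  ", promiscuous_interfaces())
```

As the answer notes, an intruder with root can hide this (a kernel-level rootkit can lie about the flag, and a capture can also be started and stopped between checks), so a clear result is an absence of evidence, not proof that nobody is sniffing.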
Mapping and eavesdropping
Before attacking a network, attackers want to know the IP addresses of machines
on the network, the operating systems they use, and the services they offer.
With this information their attacks can be more focused and are less likely to
raise an alarm. The process of gathering this information is known as mapping.
In general, the majority of network communications occur in an unsecured,
"clear text" format, which allows an attacker who has gained access to data
paths in your network to "listen in" on or interpret the traffic. When an
attacker is eavesdropping on your communications, it is referred to as sniffing
or snooping. The ability of an eavesdropper to monitor the network is generally
the biggest security problem administrators face in an enterprise.
The countermeasure is strong, cryptographically based encryption of traffic;
otherwise your data can be read by others as it traverses the network.

10. (Ch. 11) Internet Security (20 points) The Internet decomposes
communications into five (5) layers of communications modules or layers. List
these layers and briefly summarize what each layer is responsible for.

The internet decomposes communications into five layers of communication


modules:
a) The PHY layer: Translates digital bits and analog signals
The PHY layer module is medium dependent, with a different design for each type
of medium: Ethernet, phone lines, Wi-Fi, cellular phone, OC-768, and the like are
Page | 16

based on different PHY layer designs. It is the job of the PHY layer to translate
between digital bits as represented on a computing device and the analog signals
crossing the specific physical medium used by the PHY. This translation is a
physics exercise.
To send a message, the PHY layer module encodes each bit of each message from
the sending device as a media-specific signal or wave form, representing the bit
value 1 or 0. Once encoded, the signal propagates along the medium from the
sender to the receiver. The PHY layer module at the receiver decodes the medium
specific signal back into a bit. There are often special symbols representing such
things as the frame start and frame end symbols, and training symbols to
synchronize the receiver with the transmitter. These special symbols provide
control only and are distinct from the symbols representing bits. Wave forms
different from the defined symbols are undefined and discarded by the receiver.
It is possible for the encoding step at the transmitting PHY layer module to fail, for
a signal to be lost or corrupted while it crosses the medium, and for the decoding
step to fail at the receiving PHY layer module. It is the responsibility of higher
layers to detect and recover from these potential failures.
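As an added illustration, not taken from the textbook or the exam, the following Python models a Manchester-coded PHY: each bit becomes a two-level waveform, the frame start and end delimiters are symbols distinct from any data symbol, and a waveform that matches no defined symbol is discarded rather than repaired, leaving recovery to the layers above. The level names 'H'/'L' and the delimiter patterns are assumptions made for this example; a real PHY uses code violations or reserved code groups for framing.

```python
"""Toy Manchester PHY: bits <-> two-level waveforms, with framing symbols and
rejection of undefined waveforms (example code, not from the textbook)."""

# Each data bit is a pair of half-bit signal levels (IEEE 802.3 Manchester polarity).
BIT_TO_SYMBOL = {0: "HL", 1: "LH"}
SYMBOL_TO_BIT = {sym: bit for bit, sym in BIT_TO_SYMBOL.items()}

# Control symbols, assumed for the example: patterns no data symbol can produce.
START_DELIM = "HHLL"
END_DELIM = "LLHH"


def encode_frame(bits):
    """Encode a list of 0/1 bits as a waveform wrapped in start/end delimiters."""
    return START_DELIM + "".join(BIT_TO_SYMBOL[b] for b in bits) + END_DELIM


def decode_frame(waveform):
    """Decode a waveform back to bits.

    Returns (bits, True) on success or ([], False) when framing is missing or any
    symbol is undefined. The PHY does not guess; an undefined waveform is dropped.
    """
    if not (waveform.startswith(START_DELIM) and waveform.endswith(END_DELIM)):
        return [], False
    body = waveform[len(START_DELIM):-len(END_DELIM)]
    if len(body) % 2:
        return [], False
    bits = []
    for i in range(0, len(body), 2):
        sym = body[i:i + 2]
        if sym not in SYMBOL_TO_BIT:      # "HH" or "LL" mid-frame is not a data symbol
            return [], False
        bits.append(SYMBOL_TO_BIT[sym])
    return bits, True


def corrupt(waveform, index):
    """Flip one half-bit level to simulate noise on the medium."""
    flipped = "L" if waveform[index] == "H" else "H"
    return waveform[:index] + flipped + waveform[index + 1:]
```

Because every data symbol contains exactly one transition, a single flipped level always yields an undefined symbol, so the receiver detects it and drops the frame; it is then up to the MAC or transport layer to retransmit.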
b) The MAC layer: Determines when to send and receive frames
The MAC module is the application that uses and controls a particular PHY
layer module. A MAC layer is always designed in tandem with a specific PHY (or
vice versa), so a PHY-MAC pair together is often referred to as the data link layer.
MAC is an acronym for media access control. As its name suggests, the MAC
layer module determines when to send and receive frames, which are messages
encoded in a media-specific format. The job of the MAC is to pass frames over a
link between the MAC layer modules on different systems. It is further useful to
distinguish physical links and virtual links. A physical link is a direct point-to-point
channel between the MAC layers in two endpoint devices. A virtual link can be
thought of as a shared medium to which more than two devices can connect at the
same time. There are no physical endpoints per se; the medium acts as though it is
multiplexing links between each pair of attached devices. Some media such as
modern Ethernet are implemented as physical point-to-point links but act more like
virtual links in that more than a single destination is reachable via the link. This is
accomplished by MAC layer switching, which is also called bridging.
Timing requirements for coordination among communicating MAC layer modules
make it difficult to build worldwide networks based on MAC layer switching,
however. Mobile devices such as smart phones, laptops, and notepads also make
large-scale bridging difficult, since these devices can shift their attachment points
to the network, thus invalidating the data structures used by switches to effect
switching. Finally, some media such as Wi-Fi (IEEE 802.11) are shared or
broadcast media. In a shared medium all devices can access the channel, and the
MAC design must specify an access control policy that the MAC enforces; this
behavior is what gives the MAC layer its name. Ethernet was originally a shared
medium, but evolved into its present switched point-to-point structure in order to
simplify medium access control.
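As an added example, not part of the exam answer or the textbook, the Python below is a toy learning switch (bridge) of the kind described above: it learns which port each source MAC address is reachable on, forwards frames for known destinations to that port, floods frames for unknown or broadcast destinations, and simply relearns when a mobile station shows up on a different port. It also models the finite size of the address table, which is the practitioner's caveat here: an attacker who sends frames with many random source addresses fills the table, the switch can no longer learn, and traffic for unlearned stations is flooded to every port, including the attacker's. Port numbers, addresses and the table size are assumptions for the example.

```python
"""Toy MAC-layer learning switch with aging and a bounded address table
(example code, not from the textbook)."""
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, aging_seconds=300.0, max_entries=8192):
        self.ports = list(ports)
        self.aging_seconds = aging_seconds
        self.max_entries = max_entries      # real switches have a fixed-size CAM table
        self.table = {}                     # MAC address -> (port, last_seen)

    def receive(self, in_port, src, dst, now=None):
        """Process one frame arriving on in_port; return the list of output ports."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        # Learning: src is reachable via the ingress port. A station that moved
        # simply overwrites its old entry. If the table is full, nothing is learned.
        if src in self.table or len(self.table) < self.max_entries:
            self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            # Unknown or broadcast destination: flood to every port except the ingress.
            return [p for p in self.ports if p != in_port]
        out_port, _ = entry
        # Destination on the same segment as the sender: nothing to forward.
        return [] if out_port == in_port else [out_port]

    def _expire(self, now):
        """Drop entries not refreshed within the aging interval."""
        stale = [mac for mac, (_, seen) in self.table.items()
                 if now - seen > self.aging_seconds]
        for mac in stale:
            del self.table[mac]
```

The mitigation on real switches is port security (a cap on learned addresses per port) and 802.1X on access ports; the point of the example is that the "switched, therefore private" assumption about Ethernet only holds while the table has room.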
c) The Network layer: Represents messages in a media-independent
manner. Forwards messages between various MAC layer modules
representing different links
The purpose of the network layer module is to represent messages in a media-independent manner and to forward them between various MAC layer modules
representing different links. The media-independent message format is called an
Internet Protocol, or IP, datagram. The network layer implements the IP layer and
is the lowest layer of the Internet architecture per se.
The network layer provides a vital forwarding function that works even for a
worldwide network like the Internet. It is impractical to form a link directly
between each communicating system on the planet. Indeed, the cabling costs alone
are prohibitive (no one wants billions, or even dozens, of cables connecting their
computer to other computers), and too many MAC/PHY interfaces can quickly
exhaust the power budget for a single computing system. Hence, each machine is
attached by a small number of links to other devices, and some of the machines
with multiple links comprise a switching fabric.
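As an added example of the forwarding function described above (not from the textbook), the Python below implements a minimal router over media-independent datagrams: the destination address is matched against a forwarding table by longest prefix, the TTL is decremented so a looping datagram eventually dies, and, because nothing in the datagram authenticates its source, the router also applies a strict reverse-path check (the BCP 38 ingress-filtering idea) and drops datagrams whose source address could not legitimately have arrived on that link. The prefixes, links and next hops are assumptions for the example; strict reverse-path checking can produce false positives where routing is asymmetric, so in practice it is applied at the network edge.

```python
"""Toy network-layer forwarder: longest-prefix match, TTL handling and
strict reverse-path source filtering (example code, not from the textbook)."""
import ipaddress


class Datagram:
    """The media-independent message: only the fields a forwarder looks at."""
    def __init__(self, src, dst, ttl, payload=b""):
        self.src, self.dst, self.ttl, self.payload = src, dst, ttl, payload


class Router:
    def __init__(self, strict_rpf=True):
        self.routes = []            # (network, next_hop, out_link)
        self.strict_rpf = strict_rpf

    def add_route(self, prefix, next_hop, out_link):
        """next_hop None means the prefix is directly attached to out_link."""
        self.routes.append((ipaddress.ip_network(prefix), next_hop, out_link))

    def lookup(self, address):
        """Longest-prefix match; returns (network, next_hop, out_link) or None."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, next_hop, link in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, link)
        return best

    def forward(self, dg, in_link):
        """Decide what to do with a datagram that arrived on in_link.

        Returns ("forward", out_link, next_hop) or ("drop", reason).
        """
        if self.strict_rpf:
            # Would we route a reply to dg.src out of the link it came in on?
            back = self.lookup(dg.src)
            if back is None or back[2] != in_link:
                return ("drop", "spoofed-source")
        if dg.ttl <= 1:
            return ("drop", "ttl-exceeded")     # a real router also sends ICMP
        dg.ttl -= 1
        route = self.lookup(dg.dst)
        if route is None:
            return ("drop", "no-route")
        _, next_hop, out_link = route
        return ("forward", out_link, next_hop)
```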
d) The Transport layer: Implemented by TCP and similar protocols
Creates and manages two-way channel instances between communication
endpoints
Supports arbitrary length message delivery
The transport layer is implemented by TCP and similar protocols. Not all transport
protocols provide the same level of service as TCP, but a description of TCP will
suffice to help us understand the issues addressed by the transport layer. The
transport layer provides a multitude of functions.
First, the transport layer creates and manages instances of two-way channels
between communication endpoints.
These channels are called connections. Each connection represents a virtual
endpoint between a pair of communication endpoints. A connection is named by a
pair of IP addresses and port numbers. Two devices can support simultaneous
connections using different port numbers for each connection. It is common to
differentiate applications on the same host through the use of port numbers.
A second function of the transport layer is to support delivery of messages of
arbitrary length. The 64 KB limit of the underlying IP module is too small to
carry really large messages, so the transport layer module at the message
source chops messages into pieces called segments that are more easily digestible
by lower-layer communications modules. The segment size is negotiated between
the two transport endpoints during connection setup: each endpoint announces the
largest segment it can accept, and the size actually used is bounded by the
smallest maximum frame size supported by any MAC/PHY link on the path through
the Internet used by the connection setup messages.
Once this is known, the transmitter typically partitions a large message into
segments no larger than this size, plus room for an IP header. The transport layer
module passes each segment to the network layer module, where it becomes the
payload for a single IP datagram. The destination network layer module extracts
the payload from the IP datagram and passes it to the transport layer module,
which interprets the information as a message segment. The destination transport
reassembles this into the original message once all the necessary segments arrive.
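As an added example (not from the textbook), the Python below shows the two transport functions just described on constructed data: a connection is named by the pair of IP addresses and port numbers, a message larger than one datagram is chopped into segments no bigger than the path's maximum segment size, and the receiver reassembles the message from segments that may arrive in any order, refusing to deliver while a gap remains. Header sizes, MTUs and addresses are assumptions for the example; real TCP additionally acknowledges, retransmits and checksums, which this toy omits.

```python
"""Toy transport layer: connection naming, segmentation to the path MSS and
out-of-order reassembly (example code, not from the textbook)."""
from collections import namedtuple

# A segment carries its connection name and the byte offset of its data.
Segment = namedtuple("Segment", "conn seq data")

MAX_DATAGRAM = 65535        # the IP-layer limit the text refers to
IP_HEADER = 20              # minimum IPv4 header, assumed for the example
TCP_HEADER = 20             # minimum TCP header, assumed for the example


def mss_for_path(link_mtus):
    """Largest segment that fits in one frame on every link of the path."""
    return min(link_mtus) - IP_HEADER - TCP_HEADER


def segment(conn, message, mss):
    """Split message bytes into segments of at most mss bytes for connection conn."""
    if mss <= 0 or mss + IP_HEADER + TCP_HEADER > MAX_DATAGRAM:
        raise ValueError("segment size does not fit in a datagram")
    return [Segment(conn, off, message[off:off + mss])
            for off in range(0, len(message), mss)]


class Receiver:
    """Destination transport: buffers segments per connection and reassembles."""
    def __init__(self):
        self.buffers = {}       # conn -> {seq: data}

    def deliver(self, seg):
        """Called by the network layer with the payload of one datagram."""
        self.buffers.setdefault(seg.conn, {})[seg.seq] = seg.data

    def reassemble(self, conn, expected_len):
        """Return the complete message for conn, or None while any piece is missing."""
        buf = self.buffers.get(conn, {})
        out = b""
        while len(out) < expected_len:
            piece = buf.get(len(out))
            if piece is None:
                return None     # gap: wait for the missing segment
            out += piece
        return out
```

The 4-tuple in `conn` is what keeps two connections between the same hosts apart: a segment for port 40001 never lands in the buffer for port 40000, which is also why an attacker who wants to inject into a TCP stream has to guess the port pair and the sequence position.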

e) The Sockets layer: Interface set representing a logical communications
endpoint
The top layer of the Internet, the sockets layer, does not per se appear in the
architecture at all. The sockets layer provides a set of interfaces, each of which
represents a logical communications endpoint. An application can use the sockets
layer to create, manage, and destroy connection instances using a socket as well as
send and receive messages over the connection. The sockets layer has been
designed to hide much of the complexity of the transport layer, thereby making
TCP easier to use. The sockets layer has been highly optimized over the years to
deliver as much performance as possible, but it does impose a performance
penalty. Applications with very demanding performance requirements tend to
utilize the transport layer directly instead of through the sockets layer module, but
this comes with a very high cost in terms of software maintenance.

11.(Ch. 14) Local Area Network Security (15 points) Network security threats
can be placed into one of two (2) different categories; list these categories
and provide one (1) example of each category of threat.

Network security threats can be in one of two categories:
(1) Disruptive type: Most LANs are designed as collapsed backbone networks
using a layer-2 or layer-3 switch. If a switch or a router were to fail due to
power failure, a segment or the entire network may cease to function until
the power is restored. In some cases, the network failure may be due to a
virus attack on the secondary storage, thus leading to loss of data.
Example: fire, flood, earthquake
(2) Unauthorized access type: This access type can be internal (employee) or
external (intruder), a person who would attempt to break into resources such
as database, file, and email or web servers that they have no permission to
access. Banks, financial institutions, major corporations, and major retail
businesses employ data networks to process customer transactions and store
customer information and any other relevant data. Before the birth of the
Internet Age, inter-institutional transactions were secure because the
networks were not accessible to intruders or the general public.
Example: spyware, adware

12.(Ch. 13) Intranet Security (15 points) In your own words, briefly; describe
the security challenges created by employee-use of mobile technologies such
as tablets and smartphones additionally, list three (3) technical and/or
administrative controls to mitigate these challenges.

The challenges created by employee use of mobile devices:
A. Risk of size and portability: Because of their size, mobile devices are easy
theft targets in the wrong place at the wrong time. The loss of a few hundred
dollars of hardware, however, is nothing compared with an invaluable client list
that is lost and falls into a competitor's hands.
B. Risk of access via multiple paradigms: Mobile devices can access unsafe
sites using cellular networks and download malware into storage. The malware in
turn can bypass the company firewall to enter the company network to wreak
havoc.
C. Social media risks: By definition, mobile devices are designed in such a way
that they can easily access social media sites, which are the new target for
malware-propagating exploits.
These issues can be approached and dealt with by using a solid set of technical as
well as administrative controls:
I. Establish a customized corporate usage policy for mobile devices: This
policy/procedure must be signed by new hires at orientation and by all
employees who ask for access to the corporate VPN using mobile devices
(even personal ones). This should ideally be in the form of a contract and
should be signed by the employee before a portion of the employee's device
storage is partitioned for access and storage of corporate data. Normally,
there should be yearly training highlighting the dos and don'ts of using
mobile devices to access a corporate VPN. The first thing emphasized in
this training should be how to secure company data using passwords.
II. Establish a policy for reporting theft or misplacement: This policy
should identify at the very least how quickly one should report thefts of
mobile devices containing company data and how quickly a remote wipe
should be carried out. The policy can optionally detail how the mobile
device's feature (app) for locating a misplaced or stolen device will be
used.
III. Establish a well-tested SSL VPN for remote access: Reputable vendors
with experience in mobile device VPN clients should be chosen. The
quality, functionality, adaptability of usage (and proven reputation) of the
VPN clients should be key in determining the choice of vendor. The
advantage of an SSL VPN over IPsec or L2TP for mobile usage is that it runs
over TCP port 443, so it works through NAT and the restrictive firewalls of
public Wi-Fi and cellular networks without special client support. The SSL
VPN should be capable of supporting two-factor authentication using hardware
tokens. For example, Cisco's AnyConnect Secure Mobility Client and Juniper's
Junos Pulse app are free downloads from the Apple iTunes App Store. Other VPN
vendors also have such apps available, and they can be tested to see how
smooth and functional the access process is.
IV. Establish inbound and outbound malware scanning: Inbound scanning
should occur for obvious reasons, but outbound traffic should also be
scanned in case the company's email servers become spam relays and get
blacklisted on sites such as Lashback, or get blocked from reaching external
sites outright.
V. Establish WPA2 encryption for Wi-Fi traffic access: WPA2 is for now
the best encryption available, compared to WEP encryption, which is dated,
broken and not recommended. Configure WPA2 with AES-CCMP rather than the
older TKIP cipher, and use a strong passphrase or, better, 802.1X
(WPA2-Enterprise) so that each user authenticates individually.
VI. Establish logging metrics and granular controls: Keeping regular tabs
on information asset access by users and configuring alerting on unusual
activity (such as large-scale access or exceeded failed-logon thresholds) is a
good way to prevent data leakage.

13.(Ch. 15) Wireless Security (15 points) List the two (2) main classifications of
wireless networks. Provide two (2) examples of each classification of these
networks. In your own words, describe the major architectural differences
between these two classifications. Finally, what is a common security service
(hint think chapter 2) and give an example of how this service is utilized by
clients of each wireless network classification to ensure authentication,
confidentiality, and integrity of their data transmissions

The two main classifications of wireless networks are:
a) Cellular networks
b) Wireless ad hoc networks

a) Cellular networks: A cellular network comprises a fixed infrastructure and
a number of mobile nodes. Mobile nodes connect to the fixed infrastructure
through wireless links. They may move around from within the range of one
base station to outside the range of the base station, and they can move into
the ranges of other base stations. The fixed infrastructure serves as the
backbone of a cellular network, providing high speed and stable connection
for the whole network, compared to the connectivity between a base station
and a mobile node.
Examples of cellular networks are GSM (Global System for Mobile
Communications), CDMA (Code Division Multiple Access), GPRS (General
Packet Radio Service), EDGE (Enhanced Data Rates for GSM Evolution),
UMTS (Universal Mobile Telecommunications System) and 802.11 wireless
LAN in infrastructure mode, where the access point plays the role of the
base station.
b) Wireless Ad Hoc Networks: Wireless ad hoc networks are distributed
networks that do not require fixed infrastructures to work. Network nodes in
a wireless ad hoc network can be randomly deployed to form the wireless ad
hoc network. Network nodes will forward network packets for other network
nodes. Network nodes in a wireless ad hoc network directly communicate
with other nodes within their ranges. When these networks communicate
with network nodes outside of their ranges, network packets will be
forwarded by the nearby network nodes; and, other nodes that are on the
path from the source nodes to the destination nodes. Wireless ad hoc
networks are self-organizing. Without fixed infrastructures and central
administration, wireless ad hoc networks must be capable of establishing
cooperation between nodes on their own. Network nodes must also be able
to adapt to changes in the network, such as the network topology. Wireless
ad hoc networks have dynamic network topologies. Network nodes of a
wireless ad hoc network connect to other network nodes through wireless
links. The network nodes are mostly mobile. The topology of a wireless ad
hoc network can change from time to time, since network nodes move
around from within the range to the outside, and new network nodes may
join the network, just as existing network nodes may leave the network.
Examples of wireless ad hoc networks are MANETs (Mobile Ad Hoc
Networks), iMANETs (Internet-based Mobile Ad Hoc Networks) and
VANETs (Vehicular Ad Hoc Networks).

Cellular networks were formed to reduce power consumption and to reuse the
limited radio spectrum. Cell size is one of the factors in the channel reuse rate:
the channel reuse rate with smaller cells is higher than with bigger cells. A
cellular architecture with smaller cells, however, faces more frequent handovers,
since a moving node crosses cell boundaries more often. In addition to the
cellular network, the ad hoc network is another architecture for wireless
networks. The ad hoc network is an infrastructure-less network in which nodes
can access services from one another regardless of where they are. The main
difference between a cellular environment and an ad hoc network is that the ad
hoc approach has no infrastructure and allows nodes to communicate with one
another at any time and anywhere; every node also acts as a router for its
neighbors, so trust cannot be anchored in a base station the way it is in a
cellular network.
Extra Credit (5 points): Complete the following equation which quantitatively
measures the impact of a security breach:

Risk = Value of Asset × Threat × Vulnerability
