
ITNE2002

Network and Information Security Post Lecture

Activity for Lesson 5

Topic: Network Access Control, OS and Cloud Security

Activity 5.1:

Review questions

Q.5.1. Provide a brief definition of network access control.

Ans: Network access control is an umbrella term for managing access to a
network. The three components of NAC are the access requester, the policy
server, and the network access server.

Q.5.2. What is an EAP?

Ans: EAP is the path for the exchange of authentication information between a
client system and an authentication server.

Q.5.3. List and briefly define four EAP authentication methods.

Ans: The four authentication methods are given below:

1. EAP-TLS. This method defines how the TLS protocol can be encapsulated
in EAP messages.
2. EAP-TTLS. Same as EAP-TLS, except only the server has a certificate to
authenticate itself to the client first.
3. EAP-GPSK. A method that uses a pre-shared key.
4. EAP-IKEv2. This method is based on the Internet Key Exchange protocol.

Q.5.4. What is EAPOL?

Ans: 'EAP over LAN' operates at the network layers and makes use of an IEEE
802 LAN, such as Ethernet or Wi-Fi, at the link level. It enables a supplicant to
communicate with an authenticator and supports the exchange of EAP packets for
authentication.

Q.5.5. What is the function of IEEE 802.1X?

Ans: IEEE 802.1X is the link-layer protocol that enforces authorization before a
port is assigned an IP address. It makes use of the Extensible Authentication
Protocol (EAP) for the authentication process.

Q.5.6. Define cloud computing.

Ans: A model for enabling ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing resources that can be rapidly
provisioned and released with minimal management effort or service provider
interaction. This cloud model promotes availability and is composed of five
essential characteristics, three service models, and four deployment models.

Q.5.7. List and briefly define three cloud service models.

Ans: The three cloud service models are listed and described below:

1. Software as a Service (SaaS). A software distribution model in which
applications are hosted by a vendor or service provider and made
available to customers over a network, typically the Internet.
2. Platform as a Service (PaaS). A paradigm for delivering operating
systems and associated services over the Internet without downloads or
installation.
3. Infrastructure as a Service (IaaS). Involves outsourcing the equipment
used to support operations, including storage, hardware, servers and
networking components.

Q.5.8. What is the cloud computing reference architecture?

Ans: The NIST cloud computing reference architecture focuses on the
requirements of "what" cloud services provide, not on a "how to" design solution
and implementation. The reference architecture is intended to facilitate the
understanding of the operational intricacies in cloud computing. It does not
represent the system architecture of a specific cloud computing system;
instead it is a tool for describing, discussing, and developing a system-specific
architecture using a common frame of reference.

Activity 5.2: Problems

P.5.1. In the last few years, cloud computing has grown from being a
promising business concept to one of the fastest growing segments of the IT
industry. But security concerns remain the barrier to cloud computing. Write
a short essay (200-300 words) to cover cloud computing security challenges
and solutions.

Ans:

Cloud computing security challenges:

Cloud computing security faces different challenges, which are briefly described
in this essay. DATA LEAKS, also referred to as data breaches, are the release of
confidential and private data to an untrusted environment. POOR
AUTHENTICATION is also one of the challenges of cloud security: there are
numerous attacks that result from broken authentication standards. LOSS OF
DATA: as the cloud has matured over the years, examples of cloud providers
losing data have become extremely rare, but attacks that permanently delete
cloud data and harm businesses are still prevalent, and cloud data centres are
as vulnerable to natural disasters as any other facility. PACKET SNIFFING
is one of the various network attacks that allows an attacker to access your
files and other information. MALWARE INJECTION refers to a type of attack
where a piece of code is injected into the cloud, and this embedded code tricks
the cloud and starts to act as Software as a Service. If this takes place
successfully, the cloud system automatically redirects even legitimate user
requests to the injected malware; once it gains proper access to the cloud, it
starts to steal data and misuse it. PORT SCANNING is a malicious technique
that identifies open, closed, and filtered ports on a system in a cloud
environment; intruders seize sensitive data with the help of any open ports
available. These ports expose the services that are running on a system, IP
and MAC addresses, gateways, and firewall rules. Hijacking of accounts, poor
diligence, API insecurity, and cloud abuse are also challenges faced by cloud
computing security.

Cloud computing security solutions:

To satisfy the security requirements and address the security issues analysed
above, we can summarize some of the best practices for mitigating cloud security
risks. BREACH RESPONSE is a best practice for avoiding data breaches in the
cloud because it helps to trigger quick notification of data breaches and thus
reduces the amount of harm. SPECIALIZED ON-PREMISE EQUIPMENT STRATEGIES
are one of the best protection mechanisms against DDoS attacks. BUILD A
LAYERED DEFENCE MECHANISM: always ensure that restrictions are placed on the
IP addresses that can access the application; this way threats like account
hijacking can be reduced. DUE DILIGENCE AND PRIVATE SOLUTIONS means that
organizations should have a clear set of goals in mind and a thorough
understanding of all the benefits and risks involved with cloud computing
before jumping into it. SAVE THE DATA: we can use techniques like strong API
security for the protection of sensitive data. SECURE NETWORKING is very
important for the prevention of damage caused by various attacks like SQL
injection, malware injection, man-in-the-cloud attacks, and XSS attacks.

ITNE2002

Network and Information Security

Post Lecture Activity 6 on Lesson 6

Topic: Wireless Network Security

Activity 6.1:

Review questions

Q.6.1. What is the basic building block of an 802.11 WLAN?

Ans: The basic building block of an 802.11 WLAN is the Basic Service Set, which
consists of wireless stations executing the same MAC protocol and competing
for access to the same shared wireless medium.

Q.6.2. Define an extended service set.

Ans: Extended service set is defined as two or more basic service sets
interconnected by a distribution system.

Q.6.3. List and briefly define IEEE 802.11 services.

Ans: The list of IEEE 802.11 services is given below:

1. Association: Establishes an initial association between a station and an
AP.
2. Authentication: Used to establish the identity of stations to each other.
3. Deauthentication: This service is invoked whenever an existing
authentication is to be terminated.
4. Disassociation: A notification from either a station or an AP that an
existing association is terminated. A station should give this notification
before leaving an ESS or shutting down.
5. Distribution: Used by stations to exchange MAC frames when the frame
must traverse the DS to get from a station in one BSS to a station in
another BSS.
6. Integration: Enables transfer of data between a station on an IEEE
802.11 LAN and a station on an integrated IEEE 802.x LAN.
7. MSDU delivery: Delivery of MAC service data units.
8. Privacy: Used to prevent the contents of messages from being read by
anyone other than the intended recipient.
9. Reassociation: Enables an established association to be transferred from
one AP to another, allowing a mobile station to move from one BSS to
another.

Q.6.4. Is a distribution system a wireless network?

Ans: A Distribution System may or may not be. A Distribution system can be a
switch, a wired network or a wireless network.

Q.6.5. How is the concept of an association related to that of mobility?

Ans: Association is to agree on a set of security capabilities to be used. It allows
a mobile node that has made a transition to identify itself to the access point
(AP) within a basic service set (BSS) so that the node can participate in data
exchanges with other mobile nodes.

Q.6.6. What security areas are addressed by IEEE 802.11i?

Ans: IEEE 802.11i addresses four main security areas which are authentication,
key management, data confidentiality and data integrity.

Activity 6.2:

Problems

P.6.1. In IEEE 802.11, open system authentication simply consists of two
communications. An authentication is requested by the client, which
contains the station ID (typically the MAC address). This is followed by an
authentication response from the AP/router containing a success or failure
message. An example of when a failure may occur is if the client's MAC
address is explicitly excluded in the AP/router configuration.

a) What are the benefits of this authentication scheme?

Ans: This scheme is extremely simple and easy to implement. It does
protect against very simple attacks using an off-the-shelf Wi-Fi LAN card,
and against accidental connection to the wrong network.

b) What are the security vulnerabilities of this authentication scheme?

Ans: This scheme depends on all parties behaving honestly. The scheme
does not protect against MAC address forgery.

ITNE2002

Network and Information Security

Post Lecture Activity 7 on Lesson 7

Topic: Electronic Mail Security

Activity 7.1:

Review questions

Q.7.1. What are the five principal services provided by PGP?

Ans: Authentication, confidentiality, compression, e-mail compatibility and
segmentation are the five principal services provided by PGP.

Q.7.2. What are the advantages of a detached signature?

Ans: A detached signature may be stored and transmitted separately from the
message it signs. This is useful because a user may wish to maintain a separate
signature log of all messages sent or received, a detached signature of an
executable program can detect subsequent virus infection, and detached
signatures can be used when more than one party must sign a document, such
as a legal contract.

Q.7.3. Why does PGP generate a signature before applying compression?

Ans: This happens for two reasons. First, it is preferable to sign an
uncompressed message so that one can store only the uncompressed message
together with the signature for future verification. If one signed a compressed
document, then it would be necessary either to 1) store a compressed version
of the message for later verification or to 2) recompress the message when
verification is required.

Secondly, even if one were willing to generate dynamically a recompressed
message for verification, PGP's compression algorithm presents a difficulty
because the algorithm is not deterministic. Applying the hash function and
signature AFTER the compression would constrain all PGP implementations to
the same version of the compression algorithm.

Q.7.4. What is R64 conversion?

Ans: Radix-64 conversion is a scheme that PGP uses to convert the raw 8-bit
binary stream to a stream of printable ASCII characters. This expands a
message by 33%, but the session key and signature portions of the message
are relatively compact, and the plaintext message has been compressed.

It also blindly converts the input stream to radix-64 format regardless of the
content, even if the input happens to be ASCII text.

Q.7.5. Why is R64 conversion useful for an e-mail application?

Ans: Most e-mail systems only permit the use of blocks consisting of ASCII
text, so PGP must provide a service (Radix-64, or R64) for converting the raw 8-bit
binary stream to a stream of printable ASCII characters. R64 conversion is
also useful for an e-mail application because it blindly converts the input
stream to radix-64 format regardless of the content, even if the input happens
to be ASCII text. In other words, if the message is signed (but not encrypted)
and the conversion is applied to the entire block, the output will still be
unreadable to the casual observer. This provides a certain degree of
confidentiality.

Q.7.6. How does PGP use the concept of trust?

Ans: PGP associates "trust" with public keys and then exploits this trust
information. In other words, each entry in the public key ring is a public key
certificate. Each entry has a legitimate-key field that indicates the extent to
which PGP will trust that this is a valid public key for this user. If the level
of trust is high, the binding to the user ID of the key will be strong.

Q.7.7. What is MIME and S/MIME?

Ans: MIME stands for Multipurpose Internet Mail Extensions, and it is an
extension to the RFC 5322 framework intended to address some of the
problems and limitations of the use of the Simple Mail Transfer Protocol (SMTP)
and some other mail transfer protocols. While it intends to solve these
problems, it also tries to be compatible with existing RFC 5322
implementations.

S/MIME, by contrast, stands for Secure MIME. It adds digital signatures (DSS) and
encryption to Internet MIME messages. It is also the standard for public-key
encryption (incorporating three public-key algorithms) and signing of MIME
data. It provides the following functions: 1. Enveloped data, 2. Signed data, 3.
Clear-signed data, and 4. Signed and enveloped data.

Q.7.8. What is DKIM?

Ans: DKIM stands for DomainKeys Identified Mail. This is a specification for
cryptographically signing e-mail messages, permitting a signing domain to claim
responsibility for a message in the mail stream. Message recipients can
verify the signature by querying the signer's domain directly to retrieve the
appropriate public key and thereby confirm that the message was attested
to by a party in possession of the private key for the signing domain. This is
an Internet standard and has been adopted by a wide range of e-mail
providers, including corporations, government agencies, Gmail, Yahoo, and
Internet Service Providers (ISPs).

Activity 7.2: Problems

P.7.1. Phil Zimmermann chose IDEA, three-key triple DES, and CAST-128 as
symmetric encryption algorithms for PGP. Give reasons why the following
symmetric encryption algorithms are suitable or unsuitable for PGP:

a. DES

Ans: DES is unsuitable because of its short key size.

b. Two-key triple DES

Ans: Two-key triple DES, which has a key length of 112 bits, is suitable.

c. AES

Ans: AES is also suitable.

P.7.2. Encode the text “Test” using Radix-64 technique. Assume characters
are stored in 8-bit ASCII with zero parity.

Ans: It certainly provides more security than a monoalphabetic substitution
because we are treating the plaintext as a string of bits and encrypting 6
bits at a time; we are not encrypting individual characters.
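As an added example (not part of the original coursework), the following Python implements the radix-64 regrouping described in Q.7.4 from scratch, so the 8-bit-to-6-bit conversion, the "=" padding and the 33% expansion can be seen on the P.7.2 input "Test"; the standard library's base64 module is used only to cross-check the result.

```python
# Added example: from-scratch radix-64 (base64) encoder/decoder, cross-checked
# against the standard library. Input "Test" is the P.7.2 problem text.
import base64

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")


def encode_radix64(data: bytes) -> str:
    """Encode bytes into printable radix-64 text: 3 input bytes -> 4 characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                     # 0, 1 or 2 missing bytes
        # Pack up to 24 bits into one integer, zero-filling a short final chunk.
        bits = int.from_bytes(chunk + b"\x00" * pad, "big")
        # Slice the 24 bits into four 6-bit groups, most significant first.
        groups = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        chars = [ALPHABET[g] for g in groups]
        # Each missing input byte turns one trailing character into '='.
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def decode_radix64(text: str) -> bytes:
    """Inverse of encode_radix64; raises ValueError on characters not in the alphabet."""
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        bits = 0
        for ch in quad.rstrip("="):
            bits = (bits << 6) | ALPHABET.index(ch)
        bits <<= 6 * pad                         # restore the full 24-bit width
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def expansion_ratio(data: bytes) -> float:
    """Encoded length divided by raw length: 4/3, i.e. the 33% growth from Q.7.4."""
    return len(encode_radix64(data)) / len(data)


if __name__ == "__main__":
    msg = b"Test"                                # 0x54 0x65 0x73 0x74
    enc = encode_radix64(msg)
    print(enc, enc == base64.b64encode(msg).decode())   # VGVzdA== True
    print(decode_radix64(enc))                           # b'Test'
    print(round(expansion_ratio(b"x" * 300), 3))         # 1.333
```

The first three bytes 0x54 0x65 0x73 regroup into 010101 000110 010101 110011 (V, G, V, z); the lone final byte 0x74 gives 011101 000000 (d, A) followed by two "=" pad characters.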
