
COIT12202 Network Security Concepts, Assignment 2, Term 2 2013

COIT12202 Network Security Concepts


Assessment Item 1 Assignment 2
Due date: Thursday (5:00pm AEST), Week 10
Weighting: 25%
Length: N/A
ASSESSMENT

Note: Please answer all questions.

Assignment Submission
Submit your assignment electronically as a Microsoft Word file by the due date. Please do not zip the file.

Question 1:

[8 marks]

Using a web browser, go to http://md5deep.sourceforge.net, then download and install md5deep as described in Project 11-2, page 440, of Ciampa's textbook. You may find the "Getting Started with md5deep" document located at http://md5deep.sourceforge.net/startmd5deep.html useful.

Download the Zip file for Question 1 from the course Moodle site. In this file you will find a number of unrelated files and a text file labelled known-hashes.txt containing the following five md5deep hashes:

4b3feae200f1eda0bcb81d4ef3924f45
6651d7f75e6234795448c3c0ca45e7c7
9e2b501cada079550d638b845e6dcfd6
593cfa914d868421482719a546bb487b
c9ab59aa490a26ff83838f6ac0b670ae

a) Your task is to match each of these five md5deep hashes with its respective file in the zip file. In doing so, fill in the following table with the names of the files:

md5deep Hash                       Filename
4b3feae200f1eda0bcb81d4ef3924f45
6651d7f75e6234795448c3c0ca45e7c7
9e2b501cada079550d638b845e6dcfd6
593cfa914d868421482719a546bb487b
c9ab59aa490a26ff83838f6ac0b670ae

To gain marks, you need to explain the process used to match the hashes with the files, including the md5deep command line with the correct options (switches or flags), and provide screenshots as evidence. If you do not explain, you do not get marks. Hint: you do not have to run the md5deep program separately for each of the files in the zip file.

[1/2 mark for each correct filename identified]

b) Instead of the md5deep program, use the whirlpooldeep program (included in the md5deep download) to generate the hashes of the five files you identified above.

Filename                           whirlpooldeep hash

[1/2 mark for each hash generated]

Contrast these whirlpool hashes with the md5deep hashes. In doing so, answer the following questions:
- What are the differences / similarities? (100 words) [1.5 marks]
- Which one is more secure, and why? Give some example applications in which md5deep and whirlpool hashes are used. (100 words) [1.5 marks]
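The matching step in part (a) above, as an added Python example (not from the assignment or from md5deep): every file is hashed once and its digest looked up in the set read from known-hashes.txt, which is what md5deep's matching mode does for you. The sample files and the all-zero digest are constructed here.

```python
import hashlib
import os
import tempfile

# Constructed sample data (not the assignment's zip): file name -> contents.
SAMPLE_FILES = {
    "notes.txt": b"quarterly figures\n",
    "readme.md": b"# readme\n",
    "photo.bin": bytes(range(256)),
}

def md5_of_file(path, chunk_size=65536):
    """Return the lowercase hex MD5 digest of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_known_hashes(text):
    """Parse a known-hashes file: one hex digest per line, blanks ignored, case-folded."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def match_known_hashes(root, known):
    """Hash every file under root once and look each digest up in the known set.
    Returns (matches, unmatched): matches maps digest -> relative filename; unmatched
    is the set of known digests that no file produced."""
    matches = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in known and digest not in matches:
                matches[digest] = os.path.relpath(path, root)
    return matches, known - set(matches)

def demo():
    """Write the constructed files to a temp dir and match two of them plus one bogus digest."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        known_text = "\n".join([
            hashlib.md5(SAMPLE_FILES["notes.txt"]).hexdigest().upper(),  # upper case on purpose
            hashlib.md5(SAMPLE_FILES["photo.bin"]).hexdigest(),
            "0" * 32,  # constructed digest that matches no file
        ])
        return match_known_hashes(root, parse_known_hashes(known_text))
```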

Question 2: Backup Strategy

[7 marks]

Consider the grandfather-father-son data backup system presented below. The system uses the following backup tapes:

- Three (3) monthly tapes (labelled by their month name). These are used for grandfather backups, which are full backups. Tapes are stored offsite. Grandfather backups occur on the last working day of the month regardless of what day it is, and a grandfather backup overrides any father or son backup due that day. Tapes are re-used every 3 months.
- Four (4) weekly tapes (labelled Week 1, Week 2, Week 3, Week 4). These are used for father backups, which are differential backups. Tapes are stored offsite and re-used on a monthly basis.
- Four (4) daily tapes (labelled Mon, Tues, Wed, Thu). These are used for son backups, which are incremental backups. Tapes are re-used on a weekly basis.

Backups are performed at the end of each business day.

The following calendar shows the data backup schedule for June of a year (each cell gives the date and, where a backup runs, the tape used and its role):

Sun     | Mon                  | Tue            | Wed                   | Thu          | Fri                | Sat
30 May  | 31 May               | 1 June         | 2 June                | 3 June       | 4 June             | 5 June
        | May Tape Grandfather | Tues Tape Son  | Wed Tape Son          | Thu Tape Son | Week 1 Tape Father |
6 June  | 7 June               | 8 June         | 9 June                | 10 June      | 11 June            | 12 June
        | Mon Tape Son         | Tues Tape Son  | Wed Tape Son          | Thu Tape Son | Week 2 Tape Father |
13 June | 14 June              | 15 June        | 16 June               | 17 June      | 18 June            | 19 June
        | Mon Tape Son         | Tues Tape Son  | Wed Tape Son          | Thu Tape Son | Week 3 Tape Father |
20 June | 21 June              | 22 June        | 23 June               | 24 June      | 25 June            | 26 June
        | Mon Tape Son         | Tues Tape Son  | Wed Tape Son          | Thu Tape Son | Week 4 Tape Father |
27 June | 28 June              | 29 June        | 30 June               | 1 July       | 2 July             | 3 July
        | Mon Tape Son         | Tues Tape Son  | June Tape Grandfather | Thu Tape Son | Week 1 Tape Father |

Given this scenario, provide short answers to each of the following questions:

1. Your company's server was broken into by an attacker and an unknown number of system files have been tampered with. The system logs indicate that the break-in occurred on Thursday 3rd June during the middle of the day.
   - Which backup tapes are required to restore the system to its most recent backup? [1 mark]
   - In what order should they be restored? [1 mark]
   - Explain the purpose of each step in your system restore process. [1.5 marks]
   In your answer, identify each tape by its tape label and date in the calendar above (for example: "Week 2 Tape, 11 June").

2. As above, your company's server was broken into by the same attacker a second time. The system logs indicate that this break-in occurred on Wednesday 23rd June during the middle of the day. For this second break-in:
   - Which backup tapes are required to restore the system to its most recent backup? [1 mark]
   - In what order should they be restored? [1 mark]
   - Explain the purpose of each step in your system restore process. [1.5 marks]
   In your answer, identify each tape by its tape label and date in the calendar above (for example: "Week 2 Tape, 11 June").

Hint: Refer to your textbook (Ciampa, 4th edition, pages 501-504) and research data backup systems on the Web (full, differential and incremental backups, and grandfather/father/son rotation), e.g. http://www.exabyte.com/support/online/documentation/whitepapers/basicbackup.pdf
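An added Python example (not from the assignment or the textbook) that encodes the calendar above and computes the restore chain for a given incident day: the latest full backup, then the latest differential taken after it, then every incremental after that, in date order. The calendar gives no year; 2010 is assumed here because 30 May 2010 falls on a Sunday as in the calendar.

```python
from datetime import date

# Schedule transcribed from the assignment's June calendar. The calendar gives no
# year; 2010 is assumed because 30 May 2010 is a Sunday, matching the layout.
Y = 2010
SCHEDULE = [  # (date the backup ran at end of business day, tape label, type)
    (date(Y, 5, 31), "May Tape", "full"),
    (date(Y, 6, 1), "Tues Tape", "incremental"),
    (date(Y, 6, 2), "Wed Tape", "incremental"),
    (date(Y, 6, 3), "Thu Tape", "incremental"),
    (date(Y, 6, 4), "Week 1 Tape", "differential"),
    (date(Y, 6, 7), "Mon Tape", "incremental"),
    (date(Y, 6, 8), "Tues Tape", "incremental"),
    (date(Y, 6, 9), "Wed Tape", "incremental"),
    (date(Y, 6, 10), "Thu Tape", "incremental"),
    (date(Y, 6, 11), "Week 2 Tape", "differential"),
    (date(Y, 6, 14), "Mon Tape", "incremental"),
    (date(Y, 6, 15), "Tues Tape", "incremental"),
    (date(Y, 6, 16), "Wed Tape", "incremental"),
    (date(Y, 6, 17), "Thu Tape", "incremental"),
    (date(Y, 6, 18), "Week 3 Tape", "differential"),
    (date(Y, 6, 21), "Mon Tape", "incremental"),
    (date(Y, 6, 22), "Tues Tape", "incremental"),
    (date(Y, 6, 23), "Wed Tape", "incremental"),
    (date(Y, 6, 24), "Thu Tape", "incremental"),
    (date(Y, 6, 25), "Week 4 Tape", "differential"),
    (date(Y, 6, 28), "Mon Tape", "incremental"),
    (date(Y, 6, 29), "Tues Tape", "incremental"),
    (date(Y, 6, 30), "June Tape", "full"),
    (date(Y, 7, 1), "Thu Tape", "incremental"),
    (date(Y, 7, 2), "Week 1 Tape", "differential"),
]

def restore_chain(incident_day, schedule=SCHEDULE):
    """Return the tapes needed, in restore order, to rebuild the state captured by the
    last backup before incident_day (that day's own end-of-day tape is excluded).
    Each entry is (label, date, type)."""
    done = sorted(b for b in schedule if b[0] < incident_day)
    fulls = [b for b in done if b[2] == "full"]
    if not fulls:
        raise ValueError("no full backup before the incident")
    chain = [fulls[-1]]                       # 1. latest full (grandfather)
    diffs = [b for b in done if b[2] == "differential" and b[0] > chain[0][0]]
    if diffs:
        chain.append(diffs[-1])               # 2. latest differential after it (father)
    chain += [b for b in done if b[2] == "incremental" and b[0] > chain[-1][0]]  # 3. sons
    return [(label, day, kind) for day, label, kind in chain]
```

Incrementals taken before the chosen differential are left out because the differential already contains every change since the full backup.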

Question 3: SNORT Rule

[10 marks]

Please refer to page 8 of the Snort Project (Question 3) found on the Moodle site under Week 8. In the project, you are asked to write a rule that generates an alert when any host attempts to transfer the file /tftpboot/secret from any other host using the TFTP protocol. In this assignment question, your task is to do the same thing, but instead write a rule that generates an alert when any host attempts to transfer the file /tftpboot/secretary.doc from any other host using the TFTP protocol. Note that this attempt is captured in packet 154 of the PCAP file. Test your rule, making sure that a single packet is detected.

An example of how to lay out your solution follows:

var HOME_NET 138.77.23.0/16
var EXTERNAL_NET !138.77.23.0/16
Your explanation of the above, in italics

drop udp $EXTERNAL_NET any -> $HOME_NET 993
Your explanation of the above, and so on

An example explanation for a SNORT rule option:

content:"USER root"; nocase;
The content of the packet must contain the string "USER root" to be matched. Furthermore, the nocase option specifies that the string "USER root" should be matched case-insensitively; in other words, it will match that string whether in upper, lower or mixed capitalisation.
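An added Python example (not from the assignment, the Snort project or Snort itself) of the detection logic the requested rule expresses: parse TFTP read/write requests (RFC 1350) sent to UDP port 69 and flag those that name /tftpboot/secretary.doc. Packet numbers and contents are constructed here, not taken from the PCAP.

```python
import struct

# TFTP (RFC 1350) request layout: opcode (2 bytes) | filename | 0 | mode | 0
RRQ, WRQ = 1, 2

def parse_tftp_request(payload):
    """Return (opcode, filename, mode) for an RRQ/WRQ payload, or None if it is not a
    well-formed read/write request."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or parts[-1] != b"":  # need filename, mode and a final NUL
        return None
    filename, mode = parts[0], parts[1].lower()
    if mode not in (b"netascii", b"octet", b"mail"):
        return None
    return opcode, filename.decode("latin-1"), mode.decode("ascii")

def build_request(opcode, filename, mode="octet"):
    """Build a TFTP request payload; used here only to construct sample traffic."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def alert_on_watched_file(udp_packets, watched="/tftpboot/secretary.doc"):
    """Code equivalent of the rule's intent: flag UDP datagrams to port 69 whose TFTP
    request names exactly the watched file (like a content: match without nocase).
    udp_packets is an iterable of (pkt_no, dst_port, payload); returns (pkt_no, op, mode)."""
    hits = []
    for pkt_no, dst_port, payload in udp_packets:
        if dst_port != 69:
            continue
        req = parse_tftp_request(payload)
        if req and req[1] == watched:
            hits.append((pkt_no, "RRQ" if req[0] == RRQ else "WRQ", req[2]))
    return hits

# Constructed sample traffic; packet numbers are illustrative, not from the PCAP.
SAMPLE_PACKETS = [
    (1, 69, build_request(RRQ, "/tftpboot/boot.img")),
    (2, 53, b"\x00\x01not tftp"),                                        # wrong port
    (3, 69, build_request(RRQ, "/tftpboot/secretary.doc")),             # read attempt: alert
    (4, 69, build_request(WRQ, "/tftpboot/secretary.doc", "netascii")), # write attempt: alert
    (5, 69, build_request(RRQ, "/tftpboot/secretary.doc.bak")),         # different file: no alert
    (6, 69, b"\x00\x03\x00\x01payload"),                                # DATA block, not a request
]
```

Only the request to port 69 carries the filename; the DATA and ACK packets that follow use ephemeral ports and never repeat it, which is why a single packet should match.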

Marking criteria: 5 marks for explaining/commenting and 5 marks for rule correctness, as explained below.

Commenting criteria:
- 2.5 marks: A very good, in-depth explanation of the SNORT rule. Shows good understanding of the material
- 2 marks: Has a few misunderstandings or unclear explanations
- 1 - 1.5 marks: Passable explanations, a few mistakes, some major, and not very descriptive
- 0.5 marks: Major problems. Does not demonstrate a good understanding of the material, or the solution is very vague
- 0 marks: Essentially nothing correct, or solutions have been copied verbatim from other sources

SNORT rule correctness criteria:
- 2.5 marks: A correct, concise SNORT rule that identifies malicious packets without false positives or false negatives, and adheres fully to the assignment specification
- 1.5 - 2 marks: A few mistakes but still essentially correct, and does not contain syntax errors
- 0 - 1 marks: Does not meet the specifications, has false positives/false negatives, or has syntax errors

Please note

Your answers need to be thoroughly documented using in-text references (Harvard or APA style). Please remember that your assignment will be sent to Turnitin for an academic integrity check; consequently, it is your responsibility to answer the questions in your own words. Plagiarism will be referred to CQU authorities for investigation and possible academic penalty.
