NWS Assignment
Intake: UC2F1701IT(ISS)
Names: Boo Ken Hwang (TP044677), Loh Choon Way (TP041264), Shahzad Hussain (TP040954), Abdulaziz Aljawder (TP032807)
Table of Contents
Marking Table
Workload Matrix for 4 Members
Introduction
Individual Part
1.0 Web Defacement (Loh Choon Way TP041264)
1.1 What is Web Defacement
1.2 How to Protect from Web Defacement
1.3 Tools to Protect from Web Defacement
1.4 Methods of Web Defacement
1.5 Protection Methods from DDoS Attack
2.0 Generic Routing Encapsulation (Boo Ken Hwang TP044677)
2.1 What is Generic Routing Encapsulation (GRE)
2.2 OSI Model of 7 Layers
2.3 Advantages and Disadvantages of GRE
2.4 Differences of the GRE Tunnel
2.5 Vulnerability Problem
2.6 Configuration of Generic Routing Encapsulation
3.0 Android Security (Shahzad Hussain TP040954)
3.1 Introduction to Android
3.2 Android Architecture
3.3 Android Architecture Layers
4.0 Voice over Internet Protocol H.323 (Abdulaziz Aljawder TP032807)
4.1 Introduction to Voice over Internet Protocol
4.2 Main Body of Voice over Internet Protocol
4.3 Steps of an H.323 Call
4.4 VoIP Architecture
4.5 Multipoint Control Unit (MCU)
4.6 Conclusion of VoIP
Group Part
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
Question 7
Question 8
Question 9
Question 10
Question 11
Question 12
Question 13
Conclusion
Reference
Marking Table
Individual (100%): Analytical (20), Configurations (10), Explanation (10), Individual (60%), Grand Total (100)
Members: Loh Choon Way (TP041264), Boo Ken Hwang (TP044677), Shahzad Hussain (TP040954), Abdulaziz Aljawder (TP032807)

Workload Matrix for 4 Members
Columns in the order the extraction shows them: Loh Choon Way, Shahzad Hussain, Abdulaziz Aljawder, Boo Ken Hwang.
Project Task: 25% / 25% / 25% / 25%
Question 1: 100% / 0% / 0% / 0%
Question 3: 0% / 0% / 0% / 100%
Question 6: 0% / 0% / 100% / 0%
Project Plan, Chapter/Sections, Question 5, Questions 8 to 13 and Final Documentation: percentages not recorded in the extracted table.
Introduction
The ISP completely manages the router, and Company A cannot control it. The third interface on the firewall hosts several DMZ servers, which run HTTP/HTTPS, SMTP and FTP applications. The goal of the project is to protect the internal and DMZ hosts from external threats.
Individual Part
1.0 Web Defacement (Loh Choon Way TP041264)
1.1 What is Web Defacement
Web defacement is an attack that changes the visual appearance of a website or web page. The hacker breaks into the web server and replaces the hosted website with content of their own. The method most often used for defacement is SQL injection, which can be used to log on to administrator accounts; another method is obtaining a username and password through FTP.
A defacement usually covers the whole page, and the page typically includes the defacer's pseudonym or "hacking codename". The defacer normally mocks the system administrator for failing to maintain server security. Sometimes the defacement is harmless, but some defacers will upload viruses or delete files from the server. (Banffcyber.com, 2017)
1.2 How to Protect from Web Defacement
Hackers use SQL injection to attack the SQL server by reading existing data, destroying data, or changing data in the database system. Most websites collect user information from input forms, and that user input is placed directly into the SQL statement within the web application. (Banffcyber.com, 2017)
The following is an example of how a hacker can easily trigger a SQL injection attack.
To prevent the above injection, use bound variables with the prepared statement method. The best way to prevent SQL injection, however, is to avoid dynamically generated SQL in the code. In addition, validate input where possible. For example:
Cross Site Scripting (XSS) is when a hacker runs unauthorized code on the web application by using a web form to pass scripting code. By this method, hackers can change the settings of the website, steal the session cookies of other users of the website, or attack the website by forming an XSS. To prevent XSS attacks, the web form should stop the user from injecting code. (Banffcyber.com, 2017)
One of the best practices to prevent cross site scripting attacks is to properly encode output. The most common XSS attack is stealing cookies: the hacker inserts malicious code that sends all the cookies of the website's visitors to the hacker. Cookie theft can be prevented by using HTTP-Only cookies: access to the cookie through JavaScript's document object is denied, and the cookie is only sent over HTTP, thus preventing cookie theft via XSS. Another prevention method is a Web Application Firewall (WAF), which can check for malicious input values and modification of read-only parameters, filter out malicious output and block suspect requests. (Banffcyber.com, 2017)
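The two defences above, as an added Python example (not code from the report or the cited source): a comment rendered without and with output encoding, and a session cookie issued with the HttpOnly flag. The comment text and cookie name are constructed; the Secure and SameSite attributes are additions beyond what the text mentions.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a comment a visitor submits through the site's form.
MALICIOUS_COMMENT = "Nice site<script>alert(document.cookie)</script>"


def render_comment_unsafe(comment: str) -> str:
    # Reflects the comment into the page as-is: any <script> inside it runs in every visitor's browser.
    return '<div class="comment">' + comment + "</div>"


def render_comment_encoded(comment: str) -> str:
    # Output encoding: html.escape turns < > & " and ' into entities, so the browser
    # shows the text literally instead of executing it. Encode at output time, for every untrusted value.
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def session_cookie_header(session_id: str) -> str:
    # HttpOnly keeps the cookie out of document.cookie, so script that does get injected cannot read it.
    # Secure limits the cookie to HTTPS and SameSite limits cross-site sending (assumed extra hardening).
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def contains_script_tag(rendered_html: str) -> bool:
    # Check used by the demo: does the rendered HTML still contain a live <script> tag?
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(MALICIOUS_COMMENT))    # script tag survives
    print(render_comment_encoded(MALICIOUS_COMMENT))   # &lt;script&gt; shown as text
    print(session_cookie_header("abc123"))             # Set-Cookie: session=abc123; HttpOnly; ...
```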
1.3 Tools to Protect from Web Defacement
Detection tools only tell you that the website is defaced; they take no action. To be secure, the site should be taken offline when defaced and an investigation and forensics should follow. The hacker might have broken deeper into the company or organisation to access the server or database.
In addition, an organisation can use Banff Cyber's WebOrion Restorer. This application is able to create a secured replica of the website; the replica will not contain any of the vulnerabilities of the defaced server. (Banffcyber.com, 2017)
1. Change Detection
Change Detection is a free service that sends a daily, weekly or monthly notification about any change to the text of the configured webpage, whether text is added or removed. (Kumar et al., 2017)
2. Status Cake
Status Cake is another free service: you configure a string on the page and it only alerts when the page does not match. Status Cake can be configured under single monitoring with: (Kumar et al., 2017)
- How frequently (30/60 seconds, 15/30/60 minutes or daily) your webpage should be checked
- How soon (0-60 minutes) an alert should be triggered after the first downtime is detected
- Blacklist monitoring
- Which HTTP status codes should raise an alert
- Crawl timeout
- A maintenance window, so that you don't get alerts during known downtime
3. IPVTec
IPVTec is an online service that alerts when the website is defaced and sends the notification by email or SMS. (Kumar et al., 2017)
4. SUCURI
SUCURI is a service offering malware scanning and security monitoring; it provides security and monitoring services for many platforms such as WordPress, phpBB and others. (Kumar et al., 2017)
5. Site 24x7
This service provides end-to-end application server monitoring and defacement detection. The best thing about this service is that many combinations can be configured to secure the website from defacement. (Kumar et al., 2017)
6. Visualping
This application lets you select the part of the website area to monitor and detect changes in. It is better used for some major part of the page, so that alerts are focused. (Kumar et al., 2017)
7. OnWebChange
OnWebChange can select multiple areas of a webpage to watch, and it can monitor files such as PDF, video, images and others. It can notify by email, Pushover, TeamStinct or HTTP callback. (Kumar et al., 2017)
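The two detection styles these tools rely on, as an added Python example that is not code from the report or from any of the tools: a content hash of a selected region of the page (change detection, with an area selection like Visualping's) and a required-string match (the Status Cake approach). The pages and markers are constructed sample data.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample pages (not real sites). The <!-- content --> markers delimit the region to monitor.
BASELINE_HTML = """<html><body>
<div id="ad">Ad of the day: 2017-05-01</div>
<!-- content -->
<h1>Welcome to Example Corp</h1>
<p>We sell widgets.</p>
<!-- /content -->
</body></html>"""

# Same page after the CMS reflowed the HTML (extra whitespace) and rotated the ad outside the region.
REFLOWED_HTML = (BASELINE_HTML.replace("2017-05-01", "2017-05-02")
                 .replace("</h1>\n<p>", "</h1>\n\n    <p>"))

# Defaced page: the monitored region has been replaced.
DEFACED_HTML = BASELINE_HTML.replace(
    "<h1>Welcome to Example Corp</h1>\n<p>We sell widgets.</p>",
    "<h1>Page replaced by a constructed defacer</h1>")

START_MARKER, END_MARKER = "<!-- content -->", "<!-- /content -->"


def monitored_region(page_html: str, start_marker: str = START_MARKER,
                     end_marker: str = END_MARKER) -> Optional[str]:
    # Only the part between the markers is watched, so rotating ads or dates elsewhere on the page
    # do not raise alerts. Missing markers mean the page was rewritten and count as a change.
    start = page_html.find(start_marker)
    if start == -1:
        return None
    end = page_html.find(end_marker, start + len(start_marker))
    if end == -1:
        return None
    return page_html[start + len(start_marker):end]


def fingerprint(region: str) -> str:
    # Change detection: hash the region after collapsing whitespace, so a reflow is not a "change".
    normalized = re.sub(r"\s+", " ", region).strip()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def check_page(page_html: str, baseline_fp: str, expected_strings: List[str]) -> Dict[str, object]:
    # Two independent checks: region hash against the stored baseline, and required strings
    # that must still appear somewhere on the page. Either failing raises an alert.
    region = monitored_region(page_html)
    current_fp = fingerprint(region) if region is not None else None
    missing = [s for s in expected_strings if s not in page_html]
    changed = current_fp != baseline_fp
    return {"changed": changed, "missing_strings": missing, "alert": changed or bool(missing)}


if __name__ == "__main__":
    baseline = fingerprint(monitored_region(BASELINE_HTML))
    required = ["Welcome to Example Corp"]
    for name, page in (("baseline", BASELINE_HTML), ("reflowed", REFLOWED_HTML), ("defaced", DEFACED_HTML)):
        print(name, check_page(page, baseline, required))
```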
1.4 Methods of Web Defacement
1. SQL Injection
SQL injection is a type of security exploit that abuses a loophole in SQL code: the hacker goes through a web form or manipulates the SQL parameters in URLs. Normally the hacker inserts code related to SQL commands into a user input form so that it executes. Another attack is to insert malicious code into a string that is stored in a table; the malicious code only executes when the stored string is concatenated into a dynamic SQL command. (Learn Ethical Hacking and Penetration Testing Online, 2016)
Cross site scripting (XSS) works when a user inputs malicious code into a website, which forces the application to do something. XSS attacks are well known for hitting the biggest websites, such as the FBI, Apple and Facebook. (Learn Ethical Hacking and Penetration Testing Online, 2016) Other website features commonly vulnerable to XSS attacks are:
• Search Engines
• Login Forms
• Comment Fields
Remote File Inclusion (RFI) is found on many websites. The hacker executes server-side commands as the logged-in user, which gives the hacker access to files on the server. With this access, the hacker can take over the whole website system. (Learn Ethical Hacking and Penetration Testing Online, 2016) RFI can lead to dangerous consequences for the website:
5. DDoS Attack
A distributed denial of service attack shuts down the website so that users cannot view it. A website under DDoS attack is shut down temporarily or indefinitely; the bandwidth and resources of the website are not accessible to legitimate users. (Learn Ethical Hacking and Penetration Testing Online, 2016)
1.5 Protection Methods from DDoS Attack
1. Do It Yourself
Normally some programmers write Python scripts to filter out the bad traffic, and some use an existing firewall to block the traffic. As there are now so many types of DDoS attack, these methods may not work when the attack is too large. (Sean Leach, 2013)
Similar to Do It Yourself, but this method is to purchase and deploy dedicated DDoS mitigation appliances. These specialized devices are purpose-built: they detect and filter the malicious traffic and are placed in front of the servers and routers.
Some users may think the device is an extra cost, because someone must be around the device and it does nothing until the server is attacked. It is also expensive to hire professional security engineers to operate the devices. The other disadvantage of these devices is that they cannot handle very high volume attacks. (Sean Leach, 2013)
2.0 Generic Routing Encapsulation (Boo Ken Hwang TP044677)
2.1 What is Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation was created by Cisco. It is a tunnelling protocol that carries data packets from router to router. GRE provides a private, one-to-one network link, and a Virtual Private Network (VPN) has similar features for private communication. For example, a router sends the encapsulated packet over the internet, and the internet delivers the data packet to another router; this process is called a GRE tunnel. The purpose is to protect the packet as it is sent to the other router over the internet. For example, a GRE tunnel encapsulates the third layer of the OSI model, which is the network layer protocol. [GRE08]
2.2 OSI Model of 7 Layers
The OSI model defines network protocols, and each layer has a different function. There are seven layers: the Physical layer, Data Link layer, Network layer, Transport layer, Session layer, Presentation layer and Application layer. The GRE tunnel involves the network layer, which is where the router transports IP-addressed data packets to the internet; it provides the connection between the two ends to transmit the data, like VPN functionality. The transport layer is also involved in the GRE tunnel. [Bea17]
Figure 1: GRE Encapsulation Packet of function [Tro17]
GRE encapsulates network layer protocols in IP packets; the common standard is RFC 1701 and RFC 1702. Particular protocols need to implement it. GRE is specified in RFC 2784 and is used with IPv4 and IPv6 as the payload addresses encapsulated in IPv4 packets. IPv4 addresses are exhausted, and IPv6 continues from IPv4 with a much bigger address space. [ali17]
A GRE tunnel provides a port for devices so that they can transfer data packets. There are four parts to an encapsulated GRE packet: the Delivery Header (IPv4), the GRE Header, the Payload Header (IPv4/IPv6) and the Payload. [GRE17]
A GRE tunnel supports many types of packets and protocols. For example, encapsulation and de-encapsulation on a switch work as follows. [JUN12]
Encapsulation Process
- The switch receives the payload that it needs to send to the GRE tunnel port.
- The tunnel port encapsulates the data in a GRE packet, and the system then encapsulates the GRE packet in an IP packet.
De-Encapsulation Process
- When the IP packet reaches the destination, the switch checks the destination address to confirm that the address is correct.
- The IP header is removed and the packet is handed to the GRE protocol.
- The GRE protocol strips the GRE header and forwards the packet for transmission.
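The four-part packet and the two processes above, as an added Python example that is not code from the report or any cited source: it builds a delivery IPv4 header, a GRE header (RFC 2784 flags plus the RFC 2890 Key option), an inner IPv4 header and payload, then runs the de-encapsulation checks in the order listed. Addresses, key and payload are constructed sample values. The Key field is a plaintext tunnel identifier visible to every hop, not encryption, which is the point the IPsec discussion later makes.

```python
import struct
from ipaddress import ip_address
from typing import Optional

GRE_IP_PROTOCOL = 47      # IP protocol number in the delivery header
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an IPv4 payload
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # Checksum Present, Key Present, Sequence Present


def inet_checksum(data: bytes) -> int:
    # Ones'-complement Internet checksum (RFC 1071), used by both the IPv4 header and GRE.
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    # Minimal 20-byte IPv4 header (no options) with a correct header checksum.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_inner_packet(src: str, dst: str, data: bytes) -> bytes:
    # "Payload header + payload": a constructed inner IPv4 packet carrying raw data (protocol 17 as a stand-in).
    return ipv4_header(src, dst, 17, len(data)) + data


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner_packet: bytes, key: Optional[int] = None) -> bytes:
    # Encapsulation process: GRE header in front of the payload, then the delivery IPv4 header in front of that.
    flags = FLAG_C | (FLAG_K if key is not None else 0)
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4) + struct.pack("!HH", 0, 0)  # checksum filled in below
    if key is not None:
        gre += struct.pack("!I", key)   # plain tunnel identifier, readable by anyone on the path
    gre += inner_packet
    gre = gre[:4] + struct.pack("!H", inet_checksum(gre)) + gre[6:]   # checksum covers header + payload
    return ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTOCOL, len(gre)) + gre


def gre_decapsulate(frame: bytes, my_address: str, expected_key: Optional[int] = None) -> bytes:
    # De-encapsulation process: confirm the destination, strip the IP header, validate and strip the GRE header.
    if frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    if inet_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if str(ip_address(frame[16:20])) != my_address:
        raise ValueError("packet is not addressed to this tunnel endpoint")
    if frame[9] != GRE_IP_PROTOCOL:
        raise ValueError("delivery header does not carry GRE")
    gre = frame[ihl:]
    flags, proto_type = struct.unpack_from("!HH", gre, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & FLAG_C:
        if inet_checksum(gre) != 0:       # a valid checksummed block sums to zero
            raise ValueError("bad GRE checksum")
        offset += 4
    key = None
    if flags & FLAG_K:
        (key,) = struct.unpack_from("!I", gre, offset)
        offset += 4
    if flags & FLAG_S:
        offset += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: packet dropped")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected payload protocol 0x%04x" % proto_type)
    return gre[offset:]


if __name__ == "__main__":
    inner = build_inner_packet("10.0.1.5", "10.0.2.7", b"hello")
    frame = gre_encapsulate("203.0.113.1", "198.51.100.2", inner, key=0x1234)
    print(frame.hex())
    print(gre_decapsulate(frame, "198.51.100.2", expected_key=0x1234) == inner)   # True
```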
2.3 Advantages and Disadvantages of GRE
Advantages
- Generic Routing Encapsulation can encapsulate multiple protocols in the GRE tunnel.
- A GRE tunnel also lets the user send any type of traffic from one destination to another.
- GRE is easy to use, and the GRE command-line process is easy to learn.
Disadvantages
- GRE encapsulates the outer packet, but the inner packet still needs IPsec to secure the payload; without adding IPsec (the ESP feature) the packet is not fully protected.
- GRE does not provide encryption or authentication; IPsec has these features, which make the GRE tunnel more secure.
- A GRE tunnel creates a point-to-point connection like a VPN, but with less security.
- A single backbone protocol can carry multiple protocols in the GRE tunnel.
- The GRE tunnel provides a solution to the limited hop count of the network.
- It better supports devices and systems that cannot operate on IP-in-IP packets.
- The tunnel can receive packets according to some optional fields, which is useful in some UDP applications.
Security features
The GRE protocol can carry an additional key in the tunnel header, which can be used to increase the security of the tunnel for the addresses.
2.4 Differences of the GRE Tunnel
IP-in-IP has a function similar to GRE. It is an encapsulation protocol, but it is simpler than a GRE tunnel. With this technique the IP protocol is encapsulated and placed in an IP header. The difference from a GRE tunnel is that an IP-in-IP tunnel cannot carry multiple protocols at the same time.
- Encapsulation of IP packets is supported by the devices, but not the GRE protocol.
GRE and IPsec differ in security features. GRE encapsulation works at the GRE header, meaning the GRE tunnel only protects the outer protocol with the GRE header. When an IP packet is sent from one network to another through the GRE tunnel, it cannot be analysed or processed like an IP packet by any intermediate router.
Generic Routing Encapsulation provides simple steps to guide the user and an easier way for the user to understand the configuration. A packet sent to the GRE tunnel is routed to the tunnel port and wrapped to become a new packet.
IPsec is a protocol that helps to solve the GRE tunnel security issues. GRE covers the outer packet, and IPsec can be combined with the GRE tunnel to wrap the inner protocol. Encapsulating the inner protocol stops an unauthorized user from breaking into the GRE traffic. Combining the two features is more secure than GRE alone. For example, the GRE packet can be given one of the security services called Encapsulating Security Payload (ESP), which protects the IP addresses. GRE provides a VPN tunnel for traffic to pass through, but it does not provide encryption for the protocol. There are some security threats that can affect the GRE tunnel. IPsec, on the other hand, uses a full set of protocols for encryption.
The difference between GRE and IPsec is that GRE processes data faster than IPsec because it does not provide any encryption, whereas IPsec converts the packet and adds encryption and decryption, which takes time. IPsec encapsulates the payload, meaning the user data or inner packet of a protocol. IPsec cannot carry multiple protocols like a GRE tunnel, but it provides security features to protect the tunnel process.
Figure 3: [Enc17]
From the picture, three routers and a GRE tunnel are needed to configure the process and carry out the encryption that protects the packets.
2.5 Vulnerability Problem
A decapsulation vulnerability was found in GRE; the advisory is version 1.0. There were some bugs in GRE, and the problems were listed once the developers understood them. Three bugs stop GRE from functioning. Researchers from Phenoelit reported the issue to Cisco.
The affected product is Cisco IOS software, versions 12.0, 12.1 and 12.2. In these versions the GRE functionality stops working in a GRE tunnel between two routers. Some versions are not affected and can be used as usual.
Cisco created a sample solution to teach users how to solve and fix the problem. The tunnel has to be debugged so that the GRE tunnel can function. Some new features were also added to make sure the problem cannot appear again. The problem was reported in 2006. Cisco also gives some websites where users can find more information and provide feedback.
- Cisco NX-OS supports the GRE header of RFC 2784; RFC 1701 is not supported by Cisco NX-OS.
- The tunnel endpoints need to be in the same VRF; otherwise the data cannot be transmitted and fails to pass through the GRE tunnel.
- The GRE tunnel does not support multicast.
2.6 Configuration of Generic Routing Encapsulation
[Aru16]
Example of the GRE tunnel configuration at the command prompt in Cisco Packet Tracer:
This is the first step: configure Router 1 for the GRE tunnel connection. It creates the tunnel interface that links to the other router, assigns the IP address, and tells the GRE tunnel its final destination.
Figure 6: Configuration of Router 2
This is the second step: configure Router 2 to add the IP address and open the interface that links to the other router. After Router 2 is configured, the connection between Router 1 and Router 2 is established.
This is the third step: configure OSPF on Router 1 to add the network area addresses.
Figure 8: Configuration of OSPF in Router 2
This is the last step: configure Router 2 with OSPF in the same way as Router 1, but with a different network area address.
After these few commands, the GRE tunnel between sender and receiver is built in Cisco Packet Tracer. The configuration is complete on both sides, and the sender can transmit packets to the receiver through the GRE tunnel.
3.0 Android Security (Shahzad Hussain TP040954)
3.1 Introduction to Android
Tablets and smartphones are becoming more popular every day and year, and the operating systems for these devices are as important as the devices themselves. An operating system such as Android runs on low-powered battery devices and drives hardware such as Wi-Fi, the camera, lights, various sensors and the touch screen. Just like other operating systems, Android provides a defined environment in which applications run. Just like applications for other operating systems such as iOS and Symbian, Android applications are written in Java and run on virtual machines. These applications are executed by Dalvik, a core component that executes its own byte code. The Android Market is the place where all applications can be accessed by users for download. Google bought the Android platform from Android Inc. and released it as an open source project. The Open Handset Alliance (OHA) software for developing applications is freely acquired from a central repository [Goo], and under the BSD and Apache licenses it can be modified [Ope17]. The Android system is based on a Linux 2.6 kernel, which allows Android to run effectively and efficiently on mobile devices. The focus of Android is always to optimize the infrastructure for the limited resources of mobile devices. [Lia10]
3.2 Android Architecture
The modified Linux kernel operates as the HAL, and the Android architecture runs on three different layers, the Application layer, the Libraries layer and the Linux Kernel layer, as shown in Figure 1. These layers provide networking functionality, memory management, process management and device drivers. [INC17]
Figure 1
Blue items (Application layer) run in the Dalvik Virtual Machine and are written in Java. Green items (Library layer) are written in C/C++.
3.3 Android Architecture Layers
1. Application Layer
This is the top layer of the Android architecture and contains all the necessary applications such as the browser, calling, SMS, Google Maps, calendar and other applications. These are the applications the end user works with. The application layer also contains the application framework, and developers can extend and reuse the components presented in its API. The application layer has different managers, such as: [Lia10]
- Activity manager: controls all the activities and manages the application lifecycle.
- Resource manager: gives access to non-code resources such as graphics.
- Notification manager: displays custom alerts in the status bar for all applications.
- Location manager: handles the geographic location of the user.
- Package manager: retrieves data and information about the packages installed on the device.
- Window manager: creates layouts and views.
- Telephony manager: stores all the information and settings about network connections and services on the device.
2. Android Runtime
Android has a DVM (Dalvik Virtual Machine) in which all applications execute. It also allows the user to use more than one application at the same time. [Lia10]
3. Libraries
The Android libraries are written in C/C++. The application framework is used to reach these libraries, as they cannot be accessed directly. They include libraries for video formats, web libraries used by the browser, etc. [Lia10]
4. Linux Kernel
This is the core layer of the Android architecture and provides services such as security, memory management and power management, which help hardware and software communicate. [Lia10]
4.0 Voice over Internet Protocol H.323 (Abdulaziz Aljawder TP032807)
4.1 Introduction to Voice over Internet Protocol
Voice over Internet Protocol (VoIP) transmission dates to 1973, when IP was used for voice on the ARPANET. However, VoIP entered the market in the 1990s as a way to save on transmission costs by leveraging the constraints of voice information. Its strength is the use of existing LAN and WAN capacity for voice communications, reducing the cost paid to public switched telephone network (PSTN) operators. At the same time, the ITU (International Telecommunication Union) advanced H.323 as a standard in 1999; it is an ISDN (Integrated Services Digital Network) style of VoIP protocol. In addition, by the beginning of 2000 the IETF completed the standardization of the Internet-based VoIP protocol called SIP.
H.323 has the advantage of being able to serve multiple parts, including media communications (data conferencing, video and voice), and applications that must interoperate with the PSTN. H.323 is established for communication through an IP system and is the best way to communicate via a packet-based network.
Since 2006 H.323 has been in decline: SIP is better suited to IP and web applications, and so it became the choice of the Internet community. However, SIP has large vulnerabilities that lead to security threats, while H.323 has better security. Finally, H.323 is more inclined to the local network.
2. Q.931, a protocol borrowed from ISDN, also used for call signalling
6. H.450.x for additional services such as call transfer, call diversion, etc.
4.3 Steps of an H.323 Call
Setup:
- First, the terminal registers itself with the gatekeeper using the RAS protocol (Registration, Admission, Status), sending an ARQ message and receiving an ACF message.
- Using the H.225 protocol (used for call setup and arrival), terminal T1 sends a SETUP message to Terminal 2 asking for a connection. This message contains the IP address, port and name of the calling client, or the IP address and port of the called client.
- Terminal 2 sends a CALL PROCEEDING message, warning of the attempt to establish a call.
- Terminal 2 must register with the gatekeeper as T1 did previously.
- An alerting message is then sent to show the beginning of the connection.
Control signalling:
At this stage, transactions using H.245 (conference control) messages between the two terminals (request and reply) establish which terminal is master and which is slave, the capabilities of each, and the audio and video codecs. When the transaction is complete, the communication channel (IP address, port) is opened.
- Terminal Capability Set (TCS): message sent to advertise the capabilities of the terminals that take part in a call.
- Open Logical Channel (OLC): message sent to open the logical channel; it contains the information that allows the reception and coding of the data, including the data type that will be sent.
Audio:
Call release:
- The calling terminal can initiate the ending process using the Close Logical Channel and End Session Command messages to finish the call, again using H.245.
- A RELEASE COMPLETE message is sent to stop the connection using H.225.
- The final step is to unregister the terminals from the gatekeeper using the RAS protocol.
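The call phases above as an added, constructed simulation (not code from the report or from any H.323 implementation): a gatekeeper that admits only terminals registered in its zone, and a call that walks through RAS admission, H.225 setup, H.245 capability exchange and channel opening, and release in the order described, recording every message. Terminal names, addresses, codec lists and the rule that the caller's codec preference wins are assumptions.

```python
from typing import List


class CallError(Exception):
    """Raised when a step is refused or attempted out of order."""


class Gatekeeper:
    # Manages one zone: terminals registered in the zone are admitted (ARQ -> ACF), others are rejected (ARJ).
    def __init__(self, zone_members: List[str]):
        self.zone = set(zone_members)
        self.admitted = set()

    def ras(self, terminal: str, message: str) -> str:
        if message == "ARQ":                       # admission request
            if terminal not in self.zone:
                return "ARJ"                       # admission reject
            self.admitted.add(terminal)
            return "ACF"                           # admission confirm
        if message == "DRQ":                       # disengage request at call release
            self.admitted.discard(terminal)
            return "DCF"
        raise CallError(f"unknown RAS message {message}")


class Terminal:
    def __init__(self, name: str, ip: str, port: int, codecs: List[str]):
        self.name, self.ip, self.port, self.codecs = name, ip, port, list(codecs)
        self.admitted = False
        self.channels: List[str] = []


def _admit(gk: Gatekeeper, t: Terminal, trace: List[str]) -> None:
    # RAS exchange; a terminal may not signal H.225 until it holds an ACF.
    trace.append(f"RAS {t.name}->GK ARQ")
    reply = gk.ras(t.name, "ARQ")
    trace.append(f"RAS GK->{t.name} {reply}")
    if reply != "ACF":
        raise CallError(f"{t.name} refused admission ({reply})")
    t.admitted = True


def h323_call(gk: Gatekeeper, caller: Terminal, callee: Terminal, trace: List[str]) -> str:
    # Runs the phases in order and returns the negotiated codec; every message is appended to trace.
    # Setup (RAS, then H.225)
    _admit(gk, caller, trace)
    trace.append(f"H.225 {caller.name}->{callee.name} SETUP src={caller.ip}:{caller.port} name={caller.name}")
    trace.append(f"H.225 {callee.name}->{caller.name} CALL PROCEEDING")
    try:
        _admit(gk, callee, trace)                  # the called terminal registers just as T1 did
    except CallError:
        trace.append(f"H.225 {callee.name}->{caller.name} RELEASE COMPLETE")
        gk.ras(caller.name, "DRQ")                 # clean up the caller's admission before giving up
        caller.admitted = False
        raise
    trace.append(f"H.225 {callee.name}->{caller.name} ALERTING")
    trace.append(f"H.225 {callee.name}->{caller.name} CONNECT")
    # Control signalling (H.245): capability exchange, then logical channels
    trace.append(f"H.245 {caller.name}->{callee.name} TCS codecs={caller.codecs}")
    trace.append(f"H.245 {callee.name}->{caller.name} TCS codecs={callee.codecs}")
    common = [c for c in caller.codecs if c in callee.codecs]
    if not common:
        raise CallError("no common codec: call cannot proceed")
    codec = common[0]                              # caller's preference order wins (assumed policy)
    for a, b in ((caller, callee), (callee, caller)):
        trace.append(f"H.245 {a.name}->{b.name} OLC codec={codec} media={a.ip}:{a.port + 1}")
        a.channels.append(codec)
    # Call release: H.245 first, then H.225, then RAS
    trace.append(f"H.245 {caller.name}->{callee.name} CLOSE LOGICAL CHANNEL")
    trace.append(f"H.245 {caller.name}->{callee.name} END SESSION COMMAND")
    for t in (caller, callee):
        t.channels.clear()
    trace.append(f"H.225 {caller.name}->{callee.name} RELEASE COMPLETE")
    for t in (caller, callee):
        trace.append(f"RAS {t.name}->GK DRQ")
        trace.append(f"RAS GK->{t.name} {gk.ras(t.name, 'DRQ')}")
        t.admitted = False
    return codec


if __name__ == "__main__":
    gk = Gatekeeper(["T1", "T2"])
    t1 = Terminal("T1", "10.0.0.1", 1720, ["G.711", "G.729"])
    t2 = Terminal("T2", "10.0.0.2", 1720, ["G.729", "G.723"])
    messages: List[str] = []
    print("negotiated codec:", h323_call(gk, t1, t2, messages))   # G.729
    print("\n".join(messages))
```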
H.235 protocols for the security platform in H.323:
- Authentication for H.225.0 signalling using X.509 digital certificates and signatures.
- H.235.7: Usage of the MIKEY key management protocol for SRTP; SRTP keying parameters are transported over secured signalling channels (IPsec, TLS, CMS).
- H.235.9: Security Gateway Support for H.323; discovery of H.323 Security Gateways (SG = H.323 NAT/FW ALG) and key management for H.225.0 signalling.
4.4 VoIP Architecture
The H.323 architecture enables end-to-end signalling such as terminal interconnection and logical channel establishment, using IP addresses and TCP/UDP ports (16384-3327). An H.323 system consists of at least one zone; a zone is a logical grouping of H.323 devices managed by a single gatekeeper. Zone boundaries can be set along administrative boundaries, network structure, geography, etc. A larger deployment has more zones and more gatekeepers, as in the working pattern of Figure 3 (2001-02). The following is an example of an H.323 zone layout.
Terminals:
The gateway is the interface between the LAN and the circuit-switched network. It translates between communication technologies and network designs, handles call setup and teardown, and compresses voice into packets, as in an IP/PSTN gateway.
Gatekeepers:
The gatekeeper is an intelligent device for H.323 architecture and administration. Each gatekeeper handles a zone (a set of endpoints, gateways and MCUs). As David shows, it has the following mandatory features:
Gatekeepers may also implement optional functions and features such as:
- Authorization
- Resource management
- Call control signalling: acting as the rendezvous point for terminal-to-terminal signalling (H.245)
- Resource reservation: for endpoints not able to run reservation protocols such as RSVP
- Call management: multimedia calls and complex services
- Gatekeeper management information: remote management via SNMP on standard MIBs
- Directory services
Every gatekeeper can be a signalling proxy and may be the interface toward extra services; it may also force the media streams to be switched through it, acting like a conventional PBX (with the computational and traffic load that implies).
An MCU (Multipoint Control Unit) is an endpoint that supports conferences between three or more endpoints. It can be a stand-alone device such as a PC or be integrated into a gateway, gatekeeper or terminal, and it consists of a Multipoint Controller (MC) and a Multipoint Processor (MP).
Figure: example H.323 zone layout (Gateway2, Gatekeeper 1, Gatekeeper2)
H.323 and SIP each have advantages and disadvantages. Unlike H.323, SIP leaves the details of feature implementation to the developer, which gives great flexibility in designing or using the protocol. SIP is also simpler than H.323 and needs fewer messages to set up a session. H.323 requires a relatively large number of message exchanges to set up and manage a session, but it is mature, reliable and carries a defined security framework (H.235). Thanks to the flexibility and scalability of SIP, it quickly gained momentum among the early adopters of today's booming IP telephony systems. H.323 has tightly defined service implementations and, through the security gateways of H.235.9, a defined way of carrying H.323 across firewalls. H.323 is also still required by some traditional carriers. At the same time, H.323 needs further flexibility and performance improvements, together with wider use of the security options defined in H.235.
Group Part
Question 1
In a network, the internal local area network is normally separated from untrusted networks such as the Internet by a demilitarized zone (DMZ), a physical or logical subnetwork. External-facing servers are placed in the DMZ; the internal LAN remains unreachable from the Internet, which is only allowed to reach the services and resources located in the DMZ. This additional layer blocks an attacker on the Internet from directly accessing the LAN. (Cobb, 2012)
The DMZ hosts the services offered to users on the Internet, typically Web, mail, DNS, FTP and VoIP servers. Because attackers can reach these services, the DMZ must be hardened to withstand constant attack. (Cobb, 2012)
A DMZ can be designed in several ways; the two common methods are a single firewall and dual firewalls, and the choice depends on the network requirements. A single-firewall design uses a firewall with at least three network interfaces: the first interface connects to the ISP (the external network), the second to the internal network and the third to the DMZ. (Cobb, 2012)
The more secure method builds the DMZ with two firewalls. The first (external) firewall is configured to allow only traffic destined for the DMZ, and the internal network accepts traffic from the DMZ only through the second (internal) firewall. Two firewalls are considered more secure because an attacker would have to compromise both devices before reaching the internal LAN. The filtering can be very specific: a network intrusion detection and prevention system placed in a DMZ that contains only a Web server can block all traffic except HTTP and HTTPS requests on ports 80 and 443. (Cobb, 2012)
As the network security specialist, we recommend the Cisco ASA 5500-X with FirePOWER Services for this design. According to Cisco, this NGFW earned the highest security effectiveness scores in third-party testing for both NGIPS and AMP, blocking 99.4% and 99.2% of threats respectively. It gives visibility into and control over activity across the network (users, applications, devices, threats, files and vulnerabilities), extends protection from the data centre to mobile devices, and consolidates multiple security services on a single platform, which reduces capital and operating costs as well as administrative complexity. Security tasks can be automated to increase agility and speed up remediation. (Cisco, 2017)
Question 2
The File Transfer Protocol (FTP) transfers files from one computer to another over a network or the Internet. The company therefore requires FTP with a username and password for each session, so that clients can put and get files on the same server. Transferring a file from the server to the client is called "downloading" and transferring from the client to the server is called "uploading", as shown in figure 2 below (DeskShare, 2009).
Figure 2: FTP Protocol
There are certain requirements for using FTP (DeskShare, 2009):
1. An FTP client such as Auto FTP Manager must be installed on the client computer.
2. The address of the FTP server the client wants to connect to. It may look like a web site address, such as ftp.abc.net, or be a numeric address such as 68.175.255.84.
3. A username and password; some FTP servers let clients connect anonymously without them.
FTP uses a well-known port on which the server listens for connections and over which the client sends its commands. A port is a logical connection point for communication over the Internet Protocol (IP). FTP servers use port 21 only for commands; it is referred to as the command (control) port. The actual data, for instance the list of files and folders on the server or the contents of a file, is carried over a second connection, the data port (DeskShare, 2009).
An FTP server can support passive or active connections, or both. In active mode the client opens a port and listens, and the server actively connects to it; in passive mode the server opens the data port and the client connects to it. The client (Auto FTP Manager in DeskShare's example) must be set to the connection mode that its own Internet access permits.
1. Passive Mode
Passive mode is usually the better choice because most FTP servers support it and the client only ever makes outbound connections. On the server side, the administrator must configure the firewall to accept inbound connections to the range of ports the FTP server is allowed to open for passive data connections, as shown in figure 5 below. Once the client has opened both connections, one for commands and one for data, communication with the FTP server is established and files and folders can be transferred between the two computers with the FTP client (DeskShare, 2009).
2. Active Mode
Active mode only works when the firewall in front of the client accepts the inbound connection to the port the FTP client has opened. Many Internet service providers and client firewalls block incoming connections to all ports above 1024, which is why active mode often fails. The server normally makes the active data connection from its port 20 (DeskShare, 2009).
Figure 6: Active FTP
Question 3
Engineering and IT workstations must be able to reach the Internet (to reach APIIT Sri Lanka) over HTTP and HTTPS, with DNS for name resolution; no other protocol is allowed to the Internet. Traffic from those workstations passes through the DMZ to the firewall, which permits or denies each request based on its access control list (ACL).
ACLs come in two types, standard and extended. A standard ACL controls traffic by comparing only the source address of each IP packet with the addresses configured in the ACL. (Wilson, 2012)
The workstations in engineering and sales should likewise be able to reach the Internet over HTTP and HTTPS only. Their requests travel through the DMZ and then the firewall before reaching the Internet, and the firewall's access control list decides which requests are permitted and which are denied.
The standard ACL is the oldest form of ACL; it filters by comparing the source address of the IP packet with the addresses configured in the ACL. The command syntax for a standard ACL is: (Wilson, 2012)
An extended ACL additionally compares the destination address and the protocol and port, so traffic can be controlled by both source and destination. The command syntax for an extended ACL is written below:
The ACL used in the DMZ to control traffic needs a few permit and deny rules. Below is an example of permit and deny commands:
When the workstations send requests toward the Internet, the ACL on the firewall interface checks that the source IP addresses of the workstations have been granted Internet access; permitted requests are forwarded through the firewall to the Internet. The ACL blocks any other protocol or port that tries to reach the Internet. Each packet is compared against the ACL statements in order: the first statement that matches permits or denies the packet, a packet that does not match is handed to the next statement, and a packet that matches no statement at all is dropped by the implicit deny at the end of every ACL. (Wilson, 2012)
Question 4
In the scenario, the client workstations of sales, engineering and finance must be able to reach the e-mail (mail) server in the DMZ. Figure 4 below shows that a client workstation sends its request to the mail server to check for mail; the request passes through the firewall into the DMZ, and the mail server's reply packets travel back through the DMZ and the firewall to the workstation.
Email Servers
The e-mail server is commonly overlooked when securing the network, because e-mail is the service mobile workers most want to reach, and it is tempting simply to forward the relevant ports straight to the internal mail server on the most trusted network instead of placing the mail service on the secured side in the DMZ.
This port-forwarding practice should be avoided, given the kind of information a mail server holds. A mail front-end and proxy services should be used so that the primary mail server is not directly exposed to external networks. Incoming mail should pass through the DMZ to be scanned for threats and spam before it is handed to the internal network. Web-based mail is easily reachable, so a solid reverse-proxy configuration should be put in place to keep the web front-end away from untrusted networks and the mail services restricted to authenticated staff (McKeag, 2004).
An extended ACL configuration is required to protect the DMZ behind the gateway. Rules in the firewall must let client workstations send requests to check e-mail, and the server must be configured to accept those requests and to answer back to the workstations.
The configuration has five steps (Byrd, 2009):
1. Enter the e-mail and Web server IP addresses on the firewall interface so that requests to them can be matched.
2. On the firewall interface, enter the ACL configuration commands.
3. Add multiple entries to the ACL, because several clients will check their e-mail. Permit only the Simple Mail Transfer Protocol (SMTP) for traffic between the mail server and the client workstations (plus POP3 or IMAP where clients retrieve mail from the server, see Question 5).
4. Set the source and destination addresses and the port.
5. Set the packet filter to permit or deny on a match of protocol, source address, destination address and port.
Question 5
SMTP (Simple Mail Transfer Protocol) is the TCP/IP protocol used for sending and receiving e-mail. Because of its limited ability to queue messages at the receiving end, it is usually paired with one of two other protocols, POP3 or IMAP, which let the client keep messages in a server mailbox and download them periodically. In other words, users typically run a program that uses SMTP to send e-mail and POP3 or IMAP to receive it. On Unix-based systems, sendmail is the most commonly used SMTP server; commercial packages bundle sendmail with a POP3 server. Microsoft Exchange integrates an SMTP server and can also be configured to provide POP3 support.
Configuration:
The configuration is applied on the e-mail server and in the mail client on each user workstation in company A and company B.
Step (2): mail sent from the finance department was received successfully by the engineering department.
Solution:
Use the Simple Mail Transfer Protocol (SMTP) on the company's e-mail server to send and receive messages between users of the same or different companies. To deliver mail from the finance department, on the external side, to the engineering department on the internal network, the firewall must allow traffic to the SMTP port of the e-mail server. Mail from the finance department then reaches the engineering department. Opening SMTP to the outside must not turn the server into an open relay: it should accept mail from external hosts only for its own domains, and relay to other domains only for internal or authenticated clients.
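The relay control mentioned above is the check that makes "opening the SMTP server" safe. The following added example, written for this edit and not part of the assignment's configuration, models the server side of the SMTP dialogue used in Questions 4 and 5: an external finance host may deliver to the company's own domains, but only hosts on the internal network may relay to other domains. The domain names, the internal subnet and the transcript lines are constructed for illustration.

```python
"""Minimal SMTP receiving state machine with relay control."""
from __future__ import annotations
import ipaddress
import re

LOCAL_DOMAINS = {"company-a.example", "company-b.example"}      # assumed
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]           # assumed LAN (engineering etc.)

_ADDR = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")


class SmtpSession:
    """One client connection: tracks EHLO/MAIL/RCPT/DATA state and enforces relaying."""

    def __init__(self, peer_ip: str):
        self.peer = ipaddress.ip_address(peer_ip)
        self.helo = None
        self.sender = None
        self.rcpts: list[str] = []
        self.in_data = False
        self.delivered: list[tuple[str, list[str], str]] = []   # (sender, rcpts, body)
        self._body: list[str] = []

    def _internal(self) -> bool:
        return any(self.peer in n for n in INTERNAL_NETS)

    def handle(self, line: str) -> str:
        """Process one client line and return the server's reply ('' while reading DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, list(self.rcpts), "\n".join(self._body)))
                self.sender, self.rcpts, self._body = None, [], []
                return "250 OK: queued"
            self._body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            return "221 Bye"
        if verb in ("EHLO", "HELO"):
            self.helo = arg
            return f"250 mx.company-a.example Hello {arg}"
        if self.helo is None:
            return "503 Error: send EHLO first"
        if verb == "MAIL":
            m = _ADDR.search(arg)
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender, self.rcpts = f"{m[1]}@{m[2]}", []
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Error: need MAIL command"
            m = _ADDR.search(arg)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            domain = m[2].lower()
            # Relay control: outsiders may only deliver to our own domains.
            if domain not in LOCAL_DOMAINS and not self._internal():
                return "554 5.7.1 Relay access denied"
            self.rcpts.append(f"{m[1]}@{domain}")
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "502 Command not implemented"


def run_dialogue(peer_ip: str, client_lines: list[str]) -> list[str]:
    """Feed a scripted client transcript through one session; return the replies."""
    session = SmtpSession(peer_ip)
    return [session.handle(line) for line in client_lines]


# Constructed transcript: finance (external) mails engineering, then tries to relay.
FINANCE_TO_ENGINEERING = [
    "EHLO mail.finance-partner.example",
    "MAIL FROM:<cfo@finance-partner.example>",
    "RCPT TO:<eng@company-a.example>",
    "RCPT TO:<someone@other-domain.example>",
    "DATA",
    "Subject: Q3 budget",
    "",
    "Approved.",
    ".",
]
```

Feeding the transcript from the external address returns `250 OK` for the engineering recipient and `554 5.7.1 Relay access denied` for the outside recipient, while the same RCPT from a 10.10.0.0/16 workstation is accepted; this is the behaviour to verify after the firewall rule for port 25 is in place.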
Question 6
The sales, engineering and finance departments must not be able to reach each other's client PCs while sending PDUs from one client PC to the APIIT Sri Lanka IT department PC. An access list can deny every client PC except those of the APIIT IT department. The router is configured so that such traffic is not forwarded through the other router, which means the APIIT IT department PC does not receive packets from the other departments' PCs. The access list is entered at the router's command prompt to stop other PCs from reaching the PC directly without permission.
A standard access list (ACL) permits or denies traffic from one department's network to another on the router. It is based on the source IP address, and Cisco Packet Tracer can be used to check the network traffic it filters. A standard access list is numbered from 1 to 99; it is typed at the router's command prompt and the result can then be observed.
The ACL should be placed so that it denies access to the APIIT Sri Lanka IT department's PC. The three departments can only send packets through the APIIT router, which checks each packet against the list and decides whether it is permitted. If the router has been configured with an access list that denies all other sources, it stops them from reaching the APIIT Sri Lanka IT department.
The router identifies hosts by IP address, so a host behind another router with a different address could still reach the IT department unless the deny statement covers it as well. The router that holds the access list must therefore know the other router's address range in order to deny it. During testing, the router checks each packet against the list: a matching permit lets the packet proceed and a deny rejects it, which shows in Packet Tracer as a failed delivery.
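Questions 3, 4 and 6 all rely on the same two mechanisms, the Cisco `access-list` syntax (whose listings are missing from the text above) and the matching rules a router applies: wildcard masks, first match wins, and an implicit deny for anything unmatched. The following added example, written for this edit rather than taken from the assignment or from Cisco, parses `access-list` lines in that syntax for both standard (1-99) and extended (100-199) lists and evaluates constructed packets against them. The subnets, the DNS resolver and the mail server address are assumptions.

```python
"""Cisco-style ACL evaluation (standard and extended) with wildcard masks."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Ace:
    number: int
    action: str              # permit | deny
    proto: str               # ip | tcp | udp | icmp  (standard ACLs match all IP)
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: int | None        # None = any destination port


def _parse_addr(tokens: list[str], i: int) -> tuple[int, int, int]:
    """Return (address, wildcard, next_index) for 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens[i]
    if t == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(t), _ip(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(line)
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:                       # standard ACL: source address only
        src, sw, _ = _parse_addr(tok, 3)
        return Ace(number, action, "ip", src, sw, 0, 0xFFFFFFFF, None)
    if 100 <= number <= 199:                    # extended ACL: proto, src, dst [, eq port]
        proto = tok[3]
        src, sw, i = _parse_addr(tok, 4)
        dst, dw, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        return Ace(number, action, proto, src, sw, dst, dw, dport)
    raise ValueError(f"unsupported ACL number {number}")


def _wild_match(addr: int, wild: int, ace_addr: int) -> bool:
    """Wildcard semantics: a 1 bit in the mask means 'don't care'."""
    return (addr & ~wild & 0xFFFFFFFF) == (ace_addr & ~wild & 0xFFFFFFFF)


def evaluate(acl: list[Ace], proto: str, src: str, dst: str, dport: int | None = None) -> str:
    """Return 'permit' or 'deny' for one packet; unmatched packets hit the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _wild_match(_ip(src), ace.src_wild, ace.src):
            continue
        if not _wild_match(_ip(dst), ace.dst_wild, ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action                        # first match wins
    return "deny"                                # implicit deny at the end of every ACL


def load(text: str) -> list[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines()]


# Question 3 (assumed engineering subnet 10.10.20.0/24, assumed resolver 10.10.1.53):
# HTTP, HTTPS and DNS to the Internet, nothing else.
INTERNET_ACL = load("""
access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 80
access-list 110 permit tcp 10.10.20.0 0.0.0.255 any eq 443
access-list 110 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.53 eq 53
access-list 110 deny ip any any
""")

# Question 4 (assumed DMZ mail server 10.10.1.25): workstations may use SMTP and IMAP only.
MAIL_ACL = load("""
access-list 120 permit tcp 10.10.0.0 0.0.255.255 host 10.10.1.25 eq 25
access-list 120 permit tcp 10.10.0.0 0.0.255.255 host 10.10.1.25 eq 143
access-list 120 deny ip any any
""")

# Question 6 (assumed APIIT IT subnet 10.20.30.0/24): standard ACL, source address only.
IT_ACL = load("access-list 10 permit 10.20.30.0 0.0.0.255")
```

The explicit `deny ip any any` at the end of the extended lists is redundant with the implicit deny but is the usual practice because it gives a counter to watch in `show access-lists`; the standard list for Question 6 deliberately relies on the implicit deny, which is why a packet from the engineering subnet returns `deny` without any deny statement being written.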
Question 7
The APU main campus in Kuala Lumpur and APIIT in Sri Lanka require layer 2 security to have a secure LAN. To make the network safe to use, the following security solutions need to be applied (Telelink, 2013):
1. MAC Security (MACsec)
MACsec (IEEE 802.1AE) is a protocol that provides encryption and integrity protection of traffic between devices on a layer 2 segment, for instance between an end host and its switch or between two switches. Its functions and protocol are defined in the IEEE 802.1AE standard.
2. Network Authentication
IEEE 802.1X defines a standard for port-based network access control: until the user or device on a port has been authenticated, only EAPOL traffic is allowed on that port.
3. Advanced L2 Security
Layer 2 must be protected because attackers can abuse layer 2 functions to undermine the upper-layer protocols, so weaknesses at this layer must be addressed properly. This set of features includes Dynamic ARP Inspection and DHCP snooping.
4. Port-Level Security
This is a set of layer 2 switch-port security features, such as storm control and limiting the number of MAC addresses that may be learned on a switch port.
5. Device Security
Network devices, both hardware and software, such as firewalls, routers, hubs and switches, let endpoint hosts such as workstations and servers communicate. Device security makes sure that the devices themselves support safe and proper communication: unused services are disabled, management access is configured securely, and the management and control planes of each device are protected. Device security also covers keeping the devices physically safe from unauthorized access (Telelink, 2013).
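Items 3 and 4 above are easiest to understand as one cooperating mechanism: DHCP snooping builds a table of which IP belongs to which MAC on which port, Dynamic ARP Inspection uses that table to drop forged ARP replies, and port security caps how many MACs a port may present. The following added example (written for this edit; not the assignment's own work or any vendor's code) models a small switch with these three features and walks a rogue DHCP server, a gateway-spoofing ARP reply and a MAC-flooding port through it. Port names, MAC and IP addresses are constructed.

```python
"""Layer-2 protections modelled in code: port security, DHCP snooping, Dynamic ARP Inspection."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    trusted: bool = False          # only the uplink toward the DHCP server is trusted
    max_macs: int = 1              # port-security maximum
    learned: set[str] = field(default_factory=set)
    shutdown: bool = False         # err-disabled after a port-security violation


class Switch:
    def __init__(self, ports: list[Port]):
        self.ports = {p.name: p for p in ports}
        self.bindings: dict[str, str] = {}        # ip -> mac, built by DHCP snooping
        self.log: list[str] = []

    def _port_security(self, port: Port, mac: str) -> bool:
        """Allow the frame unless the port is err-disabled or the MAC limit is exceeded."""
        if port.shutdown:
            return False
        if mac not in port.learned and len(port.learned) >= port.max_macs:
            port.shutdown = True                   # violation mode 'shutdown'
            self.log.append(f"{port.name}: port-security violation by {mac}, err-disabled")
            return False
        port.learned.add(mac)
        return True

    def dhcp_ack(self, port_name: str, client_mac: str, client_ip: str) -> bool:
        """DHCP snooping: server messages are believed only on trusted ports."""
        port = self.ports[port_name]
        if not port.trusted:
            self.log.append(f"{port.name}: DHCP ACK on untrusted port dropped (rogue server)")
            return False
        self.bindings[client_ip] = client_mac.lower()
        return True

    def arp_reply(self, port_name: str, src_mac: str, sender_ip: str, sender_mac: str) -> bool:
        """Dynamic ARP Inspection: on untrusted ports the sender IP/MAC must match a binding."""
        port = self.ports[port_name]
        if not self._port_security(port, src_mac.lower()):
            return False
        if port.trusted:
            return True
        if self.bindings.get(sender_ip) != sender_mac.lower():
            self.log.append(f"{port.name}: ARP reply {sender_ip} is-at {sender_mac} "
                            "contradicts snooping binding, dropped")
            return False
        return True


def build_demo_switch() -> Switch:
    """Constructed topology: Gi0/1 is the trusted uplink, Gi0/2 and Gi0/3 are access ports."""
    return Switch([Port("Gi0/1", trusted=True, max_macs=64), Port("Gi0/2"), Port("Gi0/3")])
```

The same three checks correspond to `ip dhcp snooping`, `ip arp inspection` and `switchport port-security maximum` on a Cisco access switch; the model makes explicit why the uplink must be marked trusted (otherwise the real DHCP server's answers would be discarded too) and why DAI is useless without the snooping table it consults.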
Question 8
A bastion host is an instance located in a public subnet that is typically reached over SSH or RDP. Once a remote connection to it is established, it acts as a jump server: from it the administrator logs in with SSH or RDP to instances in the private subnets deeper inside the network, which are not themselves reachable from the Internet. When security groups and network ACLs are configured properly, the bastion host works as a bridge to the private instances over the Internet, and that is what bastion hosts are normally used for: remote connectivity to private instances over the public Internet. (Stuart, 2015)
Bastion hosts should preferably sit on a network of their own, and it is recommended that this network carries no confidential traffic. Most Ethernet interfaces can be put into "promiscuous mode", in which the interface captures every packet on the network segment rather than only the packets addressed to its own machine. Other network interface types, such as FDDI, may also capture some packets not specifically addressed to them, depending on the network architecture. (Docstore.mik.ua, 2002)
This capability is useful for network analysis, testing and debugging, but the worst case is a compromised bastion host: you do not want an intruder who controls it to be able to snoop on internal traffic. One way to approach the problem is to keep bastion hosts off the internal network and put them on a perimeter network instead. A perimeter network behind a packet-filtering router gives a further advantage: if a bastion host is compromised, the number of hosts and services the compromised host can reach is reduced. If bastion hosts cannot be placed on a perimeter network, put them on a network that is not susceptible to snooping. (Docstore.mik.ua, 2002)
Beware of the ability of hosts to snoop on the network, and protect the networking devices to the same level as the computers. Many network devices support remote administration; for example, the Telnet server provided by a switch is often reachable on a wide range of interfaces.
Steps in building a bastion host (Witter, 2017)
This part of the question asks for the connection between the Kuala Lumpur office and the Sri Lanka office. Implementing this connection requires a router in each geographic area that can connect to the other network, as well as additional features, namely a Virtual Private Network (VPN) and Secure Sockets Layer (SSL).
VPN technology is based on the concept of a tunnel. It involves establishing and maintaining logical network connections: the packet is encapsulated in another protocol, transmitted between client and server, and decapsulated at the receiving end.
Several different protocols have been implemented for VPN tunnels, each suited to different industries; in general they are not compatible with each other, and the choice depends on the required security level. The list below gives a brief introduction to three common protocols used in VPN tunnelling.
This protocol is commonly known as the one associated with Microsoft products. Although many experts consider it weak in terms of security, it is still used by many vendors as a compatibility protocol.
Data transmitted over the Internet is not secure by default. An unauthorized user may gain access to the connection between sender and receiver to steal or alter the data. Techniques exist to protect the data so that an attacker cannot read specific data. Security threats of this kind include eavesdropping, spyware and malicious attacks. [Sni17]
The goal of implementing an Intrusion Detection System (IDS) is to track system activity and monitor for suspicious activity. When suspicious behaviour is seen, the IDS alerts the system administrator; an IDS on its own does not stop the user from entering the system. An Intrusion Prevention System (IPS) extends the IDS by adding the ability to block threats after detecting them.
The diagram below explains the implementation of an IDS in the company system. There are two IDS sensors, one inside the network and one outside; the IDS devices keep in constant contact with the monitoring servers and inform them of any change in the network infrastructure.
The diagram below explains the difference between IDS and IPS:
There are many ways to implement intrusion detection that can secure the company's environment against breaches between the Kuala Lumpur office and the Sri Lanka office; this is one of them. The IPsec configuration is shown below:
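The IDS/IPS distinction above is easiest to see in code. The following added example (written for this edit; it is not code from the assignment or from any IDS product) runs a simple behavioural detector over constructed firewall-style connection records: a source that touches several distinct ports on one host within a short window is flagged as a port scan. In detection mode that only produces an alert; in prevention mode the source is added to a block list that every later record is checked against, which is the "block threats after detecting them" behaviour of an IPS. The log format, addresses, threshold and window are assumptions.

```python
"""Port-scan detector with an optional IPS-style block list, run over log lines."""
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5      # distinct destination ports from one source to one host ...
WINDOW = 10.0      # ... within this many seconds


def parse_line(line: str) -> tuple[float, str, str, str, int]:
    """Assumed record format: '<iso-time> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts).timestamp(), src, dst, proto, int(dport)


class ScanDetector:
    def __init__(self, prevent: bool = False):
        self.prevent = prevent                    # False = IDS (alert), True = IPS (alert + block)
        self.blocked: set[str] = set()
        self.alerts: list[str] = []
        self._seen: dict[tuple[str, str], deque] = defaultdict(deque)  # (src, dst) -> [(t, port)]

    def process(self, line: str) -> str:
        """Return 'blocked', 'alert' or 'pass' for one record."""
        t, src, dst, proto, dport = parse_line(line)
        if src in self.blocked:
            return "blocked"
        q = self._seen[(src, dst)]
        q.append((t, dport))
        while q and t - q[0][0] > WINDOW:         # slide the time window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= THRESHOLD:
            self.alerts.append(f"port scan: {src} -> {dst} ports {sorted(ports)}")
            if self.prevent:
                self.blocked.add(src)
            q.clear()                             # do not re-alert on the same evidence
            return "alert"
        return "pass"


def run(lines: list[str], prevent: bool = False) -> list[str]:
    """Run every record through one detector and return the per-record verdicts."""
    det = ScanDetector(prevent)
    return [det.process(line) for line in lines]


# Constructed records: an outside host sweeps the DMZ server while an internal client works.
SAMPLE_LOG = """\
2017-10-02T10:00:01 198.51.100.23 10.10.1.5 TCP 21
2017-10-02T10:00:02 198.51.100.23 10.10.1.5 TCP 22
2017-10-02T10:00:02 10.10.20.15 10.10.1.5 TCP 443
2017-10-02T10:00:03 198.51.100.23 10.10.1.5 TCP 23
2017-10-02T10:00:04 198.51.100.23 10.10.1.5 TCP 25
2017-10-02T10:00:05 198.51.100.23 10.10.1.5 TCP 80
2017-10-02T10:00:06 198.51.100.23 10.10.1.5 TCP 443
2017-10-02T10:00:07 10.10.20.15 10.10.1.5 TCP 443
""".splitlines()
```

In detection mode the scanner's sixth record raises an alert and its seventh is simply passed again; in prevention mode the seventh is refused because the source is now on the block list, while the internal client's records are unaffected either way. The `q.clear()` after an alert and the sliding window are what keep a noisy but legitimate client from being flagged repeatedly.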
Question 12
Question 13
Solution [Sys16]
The aim is to configure SSL encryption between the two routers in Sri Lanka and Kuala Lumpur.
A Certificate Authority (CA) manages the certificate requests of the IPsec network devices and issues their certificates, providing centralized key management for them. Messages sent over the point-to-point connection between the routers must be encrypted. Both RSA and DSA are public-key algorithms, each with a public key and a private key; the router procedure below generates an RSA key pair, which can be used both to sign and to protect session keys, whereas DSA keys can only sign.
Implementing Secure Socket Layer on the router requires an application that uses it, such as the HTTP server or the XML management agent, in order to configure the SSL encryption.
Steps
First: crypto key generate rsa general-keys (generate the RSA key pair)
Second: configure
Fifth: enrollment url CA-URL (the HTTP URL of the certificate authority)
Sixth: commit
Conclusion:
The SSL configuration is complete and the data will be protected by encryption.
Figure: Example of the configuration process
[Cli16]
Conclusion
The goal of this assignment was to secure the DMZ and the internal network against external threats. Many features have been implemented to achieve this goal: password encryption on each network layer, VLANs and switch-port security on the layer 2 switches, an Internet connection over an IPsec/ISAKMP VPN, access lists, and a bastion host acting as an application proxy. Overall, the security of the network connectivity between company A and company B is improved by these implementations. Further improvements that we recommend are a VPN tunnel, layer 2 protections such as BPDU Guard, and a separate server supporting protocols such as TFTP and AAA authentication to improve the security of network administration.
Reference
Banffcyber.com. (2017). Best Practices to address the issue of Web Defacement | BanffCyber.
[online] Available at: https://www.banffcyber.com/best-practices-to-address-the-issue-of-
web-defacement/ [Accessed 25 Sep. 2017].
Byrd, J., 2009. Five Critical Steps for Configuring an SMTP Mail Server. [Online] Available
at: http://www.logicalhalf.com/2010/03/five-critical-steps-for-configuring.html [Accessed 1
October 2012].
Cisco (2017). Cisco ASA 5500-X Series with FirePOWER Services. [Online]. 2017. Cisco.
Available from: https://www.cisco.com/c/en/us/products/security/asa-firepower-
services/index.html#~stickynav=1. [Accessed: 2 October 2017].
Kumar, C. (2017). 7 Website Defacement Monitoring Tools for Better Security. [online] Geek Flare. Available at: https://geekflare.com/website-defacement-monitoring/ [Accessed 25 Sep. 2017].
Learn Ethical Hacking and Penetration Testing Online. (2016). 6 Ways to Hack or deface
Websites Online. [online] Available at: https://www.hackingloops.com/6-ways-to-hack-or-
deface-websites-online/ [Accessed 25 Sep. 2017].
Stuart, S. (2015). AWS Security: Bastion Host, NAT instances and VPC Peering. [online]
Cloud Academy Blog. Available at: https://cloudacademy.com/blog/aws-bastion-host-nat-
instances-vpc-peering-security/ [Accessed 30 Sep. 2017].
Wilson, T., 2012. Securing Networks Access List Implementation on Cisco Routers. [Online]
Available at: http://www.trainsignal.com/blog/access-control-list-implementation-on-cisco-
routers [Accessed 20 September 2012].
Rouse, M. (2008, October ). S/MIME (Secure Multi-Purpose Internet Mail Extensions. Retrieved from
TechTarget: http://whatis.techtarget.com/definition/S-MIME-Secure-Multi-Purpose-Internet-
Mail-Extensions
Rouse, M. (2014, November). Pretty Good Privacy (PGP). Retrieved from TechTarget:
http://searchsecurity.techtarget.com/definition/Pretty-Good-Privacy
Sniffing (network wiretap, sniffer) FAQ . (2017, September 30). Retrieved from baylor:
http://cs.baylor.edu/~donahoo/tools/sniffer/sniffingFAQ.htm
SSH Secure Shell/SFTP. (2017, September 30). Retrieved from VCU Technology Services:
https://ts.vcu.edu/software-center/general-purpose/ssh-secure-shellsftp/
System Security Configurations Guide for the Cisco CRS Router Implement Secure Socket Layer . (2016,
September 7). Retrieved from Cisco:
https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-
2/security/configuration/guide/b_syssec_cg42crs/b_syssec_cg42crs_chapter_01010.html#re
f_1027265_sysseccg_12
"Voip Protocols: Introducing H.323." Toncar.cz. N.p., 2013. Web. 2 Oct. 2017.
"What Is H.323? - Definition From Whatis.Com." SearchNetworking. N.p., 2015. Web. 15
sep. 2017.N.p., 2011. Print.
"Voip Protocols: Introducing H.323." Toncar.cz. N.p., 2013. Web. 25 sep. 2017.
"Voip Protocols: Introducing H.323." Toncar.cz. N.p., 2013. Web. 2 sep. 2017.
admin. (16 Aug, 2011). ERIC LEAHY (The World of Networking). Retrieved from Implement IPv4
tunneling and Generic Routing Encapsulation (GRE):
http://ericleahy.com/index.php/implement-ipv4-tunneling-and-generic-routing-
encapsulation-gre/
Allied Telesis (22 Sep, 2017). Chapter 19 Generic Routing Encapsulation. Retrieved from: https://www.allied-telesis.co.jp/support/list/router/ar300/m027400b_pl3_990902/GRE.pdf
Arush. (28 October, 2016). HOW TO CONFIGURE GRE TUNNEL IN CISCO ROUTER. Retrieved from
ipwithease: http://www.ipwithease.com/how-to-configure-gre-tunnel-in-cisco-router/
Beal, V. (31 January, 2017). The 7 Layers of the OSI Model. Retrieved from Webopedia:
http://www.webopedia.com/quick_ref/OSI_Layers.asp
Cisco IOS GRE Decapsulation Vulnerability. (03 October , 2017). Retrieved from CISCO:
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060906-
gre
Configuring a Tunnel with Generic Routing Encapsulation. (03 October, 2017). Retrieved from
Advanced Management Config Guide: ftp://ftp.hp.com/pub/networking/software/SR7000dl-
Adv-C11-GRE_Tunnel-Nov2006.pdf
Configuring IP Tunnels. (03 October, 2017). Retrieved from Cisco:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_2/nx-
os/interfaces/configuration/guide/if_nxos/if_tunnel.pdf
Encrypted GRE Tunnel with IPSEC. (02 October, 2017). Retrieved from NetworkLessons:
https://networklessons.com/cisco/ccnp-route/encrypted-gre-tunnel-with-ipsec/
GRE (Generic Routing Encapsulation) : Point-to-point & multipoint GRE. (29 June, 2008). Retrieved
from cciethebeginning: https://cciethebeginning.wordpress.com/2008/06/29/gre-generic-
routing-encapsulation-point-to-point-multipoint-gre/
GRE Feature Overview and Configuration Guide. (22 Sep, 2017). Retrieved from Alied Telesis:
https://www.alliedtelesis.com/sites/default/files/gre_feature_config_guide.pdf
JUNIPER NETWORKS. (10 Dec, 2012). Retrieved from Understanding Generic Routing Encapsulation:
http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/gre-tunnel-
services.html
Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels. (03 October, 2017). Retrieved from CCNP :
http://apprize.info/network/ccnp_2/13.html
X4B. (22 Sep, 2017). Retrieved from What is Generic Routing Encapsulation (GRE) and how does it
differ from IP-in-IP?: https://www.x4b.net/kb/GREvsIPIP
How to Configure VoIP Packet Tracer. 2013. [Film] Directed by Lester Rebelo. s.l.: s.n.
Khan, I. U., 2016. Improve SSL/TLS Performance with These 4 Simple Tips. [Online]
Available at: https://www.cloudways.com/blog/improve-ssl-tls-performance/
[Accessed 24 September 2017].