Tutorial #8 - Firewall Basics

The following questions relate to both lectures 7 and 8. This is the only tutorial for this week.

  1. When establishing a secure communications channel, why is it important to authenticate the peer that we are connecting to?
  2. Detail some of the possible attacks that can be performed if legitimate messages can be captured and reinjected into the network at a later point in time, without being detected.
  3. What functionality is provided by the TLS Record Protocol? Furthermore, why might a 'NULL' encryption algorithm and 'NULL' MAC algorithm be used?
  4. In typical use the Transport Layer Protocol uses an X.509 certificate to authenticate the server to the client. How can the client be sure that the certificate received actually belongs to the server and has not been provided by some attacker?
  5. Both SSH and TLS make use of symmetric encryption during communication. What challenge does this pose when designing a secure protocol?
  6. The SSH Transport Layer protocol exchanges a shared secret (K) using the Diffie-Hellman key exchange algorithm. Shouldn't this eliminate the need for the host to have a public and private key pair?
  7. Thinking question: SSH can provide optional compression as part of the Transport Layer protocol. If compression is used, should you encrypt then compress or compress then encrypt?
  8. When using SSH to connect to a remote system, a system administrator receives the following message:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    29:5c:97:83:29:a8:1b:83:9e:4a:cc:a6:2a:f7:ba:f8.
    Please contact your system administrator.
    

    What might have occurred here and what action should be taken?
  9. In the lecture it was briefly mentioned that secure protocols will often need to "re-key" at regular intervals. Why would this be necessary and how often should we do it?
  10. Assume that you are developing an application that needs to send a username and password over TCP in order to authenticate the client. You're also developing the server, so you choose to simply encrypt the password using Blowfish and a pre-shared secret. What problems might this pose? What might be a better approach to security?
  11. Both TLS and SSH provide support for protocol version identification and algorithm negotiation (for both encryption and MAC). Why is this considered to be a very good idea?
  12. Explain briefly how SSH public key user authentication works. What are some of the advantages of this approach?
  13. Highly recommended reading: it would be well worth your time to read Bruce Schneier's brilliant essay entitled "Security Pitfalls in Cryptography". This essay is linked from the resources page.
  14. Explain the differences between a router and a firewall. Why is a firewall an important part of network security infrastructure?
  15. At a certain tertiary college, the border router blocks all outgoing TCP connections except to ports 25, 80 and 443. What security purpose do you think this is intended to serve?
  16. When a (non-filtering) router drops a packet it normally sends an ICMP message of type "Host unreachable" or "Network Unreachable" to the source address in the packet. In the case of a filtering (firewall) router, these ICMP types do not reflect the true story: the host/network is reachable, but only under certain conditions. The IETF has subsequently introduced new ICMP "administratively prohibited" error types to better reflect the true situation. However, these are widely considered to effectively identify the fact that a firewall is in place, and as a result, are not widely used. Discuss the issues involved in sending any type of ICMP response in the situation of a dropped packet.
  17. It's usually desirable to check the source IP addresses of both inbound and outbound packets at an Internet gateway router. Why? Hint: think about forged source addresses.
  18. What is Stateful Packet Inspection (SPI)? What benefits does SPI provide over using basic permit/deny rules? Would it be possible to imitate SPI using standard ACLs?
  19. Why should you log details regarding packets that have been dropped by a firewall? How often should these logs be reviewed?
  20. In the lecture we stated that firewall rulesets should be implemented using a "deny by default" policy. What does this mean and why would it be better than the alternative?
  21. Cisco ACL time! Consider the "forged source addresses" question, above. Now, imagine you had to configure a border router between the Bendigo class-B network (149.144.0.0) and the "outside" Internet. This can be done with two Basic ACLs. Give the configuration commands needed.
  22. Once upon a time, La Trobe University, Bendigo used to provide an undergrad dial-in facility. However it did not allow any Internet access outside the university. Dial-in hosts have IP addresses on subnet 8, that is (using CIDR notation) 149.144.8.0/24. Give a Cisco Basic ACL configuration command which would implement this policy.
  23. The La Trobe University border router does not allow outbound port 80 (HTTP) TCP connections except those emanating from the proxy servers. All inbound connections are permitted. Give Cisco Extended ACL configuration commands which would give effect to this policy on the border router.
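The host-key warning in question 8 is only actionable if the administrator can compare the fingerprint shown against one recorded out of band (for example, by running `ssh-keygen -l` on the server console). The following Python is an added example, not part of the tutorial: it builds a constructed (non-functional) RSA host-key blob in SSH wire format, computes the legacy MD5 fingerprint in the same colon-separated form OpenSSH prints, and compares it against the fingerprint presented in the warning. The host name and key contents are invented for the example.

```python
import base64
import hashlib
import hmac
import struct

# --- SSH wire-format helpers (RFC 4251 string / mpint encodings) ---

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (leading 0x00 if the top bit is set)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return ssh_string(raw)

# Constructed sample host key: correct wire layout ("ssh-rsa", e, n) but a toy
# modulus, so it exercises the fingerprint code without being a usable RSA key.
SAMPLE_KEY_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567890ABCDEF)
SAMPLE_KNOWN_HOSTS_LINE = "bendigo-host.example ssh-rsa " + base64.b64encode(SAMPLE_KEY_BLOB).decode()

# Fingerprint quoted in the warning message of question 8.
WARNING_FINGERPRINT = "29:5c:97:83:29:a8:1b:83:9e:4a:cc:a6:2a:f7:ba:f8"

def md5_fingerprint(key_blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the raw key blob, as colon-separated hex pairs."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(key_blob: bytes) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' followed by unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")

def parse_known_hosts_line(line: str) -> bytes:
    """Return the decoded key blob from a plain (unhashed) known_hosts line."""
    _hostname, _keytype, b64 = line.split()[:3]
    return base64.b64decode(b64)

def looks_like_md5_fingerprint(fp: str) -> bool:
    """16 hex byte pairs separated by colons, i.e. 47 characters with 15 colons."""
    parts = fp.split(":")
    return len(parts) == 16 and all(len(p) == 2 and all(c in "0123456789abcdef" for c in p) for p in parts)

def check_host_key(known_hosts_line: str, presented_fingerprint: str) -> bool:
    """True only if the fingerprint presented by the remote host matches the recorded key."""
    recorded = md5_fingerprint(parse_known_hosts_line(known_hosts_line))
    # Constant-time comparison; case-normalised because tools differ in hex case.
    return hmac.compare_digest(recorded.lower(), presented_fingerprint.lower())

if __name__ == "__main__":
    print("recorded :", md5_fingerprint(SAMPLE_KEY_BLOB))
    print("presented:", WARNING_FINGERPRINT)
    print("match?   :", check_host_key(SAMPLE_KNOWN_HOSTS_LINE, WARNING_FINGERPRINT))
```

A mismatch here means the key the remote end is offering is not the one on record; the right response is to confirm the server's current fingerprint through a channel that does not pass through the network in question before updating `known_hosts`, rather than deleting the old entry and reconnecting.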
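Questions 17 to 23 describe the pieces of a border filter: anti-spoofing checks on source addresses, stateful inspection, logging of dropped packets, a deny-by-default policy, and the port-based policies for the 149.144.0.0/16 and 149.144.8.0/24 networks. The following Python is an added example, not part of the tutorial and not Cisco ACL syntax: a small packet-filter model that applies those ideas to constructed packets so the effect of rule order, the implicit deny, and the state table can be seen directly. The proxy address (149.144.1.10), the mail server address (149.144.1.25), the inbound mail rule, and the outside hosts are hypothetical additions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

IPNet = ipaddress.IPv4Network
INSIDE = ipaddress.ip_network("149.144.0.0/16")     # campus network (question 21)
DIAL_IN = ipaddress.ip_network("149.144.8.0/24")    # dial-in subnet (question 22)
PROXY = ipaddress.ip_network("149.144.1.10/32")     # hypothetical proxy server (question 23)
MAIL = ipaddress.ip_network("149.144.1.25/32")      # hypothetical inbound mail server

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the campus
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    direction: str
    proto: Optional[str] = None          # None = any protocol
    src: Optional[IPNet] = None          # None = any source
    dst: Optional[IPNet] = None          # None = any destination
    dports: Optional[FrozenSet[int]] = None

    def matches(self, p: Packet) -> bool:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (self.dports is None or p.dport in self.dports))

class BorderFirewall:
    """Deny-by-default filter with anti-spoofing checks, a flow table and a drop log."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = set()      # permitted (proto, src, sport, dst, dport) tuples
        self.drop_log = []      # (packet, reason) for every dropped packet (question 19)

    def _drop(self, p: Packet, reason: str) -> str:
        self.drop_log.append((p, reason))
        return "deny"

    def filter(self, p: Packet) -> str:
        src = ipaddress.ip_address(p.src)
        # Anti-spoofing (questions 17 and 21): a campus address never arrives from
        # outside, and nothing but a campus address is allowed to leave.
        if p.direction == "in" and src in INSIDE:
            return self._drop(p, "inbound packet claims a campus source address")
        if p.direction == "out" and src not in INSIDE:
            return self._drop(p, "outbound packet with a non-campus source address")
        # Stateful inspection (question 18): the reverse of a permitted flow is admitted.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"
        # First matching rule wins, as with an ACL evaluated top to bottom.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "permit":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                    return "permit"
                return self._drop(p, f"denied by rule '{rule.name}'")
        # Implicit deny at the end of the ruleset (question 20).
        return self._drop(p, "no matching rule (deny by default)")

# Policy assembled from questions 15, 22 and 23; rule order matters.
POLICY = [
    Rule("dial-in-no-internet", "deny", "out", src=DIAL_IN),
    Rule("http-from-proxy-only", "permit", "out", "tcp", src=PROXY, dports=frozenset({80})),
    Rule("block-other-http", "deny", "out", "tcp", dports=frozenset({80})),
    Rule("allow-smtp-https", "permit", "out", "tcp", dports=frozenset({25, 443})),
    Rule("inbound-mail", "permit", "in", "tcp", dst=MAIL, dports=frozenset({25})),
]

def demo():
    """Run constructed packets through the policy; returns (verdicts, drop log)."""
    fw = BorderFirewall(POLICY)
    verdicts = {
        "proxy_http":   fw.filter(Packet("out", "tcp", "149.144.1.10", "198.51.100.7", 40001, 80)),
        "http_reply":   fw.filter(Packet("in",  "tcp", "198.51.100.7", "149.144.1.10", 80, 40001)),
        "client_http":  fw.filter(Packet("out", "tcp", "149.144.20.5", "198.51.100.7", 40002, 80)),
        "client_https": fw.filter(Packet("out", "tcp", "149.144.20.5", "198.51.100.7", 40003, 443)),
        "dialin_https": fw.filter(Packet("out", "tcp", "149.144.8.20", "198.51.100.7", 40004, 443)),
        "spoof_in":     fw.filter(Packet("in",  "tcp", "149.144.3.3",  "149.144.1.25", 5555, 25)),
        "spoof_out":    fw.filter(Packet("out", "tcp", "10.0.0.1",     "198.51.100.7", 5555, 443)),
        "unsolicited":  fw.filter(Packet("in",  "udp", "198.51.100.7", "149.144.20.5", 53, 40005)),
    }
    return verdicts, fw.drop_log

if __name__ == "__main__":
    verdicts, log = demo()
    for name, verdict in verdicts.items():
        print(f"{name:13s} {verdict}")
    for pkt, reason in log:
        print("DROP", pkt.direction, pkt.proto, f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}", reason)
```

Two things the model makes visible that a rule listing alone does not: the HTTP reply from the outside web server is admitted only because the proxy's outbound request was recorded in the flow table (a stateless ACL would have to permit all inbound traffic from port 80 to get the same effect), and every drop carries a reason string, which is what makes the log in question 19 worth reviewing.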