Please find the attached file.
csc3412 Assignment 3
Semester 1, 2020
Due Date: 11:59pm 26 May 2020, AEST

Instructions

This assignment consists of 3 questions, each of equal value. They consist of common tasks required of a system administrator—tasks I have had to do at some time in the past. Some of the questions require that you complete them using the supplied virtual machine. If you are unable to use the supplied virtual machine, for whatever reason, you must contact the Examiner before submitting to organise an approved system you can use to complete the assignment. This must be done well before you submit.

Clear Layout

It is vitally important that your assignment is clearly laid out, with questions and parts of questions clearly defined. It must be a straightforward matter for the examiner to determine that you have completed each exercise satisfactorily. We want quality, not quantity. Poorly organised submissions will be rejected or receive a poor mark. A text file or a PDF/A document typeset using vanilla LaTeX is preferred over a document produced by a word-processor. If you must use Microsoft Word, please export your document as PDF/A [1], not PDF.

[1] PDF/A is an archival format of PDF that embeds all fonts used in the document within the PDF file. To ensure PDF/A format in Word, check “ISO-19005-compliant (PDF/A)” under “Options” when saving a file as PDF.

Command Output

When answering these questions you will have to run commands under Linux—whenever a command is run you will need to:

a. explain in your own words the purpose of the command in the context of the assignment question. (Please do not just copy the “Description” section from the man page!) Also, you need to explain in your own words all terminology used—as if you were explaining to an average user! (Please show you understand what you are doing!)

b. show that the command worked—either from its output or the output from another command.
For example:

    prompt> dd if=/dev/zero of=Crypt.fs bs=1M count=32
    32+0 records in
    32+0 records out
    33554432 bytes (34 MB) copied, 0.109063 s, 308 MB/s
    prompt> ls -l Crypt.fs
    -rw-r--r-- 1 user user 33554432 2010-02-25 10:18 Crypt.fs

c. To capture text output from programs you will have to redirect the output to a file or use the command script. If you are using the command script, turn off the tty escape sequences that change the colour of console text—the escape sequences will appear in the output file and make it impossible to read.

• accordance with section 4.4 ‘Deferred, Supplementary and Varied Assessment and Special Consideration’ of these procedures.

Question 1

A “gateway” machine has been created for a small business. The following “firewall” script is run on the “gateway” machine before the gateway’s interfaces are brought up—

     1 #!/bin/bash
     2
     3 iptables -F
     4 iptables -t nat -F
     5 iptables -X
     6 iptables -t nat -X
     7
     8 iptables -P INPUT DROP
     9 iptables -P OUTPUT DROP
    10 iptables -P FORWARD DROP
    11
    12 iptables -A INPUT -i lo -j ACCEPT
    13 iptables -A INPUT -i eth1 -p tcp -s 192.168.167.0/24 --dport 22 \
    14     -m state --state NEW -j ACCEPT
    15 iptables -A INPUT -i eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    16
    17
    18 iptables -A OUTPUT -o lo -j ACCEPT
    19 iptables -A OUTPUT -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    20
    21 iptables -t nat -A PREROUTING -i eth0 -p tcp -d 133.172.114.17 --dport 25 \
    22     -j DNAT --to-destination 192.168.167.23:25
    23 iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.167.0/24 \
    24     -j SNAT --to-source 133.172.114.17
    25
    26 echo 1 > /proc/sys/net/ipv4/ip_forward
    27
    28 iptables -A FORWARD -i eth1 -p tcp -s 192.168.167.0/24 --dport 80 \
    29     -m state --state NEW -j ACCEPT
    30 iptables -A FORWARD -i eth1 -p tcp -s 192.168.167.0/24 --dport 443 \
    31     -m state --state NEW -j ACCEPT
    32 iptables -A FORWARD -i eth0 -p tcp -d 192.168.167.23 --dport 25 \
    33     -m state --state NEW -j ACCEPT
    34 iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    35

Using the script above, answer the following questions:

a. (3 marks) Explain, in your own words, what a “gateway” machine is and what it is used for.

b. (6 marks) Explain the general purpose of the firewall above. Your explanation should include a description of the networks the gateway machine is connected to, how it is connected, and what services are being allowed into and out of the gateway machine. Note: This is a “general description”; do not make any explicit reference to the commands above.

c. For the following four groups of iptables commands, explain:
   • the overall effect of each group of commands, and
   • the purpose of each command within the group.
   (i) (2 marks) lines 12 and 18,
   (ii) (3 marks) lines 13 and 19,
   (iii) (3 marks) lines 21, 32 and 34,
   (iv) (3 marks) lines 23, 28, 30 and 34.

Notes:

a. The backslash character \ is a line continuation character in scripts.

(marks 20)

Question 2

As the system administrator you would like to SSH to a gateway machine (see Question 1) from off-site. Unfortunately that would mean opening the SSH port to the world—and currently that is against your organisation’s security policy. A friend tells you of the concepts of “port knocking” and “single packet authorisation” (SPA)—a way of temporarily opening a hole in a firewall to let an authorised connection through. This sounds like exactly what you need, so you study up on “port knocking” and “single packet authorisation” and experiment with the software “fwknop”.

To convince your supervisor that the software “fwknop” should be installed to allow access to the gateway machine from the Internet, you write a report on “port knocking” and SPA with examples of securely configuring and using “fwknop”. Your report will need to include the following:

a. (3 marks) What is “port knocking” and what are the inherent flaws in using multiple packets?

b. (3 marks) What is “single packet authorisation” and how does it address the flaws of multi-packet “port knocking”?

c. (3 marks) What is the data encapsulated in an SPA packet, and in fwknop in particular, and how is it protected?

d. (5 marks) The steps taken and the configuration file or files you needed to modify to open a secure temporary hole in a firewall using fwknop. Include an explanation in your own words of the purpose of every command used and every line in the configuration file or files.

e. Using the course supplied virtual machine, demonstrate how fwknop is used to create a hole in a firewall—
   (i) (2 marks) Create a firewall on the virtual machine. Use the output from the command iptables -L -v to show that the virtual machine has been properly firewalled.
   (ii) (4 marks) Output showing that fwknop worked: a successful SSH session and the output from the command iptables -L -v to show the hole that fwknop has created in the firewall.

Notes:

a. The virtual machine must be used as the fwknop server machine—the machine with the firewall. The host machine or a second virtual machine can be used as the fwknop client—the external machine trying to connect. There is a Windows GUI version of the fwknop client that may be used (I have not used it myself).

b. Read the discussion of single packet authorisation at http://www.cipherdyne.com and the more detailed, earlier article at www.cypherdyne.org

c. Read the tutorial on configuring and using fwknop at http://www.cipherdyne.com.

d. When configuring fwknop, only discuss SPA using an HMAC and a Rijndael symmetric key. Also be aware that there are some configuration options that add extra security; they should be used and discussed.

e. Do not explain how you installed either the fwknop-client or the fwknop-server software.

f. The fwknop-client expects that the machine you are sending the SPA packet to has a FQDN—an entry for the virtual machine in the client machine’s “hosts” file will be necessary.
Windows, macOS and Linux all have “hosts” files. The entry provides the FQDN of a machine independent of DNS.

g. The simplest way to set up the server and the client is to run two VMs: one the server machine you are trying to connect to, and one the client machine that is going to send the knock. To run two VMs just requires two copies of the VM on the host machine. Both VMware player and Virtual Box can be started twice, with each copy of the hypervisor running a different VM.

Links referred to in this question:
http://www.cipherdyne.com/fwknop/docs/fwknop-tutorial.html#what-is-PK
http://www.cypherdyne.org/fwknop/docs/SPA.html
http://www.cipherdyne.com/fwknop/docs/fwknop-tutorial.html
http://www.cipherdyne.com/

(marks 20)

Question 3

The Australian Government’s “Data Retention” legislation came into effect in April, 2017. This legislation requires ISPs to retain, for two years, the IPs of all remote systems accessed by their users (amongst other meta-data). The legislation created a lot of interest in VPNs as a way to ensure Internet privacy—hiding the sites visited. Most people have become aware of VPNs but have very little knowledge of the technical aspects of VPNs.

In about a page, explain in your own words what a VPN is, what it is used for and how it works. As there are a number of VPN technologies, use the popular technology OpenVPN (see https://openvpn.net/community-resources/) as the basis of your explanation. Your explanation should include:

• (5 marks) in general terms what a VPN is, including a discussion of a point-to-point VPN and a routed VPN,
• (3 marks) examples of where a VPN may be useful, explicitly explaining the problem they overcome and how they overcome it (e.g. using a VPN to access Netflix USA: what is the problem and how is it overcome using a VPN?),
• (7 marks) the technologies used in SSL/TLS VPNs such as OpenVPN
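Question 2 asks what an SPA packet carries and how an HMAC and a Rijndael (AES) key protect it. The Ruby program below is an added illustration of that message model, not fwknop's own code or wire format: the client encrypts its access request with AES-128-CBC and appends an HMAC-SHA256 tag, and the server checks the tag before anything else, refuses replays with a digest cache, decrypts, and enforces a timestamp window. The plaintext field layout, the 120-second window and the key values are assumptions made for the example.

```ruby
require 'openssl'
require 'set'

# Constructed model of an SPA packet, not fwknop's own format. The client's request
# "<unix time> <user> <access request>" is encrypted with AES-128-CBC (Rijndael with a
# 128-bit block) under a fresh random IV, then an HMAC-SHA256 tag over IV||ciphertext
# is appended (encrypt-then-MAC), so a forged or tampered packet is rejected before
# any decryption is attempted.
WINDOW = 120 # seconds of clock skew tolerated; an assumed value for this example

# Constant-time comparison so tag checking does not leak how many bytes matched.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def build_spa(enc_key, hmac_key, ts, user, request)
  cipher = OpenSSL::Cipher.new('AES-128-CBC').encrypt
  cipher.key = enc_key # 16-byte symmetric key shared with the server
  iv = cipher.random_iv
  body = iv + cipher.update("#{ts} #{user} #{request}") + cipher.final
  body + OpenSSL::HMAC.digest('SHA256', hmac_key, body)
end

# Server side. Order matters: authenticate first, then refuse replays via a digest
# cache (fwknop keeps a similar digest file), then decrypt and check the timestamp.
# Returns [user, request] or raises with the reason, which is what the server would log.
def verify_spa(enc_key, hmac_key, packet, now, seen)
  raise 'packet too short' if packet.bytesize < 16 + 16 + 32 # IV + one block + tag
  body = packet[0, packet.bytesize - 32]
  tag = packet[-32, 32]
  raise 'HMAC mismatch' unless secure_equal?(OpenSSL::HMAC.digest('SHA256', hmac_key, body), tag)
  digest = OpenSSL::Digest.digest('SHA256', packet)
  raise 'replayed packet' if seen.include?(digest)
  seen << digest
  cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
  cipher.key = enc_key
  cipher.iv = body[0, 16]
  plain = cipher.update(body[16..-1]) + cipher.final # raises CipherError on bad padding
  ts, user, request = plain.split(' ', 3)
  raise 'malformed request' unless request
  raise 'timestamp outside window' if (now - ts.to_i).abs > WINDOW
  [user, request]
end
```

A real deployment would also bind the request to the client's source address and use per-client keys; fwknop's own packet format is documented in the links above.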