Problem solving and/or short essays

Question 1. An early attempt to force users to use less-predictable passwords involved computer-supplied passwords. The passwords were eight characters long, taken fromthe character set consisting of lowercase letters and digits. They were created by apseudorandom number generator with 215 possible starting values. Using the technology of the day, the time required to search through all character strings of length 8from a 36-character alphabet was 112 years. Unfortunately, this is not a true reflection of the actual security of the system today. Why?

Explore and explain the problem in detail.

Question 2. Consider user accounts on a system with a Web server configured to provide access touser Web areas. In general, it uses a standard directory name, such as "public_html," in a user's home directory. This acts as their user Web area if it exists. However, toallow the Web server to access the pages in this directory, it must have at least search(execute) access to the user's home directory, read/execute access to the Web directory, and read access to any webpages in it. Consider the interaction of this requirement with the cases you discussed for the preceding problem. What are the consequences of this requirement? Note that a Web server typically executes as a specialuser and in a group that is not shared with most users on the system.

Are there somecircumstances when running such a Web service is simply not appropriate? Explain.

Question 3. A decentralized NIDS is operating with two nodes in the network, monitoring anomalous inflows of traffic. In addition, a central node is present to generate an alarm signal upon receiving input signals from the two distributed nodes. The signatures oftraffic inflow into the two IDS nodes follow one of four patterns: P1, P2, P3, or P4. Thethreat levels are classified by the central node based upon the observed traffic by the two NIDS at a given time, as outlinedin the following table.

If at least one distributed node generates an alarm signal P3at a given time instance, what is the probability that the observed traffic in the network will be classified atthreat level "Medium"?

Question 4. Assume we have an internal Webserver, used only for testing purposes, at IP address 5.6.7.8on our internal corporate network. The packet filter is situated at a chokepointbetween our internal network and the rest of the Internet.

Can such a packet filterblock all attempts by outside hosts to initiate a direct TCP connection to this internal Webserver? If yes, show a packet-filtering ruleset that provides this functionality; if no,explain why a (stateless) packet filter cannot do it.

Note: A ruleset is a list of rules, and the first matching rule determines the actiontaken. A rule is an action followed by a specification of which packets match, for example, droptcp 1.2.3.4:* -> *:25.

Question 5. The BLP model imposes the ss-property and the *-property on every element of b, but does not explicitly state that every entry in M must satisfy the ss-property and the*-property.

a. Explain why it is not strictly necessary to impose the two properties on M.
b. In practice, would you expect a secure design or implementation to impose the two properties on M? Explain.

Question 6. Consider the following threats to Web security, and describe how each is countered bya particular feature of SSL.

a. Man-in-the-middle attack: An attacker interposes during key exchange, acting asthe client to the server and as the server to the client.

b. Password sniffing: Passwords in HTTP or other application traffic are "eavesdropped."

c. IP spoofing: Uses forged IP addresses to fool a host into accepting bogus data.

d. IP hijacking: An active, authenticated connection between two hosts is disrupted, so the attacker can take the place of one of the hosts.

e. SYN flooding: An attacker sends TCP SYN messages to request a connectionbut does not respond to the final message to establish the connection fully. Theattacked TCP module typically leaves the "half-open connection" around for afew minutes. Repeated SYN messages can clog the TCP module.

Question 7. Sensors, analyzers, and user interfaces are three important components of any intrusion detection system. Explain in detail what each component does, what approaches IDS typically use to analyze sensor data, what sensor data can be used for host-based intrusion detection, and what sensor data can be used for network-based intrusion detection.

Question 8. Firewalls play very important roles in computer and network security. Explore and explain in detail the functionalities of different types of firewalls, including those installed on your home computers and home networks (on the router you may have), as well as the protocols used on these firewalls.