
JARAMOGI OGINGA ODINGA UNIVERSITY OF SCIENCE AND TECHNOLOGY

SCHOOL OF INFORMATICS AND INNOVATIVE SYSTEMS

UNIVERSITY EXAMINATION FOR THE DEGREE OF BACHELOR OF SCIENCE IN

SECURITY AND FORENSICS

4th YEAR 1st SEMESTER 2018/2019 ACADEMIC YEAR

MAIN CAMPUS

COURSE CODE: IIT 3411

COURSE TITLE: IT SECURITY ARCHITECTURE AND DESIGN

EXAM VENUE: STREAM:

DATE: EXAM SESSION:

TIME: 2.00 HOURS

INSTRUCTIONS:

1. Answer Question 1 (Compulsory) and ANY other two questions
2. Candidates are advised not to write on the question paper
3. Candidates must hand in their answer booklets to the invigilator while in the
examination room

QUESTION ONE [30 MARKS]

a) What’s the one main drawback of network taps and protocol analyzers? (1 mark)

• Putting a network tap into place will disrupt the network being monitored

b) Explain two vulnerabilities associated with the File Transfer Protocol (FTP) (2 marks)

• Packet capture (sniffing) – When a file is sent using this protocol, the data, username, and
password are all shared in plain text, which means a hacker can access this information
with little to no effort using packet sniffers like Wireshark.
• Port stealing – An attacker can observe the current port number allocated by the server
and "guess" the next one that will be used. The attacker can make a connection to this
port, thus denying another legitimate client the ability to make a transfer.

c) Explain what you understand by these two secure network technologies: NAC and
PAT (2 marks)

Network Access Control – A method of bolstering the security of a proprietary network by
examining the current state of a system or network device before it is allowed to connect to the
network. Any device that does not meet a specific set of criteria is only allowed to connect to a
“quarantine” network where the security deficiencies are corrected.

Port Address Translation – An extension to NAT that permits multiple devices on a local area
network to be mapped to a single public IP address. Each packet is given the same IP address but
a different port number.
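The port-based mapping that PAT performs, as an added illustration that is not part of the exam paper: two private hosts leave with the same public address and are told apart only by the translated source port, and a reply with no mapping is dropped. All addresses and ports are constructed for the example.

```python
from itertools import count
from typing import Optional, Tuple

Packet = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)

class PortAddressTranslator:
    """Minimal PAT (NAT overload): every outbound packet leaves with the single public
    address, and only the translated source port tells the private hosts apart."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)   # next free public port to hand out
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN-originated packet so the internet sees only the public address."""
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port)
        if key not in self.out_map:          # first packet of this flow: allocate a port
            public_port = next(self._ports)
            self.out_map[key] = public_port
            self.in_map[public_port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the private host, or None when no mapping exists
        (an unsolicited packet from the internet has nowhere to go and is dropped)."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None
        priv_ip, priv_port = self.in_map[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)

def demo():
    """Two private hosts use the same source port to reach the same server; PAT keeps
    them apart by port and routes each reply to the right host. Constructed addresses."""
    pat = PortAddressTranslator("203.0.113.1")
    a = pat.outbound(("192.168.1.10", 5000, "198.51.100.7", 443))
    b = pat.outbound(("192.168.1.11", 5000, "198.51.100.7", 443))
    reply_b = pat.inbound(("198.51.100.7", 443, "203.0.113.1", b[1]))
    stray = pat.inbound(("198.51.100.9", 4444, "203.0.113.1", 50000))
    return a, b, reply_b, stray
```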

d) Briefly explain three disadvantages of Hide-Mode Mapping in NAT (3 marks)

• Cannot hide all clients behind a single IP address
• Does not work with some types of VPNs
• Cannot provide more than one service with a single IP address

e) State the three actions that an IDS can take when it receives a suspicious packet (3 marks)

• Send an alarm message
• Drop the packet
• Stop and restart network traffic
f) When outlining penalties for violations, what are the three critical things that a policy
should emphasize? (3 marks)

• Policy should state what to do and what not to do
• Policy should also contain guidelines for the penalty process
• Establish flexible methods of punishment
g) Stateless packet filtering allows or blocks packets based on information in the
protocol headers. State the three features within the protocol header that it looks at before
deciding whether to block or allow packets (3 marks)

• Source address
• Destination address – internal IP address
• Port 80
h) State at least four critical areas where IDS network sensors should be placed to ensure
efficiency (4 marks)

• Internet gateways
• Connections between one LAN and another
• Remote access servers that receive dial-up connections from remote users
• Virtual private network (VPN) devices
i) What are the inherent benefits of a security policy? (4 marks)

• Provides a foundation for an organization’s overall security stance
• Gives employees guidelines on how to handle sensitive information
• Gives IT staff instructions on what defensive systems to configure
• Reduces the risk of legal liability

j) What are the goals associated with proxy servers? (5 marks)

• Speed up network communications
• Information is retrieved from the proxy cache instead of the internet
• Provide security at the application layer
• Shield hosts on the internal network
• Control which websites users are allowed to visit
QUESTION TWO [20 MARKS]
a) Explain the critical aspects that a secure VPN design should address (14 marks)

1. Secure connectivity – A VPN should allow you to create a secure connection to another
network over the internet. VPNs can be used to access region-restricted websites and shield your
network traffic from prying eyes on the internet.
2. Availability – The VPN should quickly and easily recover from component failure and
continue to provide service.
3. Authentication – VPNs ensure privacy by providing a private tunnel through the internet
for remote access to the network; a secure VPN must be enhanced with a reliable user
authentication mechanism, protecting the endpoints of the VPN.
4. Secure management – Network traffic in the private network should be easily controlled
by the administrator.
5. Reliability – Employees and remote offices should be able to connect to the VPN with no
trouble at any time.
6. Scalability – The VPN should provide the same quality of connection as new users are
added, even when it is handling the maximum number of simultaneous connections.
7. Performance – The VPN should not obstruct the network or increase network latency,
which can directly impact network performance.
b) Several advantages, such as no need to modify firewall settings to support VPN traffic,
configuration that scales more easily, and the ability to deal with congested servers, are attributed
to setting up a VPN parallel to your firewall inside the DMZ. Briefly explain three
disadvantages attributed to this scenario (6 marks)

a. The VPN server is connected directly to the internet – making it an ideal target for
attackers
b. If the VPN server becomes compromised, the attacker will have direct access to your
internal network
c. The cost of supporting a VPN increases with new servers – setting up a VPN parallel to a
firewall means having to purchase two servers, which will prove costly.
QUESTION THREE [20 MARKS]
a) State and explain the various steps in intrusion detection (14 marks)

1. Installing the IDS database – The IDS uses the database to compare traffic detected by
sensors. There are two types: anomaly-based systems, which require a training period
of over one week, and misuse-based IDSs, which can use the database immediately.
2. Gathering data – Network sensors gather data by reading packets. Sensors need to
be positioned where they can capture all packets.
3. Sending alert messages – Sensors capture packets, the IDS software compares
captured packets with information in its database, and the IDS then sends alert messages if
captured packets match an attack signature or deviate from normal network behavior.
4. The IDS responds – Command consoles receive alert messages and notify the
administrator. The IDS can be configured to take actions when a suspicious packet is
received, for instance: send an alarm message, drop the packet, or stop and restart the
network traffic.
5. The administrator assesses damage – The administrator monitors alerts and
determines whether countermeasures are needed.
6. Following escalation procedures – These are a set of actions to be followed if the
IDS detects a true positive. They should be spelled out in the company’s security policy.
7. Logging and reviewing the event – The IDS events are stored in log files or
databases. The administrator should review logs to determine patterns of misuse.

b) State three ways of detecting a potential intrusion (3 marks)

• Detecting statistical anomalies
• Examining network traffic and looking for well-known patterns of attack
• Using protocol analyzer technology

c) State at least three ways in which you can harden an operating system to resist attacks
(3 marks)

• Patch and upgrade
• Remove unnecessary programs
• Use security templates for users

QUESTION FOUR [20 MARKS]


a) Briefly explain the advantages and disadvantages of IDS triggering mechanisms
(8 marks)

Advantages

Anomaly detection trigger
• An attacker cannot anticipate what will trigger an alarm
• As new users and groups are created, IDS profiles can be changed to keep up with the
new arrangements
• It can detect new attacks since it does not rely on published signatures
• The system can effectively detect attacks from inside the network by employees or
attackers who have stolen employee accounts

Misuse detection
• This approach makes use of signatures of well-known attacks
• The IDS can begin working immediately after installation
• The IDS is easy to understand and is less difficult to configure than an anomaly-based
system
• Each signature in the database is assigned a number and name so that the administrator
can identify attacks that need to set off an alarm

Disadvantages

Anomaly detection
• A lot of time is required to configure the IDS to use profiles of network users and groups
• As new users are created, the profiles available to the IDS must be updated to remain effective
• The definition of what constitutes “normal” traffic changes constantly; the IDS must be
reconfigured continually to keep up
• After installation, the IDS must be “trained” for days or weeks at a time to recognize
normal traffic

Misuse detection
• The database of signatures must be updated to maintain the effectiveness of the IDS
• New types of attacks might not be included in the database
• By making minor alterations to the attack, attackers can avoid matching one of the
signatures in the database
• Because a misuse-based system makes use of a database, a considerable amount of disk
storage space might be needed
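Both triggering mechanisms side by side, as an added illustration that is not part of the exam answers: a misuse trigger that compares each request with a signature database (percent-decoding the request first, so the "minor alteration" evasion listed under the disadvantages is not enough on its own), and an anomaly trigger whose notion of "normal" is learned from a training period, as in step 3 of Question Three. The signatures, log format and traffic are constructed for the example.

```python
import re
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed signature list (id, name, pattern); real IDS rule sets are far larger.
SIGNATURES = [
    (1001, "directory traversal", re.compile(r"\.\./")),
    (1002, "sensitive file request", re.compile(r"/etc/passwd")),
]
# Constructed log format: "<time> <src> -> <dst>:<port> <request line>"
LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (.*)$")

def misuse_matches(log_lines):
    """Misuse trigger: compare every request against every known signature.
    Requests are percent-decoded first, so ..%2F does not slip past the '../' signature."""
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, src, _dst, _port, request = m.groups()
        for sig_id, _name, pat in SIGNATURES:
            if pat.search(unquote(request)):
                hits.append((ts, src, sig_id))
    return hits

def anomaly_threshold(training_counts, k=3.0):
    """Anomaly trigger: 'normal' comes from a training period (here requests per source
    per minute); anything above mean + k standard deviations is flagged."""
    return mean(training_counts) + k * pstdev(training_counts)

def anomalous_sources(log_lines, training_counts):
    """Return sources whose request count in this window exceeds the learned threshold."""
    per_src = {}
    for line in log_lines:
        m = LINE.match(line)
        if m:
            per_src[m.group(2)] = per_src.get(m.group(2), 0) + 1
    limit = anomaly_threshold(training_counts)
    return sorted(src for src, n in per_src.items() if n > limit)

# Constructed data: a training baseline of per-source requests per minute, then one
# live minute in which 10.0.0.7 fires 37 requests and 10.0.0.9 sends two traversal attempts.
TRAINING = [4, 5, 6, 5, 4, 6, 5, 5]
WINDOW = [f"09:00:{i:02d} 10.0.0.5 -> 192.0.2.10:80 GET /index.html" for i in range(3)]
WINDOW += [f"09:00:{i:02d} 10.0.0.7 -> 192.0.2.10:80 GET /item?id={i}" for i in range(3, 40)]
WINDOW += ["09:00:40 10.0.0.9 -> 192.0.2.10:80 GET /cgi-bin/../../etc/passwd",
           "09:00:41 10.0.0.9 -> 192.0.2.10:80 GET /cgi-bin/..%2F..%2Fetc%2Fpasswd"]
```

Note that only the misuse trigger names what it saw (a signature id), while the anomaly trigger reports a source whose behaviour departs from the baseline without saying why; the disadvantages above follow directly from that difference.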
b) State the seven steps to creating a security policy (7 marks)

1. Call for the formation of a group that meets to formulate the security policy
2. Determine whether the overall approach to security should be restrictive or permissive
3. Identify the assets you need to protect
4. Determine what needs to be logged and/or audited
5. List the security risks that need to be addressed
6. Define acceptable use of the internet, office computers, passwords, and other network
resources
7. Create the policy

c) State the three IP packet header fields used by packet filtering (3 marks)

• IP version
• Source IP address
• Destination IP address
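An added example, not part of the exam paper, of the stateless filtering described in Question One (g) and the header fields listed here: each packet is judged only on its source address, destination address and destination port against a rule list, with first match winning and default deny. The network, rules and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    src: str               # source network in CIDR form ("0.0.0.0/0" = any)
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None = any port

# Constructed rule set for a LAN 192.0.2.0/24 with a web server at 192.0.2.10.
# First match wins; a packet matching nothing is blocked (default deny).
RULES = [
    Rule("block", "10.0.0.0/8", "0.0.0.0/0", None),    # private source seen on the outside: spoofed
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 80),   # anyone may reach the web server on 80
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 443),  # ... and on 443
    Rule("allow", "192.0.2.0/24", "0.0.0.0/0", None),  # LAN hosts may connect out anywhere
]

def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """Stateless decision: only the three header fields are consulted, never any
    memory of earlier packets, so a reply and a fresh connection look identical."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (src in ip_network(r.src) and dst in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "block"

# Constructed sample packets: (source, destination, destination port)
SAMPLE: List[Tuple[str, str, int]] = [
    ("203.0.113.5", "192.0.2.10", 80),    # allow: web request from the internet
    ("203.0.113.5", "192.0.2.10", 22),    # block: no rule permits SSH from outside
    ("10.1.2.3", "192.0.2.10", 80),       # block: spoofed private source, even on port 80
    ("192.0.2.20", "198.51.100.7", 443),  # allow: LAN host going out
]

def filter_sample() -> List[str]:
    """Run every sample packet through the rule list and return the decisions in order."""
    return [decide(RULES, *pkt) for pkt in SAMPLE]
```

Because nothing about earlier packets is remembered, a stateless filter cannot tell whether a packet arriving on an allowed port belongs to an established session; that is what stateful inspection adds.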

d) What is a protocol analyzer? (2 marks)

A protocol analyzer is a tool (hardware or software) used to capture and analyze signals and data
traffic over a communication channel. Such a channel can be anything from a local computer bus to a
satellite link, and provides a means of communication using a standard communication protocol.

QUESTION FIVE [20 MARKS]

a) State and explain the various components that make up an intrusion detection system
(IDS) (10 marks)

1. Network sensors – These can be hardware or software that monitor traffic in your
network and trigger alarms. Attacks detected include single-session attacks and
multiple-session attacks. Sensors should be placed at common entry points, e.g. an internet gateway.
2. Alert systems – These are the circumstances that cause an alert message to be sent.
3. Command console – Provides a graphical front-end interface to an IDS which enables
administrators to receive and analyze alert messages and manage log files.
4. Response system – An IDS can be set up to take some countermeasures. These do not
substitute for network administrators, because administrators can make judgements and distinguish
false positives.
5. Database of attack signatures or behaviors – IDSs don’t have the capability to make
judgements, therefore they make use of a source of information against which to compare the
traffic they monitor.
b) State and briefly explain at least 5 advantages associated with subnetting as a way of
securing a network infrastructure (5 marks)

1. Decreased network traffic – Broadcasts to network hosts are generally limited to
individual subnets.
2. Flexibility – The number of subnets and hosts can be customized for each organization
and easily changed as necessary.
3. Improved troubleshooting – Tracing a problem on a subnet is faster and easier than on a
single large network.
4. Improved utilization of addresses – Because networks can be subdivided, this generally
reduces the number of wasted IP addresses.
5. Minimal impact on external routers – Because only routers within the organization are
concerned with routing between subnets, routers outside the organization do not have to
be updated to reflect changes.
6. Reflection of the physical network – Hosts can be grouped into subnets that more accurately
reflect the way they are organized in the physical network.
c) Briefly explain at least 5 convergence vulnerabilities, especially in relation to VoIP
(5 marks)

• Operating systems – Softphones that operate on standard PCs are vulnerable to
operating system attacks
• VoIP protocols – Many of the common VoIP protocols do not provide adequate
call-party authentication, end-to-end integrity protection, and confidentiality measures
• Lack of encryption – Voice protocols do not encrypt call-signaling and voice streams,
so identities, credentials, and phone numbers of callers can be captured using protocol
analyzers
• Network acknowledgment – Attackers can flood VoIP targets with DoS-type attacks
that can degrade service, force calls to be dropped prematurely, and render certain
VoIP equipment incapable of processing calls
• Spam – Spam over internet telephony can carry unsolicited sales calls and other
nuisance messages, and programs can download hidden malware to softphones
