Vous êtes sur la page 1sur 5



Postgraduate Examinations 2017

Network Security and Cryptographic Principles

Time allowed: TWO hours

Candidates are permitted to bring into the examination room:

Calculator – Casio FX-83GT PLUS or Casio FX-85GT PLUS only

The following items are provided:

Graph paper (available on the invigilator’s desk)

The paper consists of FOUR questions.

Candidates must answer ALL questions

Questions are of equal weight.

The percentages shown in brackets provide an indication of the proportion of the total marks for
the PAPER which will be allocated.

Please do not leave your seat unless you are given permission by an invigilator.
Do not communicate in any way with any other candidate in the examination room.
Do not open the question paper until told to do so.
All answers must be written in the answer book(s) provided.
All rough work must be written in the answer book(s) provided. A line should be drawn through
any rough work to indicate to the examiner that it is not part of the work to be marked.
At the end of the examination, remain seated until your answer book(s) have been collected and
you have been told you may leave.
CE823-7-SP 2

Question 1

A new company, that does most of its business through online sales, has asked you to design the
company network architecture with regard to security features. The company network has the
following requirements:

• the network is to reside in a single campus

• a web server provides the online sales presence

• customer records including sales and credit-card information must be securely stored

• 1000 client workstations are used by company workers in the campus and require general
Internet browsing as well as dealing with customer records

• it must provide internal and external email communication

• it should have the ability to share files using shared file storage

• it should provide general network support services such as DNS.

(a) Design a network architecture that meets the requirements above. Your answer should not [17%]
give details about servers or firewalls other than to describe their connectivity and purpose
to support the secure operation of the network.

The company is concerned that a secure architecture alone is not enough to protect the
online-shop from external attack. The online-shop has been supplied, by a reputable provider, as
a standard web-application that is modified for each company to incorporate the company stock
list, logos and other company specific information. For business reasons, the company does not
want to employ software developers to create or test security in the web-application itself, but
wants to ensure the secure operation of the online-shop using an off-the-shelf solution.

(b) Propose a solution to add additional protection for the online shop web-application and [8%]
briefly describe how it operates.
3 CE823-7-SP

Question 2

You are to write firewall rules for an organization’s external firewall. The firewall has only two
interfaces: the external interface connects to the Internet, the internal interface connects to the
internal network of the organization that is to be protected. The firewall is a stateless packet
filtering firewall. The company’s internal network consists of:

• a single IP subnet

• the internal router interface address using

• staff workstations using addresses

• EmailServer, a SMTP server using address and listening on port 25

• FileServer, a network attached storage (NAS) using address, listening on

TCP port 445

The firewall policy requires:

• staff workstations should be able to access HTTP servers in the Internet but no other
Internet services

• home workers can access FileServer from their home Internet connection

• EmailServer should be able to send and receive email

• all other traffic is to be blocked.

(a) Design the firewall rules that meet the firewall policy above. Your answer does not need to [18%]
be in the format of any particular firewall system but should describe the required firewall
rule parameters. Every firewall rule must have a description that explains the fields.

After specifying the firewall rules, you inform the company that the FileServer NAS is not
secure over the Internet as it using a simple password hash for security and is also a frequent
source of vulnerabilities due to infrequent software updates.

(b) Briefly propose a solution that allows the home workers to access FileServer in a secure [7%]
manner and explain why it is secure.
CE823-7-SP 4

Question 3

The connection to a company’s database server is to be protected using the advanced encryption
standard (AES). A large number of clients use the database and they authenticate with the
database server through a secure password exchange mechanism. The designer of the system is
aware that there is a problem with key-distribution using a symmetric cipher such as AES.

(a) Propose a suitable key-distribution mechanism. Describe how it operates and how it is used [9%]
by AES.

(b) Explain why it is vital that, in addition to the client authentication, the server is properly [6%]

(c) Given that there are a large number of clients required to connect to the database server, [10%]
propose and briefly describe a suitable mechanism to authenticate the server.
5 CE823-7-SP

Question 4

(a) Kerberos consists of a number of different components, state and briefly describe these [6%]


1: IDc

2: E(Kc , KS )

3: TT GT = E(KT GS , IDc |Ac |∆v |Ks )

Figure 1

The first three messages in a Kerberos v4 communication are shown in Figure 1 with
abbreviations for the common terms. The diagram omits some of the other Kerberos
components that are not involved in these first three messages.

(b) Name and briefly describe the fields in each of the messages shown in Figure 1 with regard [11%]
to the components you described in Part (a) and the security features that they perform.

(c) Describe an attack that is possible against the Kerberos messages you have described in Part [8%]
(b) and propose a solution against this attack. You should describe any security limitations
to the solution that you propose.