Homework 3
Handed out: March 1, 2007
Due back: March 7th, 11:59pm, 2007 (by submission timestamp).
Submission: Electronic upload submission (see instruction online at the course webpage)
Notes: 1. To be done individually.
2. Please do not give a simple yes/no as results to some of the questions. Briefly explain why and how you obtain that result.
- Suppose filtering routers are arranged as in the Figure below; the primary firewall is R1. Explain how to configure R1 and R2 so that outsiders can Telnet to net 2 but not to hosts on net 1. Be careful about “leapfrogging” break-ins to net 1.
- Consider the following packet-filter firewalls. Suppose that Alice wants to disallow access to her network 222.22.0.0/16 from the public Internet (rule R3 in the Table 8.4 below). Alice is again collaborating with Bob and his colleagues, who are at a university, and so Alice wants to let users from Bob’s university (whose network address is 111.11/16) access a specific subnet, 222.22.22/24, within her company’s network (rule R1 below). Alice knows that Trudy, a well-known hacker, is in Bob’s university and that Trudy’s subnet, 111.11.11/24, is an insecure hacker haven. So Alice doesn’t want any traffic from 111.11.11/24 entering anywhere into her network (rule R2). Alice’s packet-filtering rules are summarized as below.
Fill in the table below for the desired actions, and actions taken for this scenario under ordering R1, R2 and R3, and under ordering R2, R1 and R3.
- Timing attack problem. Modify the following password checking code discussed in the lectures so that it is not vulnerable to timing attacks.
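#include <string.h>

/* Returns 1 if inp matches pwd, 0 otherwise; exits on the first mismatch. */
int password_check(char *inp, char *pwd) {
    size_t i;
    if (strlen(inp) != strlen(pwd)) return 0;
    for (i = 0; i < strlen(pwd); ++i)
        if (inp[i] != pwd[i])
            return 0;
    return 1;
}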
- Describe each of the following three kinds of access control mechanisms in terms of (a) ease of determining authorized access during execution, (b) ease of adding access to all objects for a new subject, (c) ease of deleting access to an object by a subject, and (d) ease of creating a new object to which all subjects by default have access. Please try to keep your answer short to a few key points.
  - Per-object access control list
  - Access control matrix
  - Capability
- Represent the ownerships and permissions shown in this UNIX directory listing as an access control matrix. Note: asw is a member of two groups: users and devel; gmw is a member of only “users” group. Treat each of the two users and two groups as a domain, so the matrix has four rows (one per domain) and four columns (one per file).
-rw-r--r-- 2 gmw users
-rwxr-xr-x 1 asw devel
-rw-rw---- 1 asw users
-rw-r----- 1 asw devel
- Stallings Problem 16.4
- Whether IPSec will work with Network Address Translation (NAT) depends on which mode of IPSec and NAT we use. Suppose that we use true NAT, where only IP addresses are translated (without port translation). Will IPSec and NAT work in each of the following cases? Briefly explain why or why not. For example, if it works, please show how the end host, NAT and any other related devices are connected.
  - IPSec using AH transport mode
  - IPSec using AH tunnel mode
  - IPSec using ESP transport mode
  - IPSec using ESP tunnel mode
Note:
a) The TCP/UDP checksum includes the TCP/UDP header, the TCP/UDP payload, and the three fields from the IP header – protocol number, source IP address, and destination IP address.
b) The discussion in KPS book Ch 17.2.1 may not be entirely correct.
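
The timing side channel in the password-checking problem above, as an added example that is not part of the original assignment: the early-exit loop is instrumented to count byte comparisons, next to one possible hardened form that makes a single pass with no data-dependent exit. The names `leaky_check` and `ct_check`, the `steps` counter and the sample guesses are assumptions made for illustration; the hardened version's work still scales with the length of the guess, which the caller already knows.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison as in the problem statement, instrumented to report
   how many byte comparisons ran. That count is what a timing attack measures. */
int leaky_check(const char *inp, const char *pwd, size_t *steps)
{
    *steps = 0;
    if (strlen(inp) != strlen(pwd))
        return 0;
    for (size_t i = 0; i < strlen(pwd); ++i) {
        ++*steps;
        if (inp[i] != pwd[i])
            return 0;           /* returns sooner the earlier the mismatch */
    }
    return 1;
}

/* Hardened form (hypothetical name): one pass over the whole guess,
   differences accumulated with OR, no branch on secret data.
   Work depends only on strlen(inp), not on how many bytes matched. */
int ct_check(const char *inp, const char *pwd, size_t *steps)
{
    size_t n = strlen(inp), m = strlen(pwd);
    volatile size_t diff = n ^ m;   /* non-zero when the lengths differ */
    *steps = 0;
    for (size_t i = 0; i < n; ++i) {
        ++*steps;
        /* i % (m + 1) stays inside pwd[0..m]; pwd[m] is the NUL terminator */
        diff |= (size_t)((unsigned char)inp[i] ^ (unsigned char)pwd[i % (m + 1)]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample guesses against a constructed password "secret". */
    const char *guesses[] = { "axxxxx", "secxxx", "secret" };
    for (size_t g = 0; g < 3; ++g) {
        size_t a, b;
        int r1 = leaky_check(guesses[g], "secret", &a);
        int r2 = ct_check(guesses[g], "secret", &b);
        printf("%s leaky=%d (%zu steps) ct=%d (%zu steps)\n",
               guesses[g], r1, a, r2, b);
    }
    return 0;
}
```
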