======================================================================
CMSC 491N/691N Network Security
Prof. Krishna Sivalingam
Spring 2005
Quiz 3 Solutions
======================================================================

1. In SSL and TLS, why is there a separate "Change Cipher Spec" protocol, rather than having a message as part of the Handshake protocol?

   The Change Cipher Spec protocol exists to signal transitions in ciphering strategies, and can be sent independent of the complete handshake protocol exchange.

2. Explain how SSL/TLS can handle a replay attack where earlier SSL handshake messages are replayed.

   This is prevented by the use of the nonces in the handshake messages.

3. What are the significant practical challenges in a rule-based IDS and a statistical IDS?

   For rule-based systems, the challenges are: identifying potential rules, and updating/modifying the rules to keep track with newly exposed weaknesses, new attacks, etc.
   For statistical systems: the determination of appropriate statistical parameters to measure, the development of acceptable parameter values, etc.

4. What is the "iptables" software used for?

   netfilter and iptables enable packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. iptables provides a generic table structure for the definition of rulesets.

5. How does a stateful firewall handle UDP packets?

   Since there is no notion of a UDP session (and hence no UDP state), stateful firewalls maintain pseudo state for UDP packets. The firewall can keep track of the source/dest. addresses/ports and keep the entry alive for some period of time, after which it removes the entries.

6.
Explain what is accomplished by each of the following ACLs:

   (i) access-list 11 permit 192.168.100.0 0.0.0.255
       [When applied to a border router's egress port] -> Allow all packets from the hosts 192.168.100.0 - 192.168.100.255 to SEND packets to the outside network.

   (ii) access-list 11 deny 192.168.100.7 0.0.0.0
       [When applied to a border router's egress port] -> DENY host 192.168.100.7 from SENDing packets to the outside network.

   (iii) access-list 11 deny 172.16.0.0 0.0.255.255
       [When applied to a border router's ingress port] -> Denies all packets from hosts 172.16.*.*.

   (iv) access-list 111 deny icmp any any echo-request
       -> I did not note in the question that this also applied to incoming traffic. The above rule does not allow any incoming echo-request packet (this is what ping uses) to enter the network.

7. Define the IP Traceback problem. Define the "Packet Marking" concept. Discuss its advantages and disadvantages.

   Refer to the slides/notes.

8. How are initial keys established in TKIP and CCMP? How many keys are required for the crypto operation for the two protocols?

   The initial keys are established using the IEEE 802.1X protocol, assuming that there exists an Authentication Server that verifies the username/password and generates the initial session keys from which other keys are derived.

   For TKIP, 2 keys are needed: a 128-bit temporal key, used in key mixing to determine the per-packet WEP key and IV value, and a 64-bit Michael MIC key.

   For CCMP, there is a single 128-bit AES key that is used for both integrity and encryption.

======================================================================
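Added example for question 2 (not part of the course material): a toy model of why the handshake nonces defeat replay. Real TLS derives the master secret from a pre-master secret plus client_random and server_random with a PRF, and the Finished message is a PRF over the handshake transcript; here HMAC-SHA256 stands in for both, and a constant pre-master secret models a replayed ClientKeyExchange. The `Server`, `legitimate_handshake` and `replay_recorded_handshake` names are this example's own.

```python
"""Toy model of how fresh handshake nonces defeat replay of recorded SSL/TLS
handshake messages.  Simplification: HMAC-SHA256 plays the role of the TLS PRF
for both master-secret derivation and the Finished message."""
import hashlib
import hmac
import os

# Constructed constant standing in for a replayed, encrypted pre-master secret:
# an attacker who replays the recorded ClientKeyExchange replays this value too.
REPLAYED_PRE_MASTER = b"constructed-pre-master-secret"


def derive_master_secret(pre_master, client_random, server_random):
    """Master secret depends on BOTH nonces, so a new server_random changes it."""
    return hmac.new(pre_master, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


def finished_mac(master_secret, transcript):
    """Finished message: MAC over the handshake transcript under the master secret."""
    return hmac.new(master_secret, b"finished" + transcript, hashlib.sha256).digest()


class Server:
    """fresh_nonces=False models a (broken) server that reuses one server_random,
    which is exactly the situation a replay of old handshake messages needs."""

    def __init__(self, fresh_nonces=True):
        self.fresh_nonces = fresh_nonces
        self.fixed_random = os.urandom(32)
        self.server_random = None

    def server_hello(self, client_random):
        # A correct server answers every ClientHello with a brand-new nonce.
        self.server_random = os.urandom(32) if self.fresh_nonces else self.fixed_random
        return self.server_random

    def verify_finished(self, client_random, finished):
        ms = derive_master_secret(REPLAYED_PRE_MASTER, client_random, self.server_random)
        expected = finished_mac(ms, client_random + self.server_random)
        return hmac.compare_digest(expected, finished)


def legitimate_handshake(server):
    """Client side of one handshake; returns the messages an eavesdropper could record."""
    client_random = os.urandom(32)
    server_random = server.server_hello(client_random)
    ms = derive_master_secret(REPLAYED_PRE_MASTER, client_random, server_random)
    finished = finished_mac(ms, client_random + server_random)
    accepted = server.verify_finished(client_random, finished)
    return client_random, finished, accepted


def replay_recorded_handshake(server, client_random, finished):
    """Recorded ClientHello nonce and Finished message are re-sent verbatim."""
    server.server_hello(client_random)   # server answers with its own (new) nonce
    return server.verify_finished(client_random, finished)


if __name__ == "__main__":
    good = Server()
    cr, fin, ok = legitimate_handshake(good)
    print("original handshake accepted:", ok)
    print("replay against nonce-using server accepted:",
          replay_recorded_handshake(good, cr, fin))
    bad = Server(fresh_nonces=False)
    cr, fin, ok = legitimate_handshake(bad)
    print("replay against nonce-reusing server accepted:",
          replay_recorded_handshake(bad, cr, fin))
```

The contrast is the point of the answer: with a fresh server_random the recorded Finished no longer verifies, because the master secret it was computed under no longer exists; remove the nonce and the same recorded messages are accepted again.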
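Added example for question 5 (not from the course): a small simulation of the UDP pseudo-state table the answer describes. An outbound datagram creates an entry keyed on the 4-tuple, an inbound datagram is accepted only if it is the reverse of a live entry, and entries are removed after an idle timeout. The 30-second timeout, the class and function names, and the traffic in `demo` are all constructed for this example.

```python
"""Toy UDP pseudo-state table of the kind a stateful firewall keeps.
UDP has no handshake, so the firewall invents state: outbound creates it,
inbound must match it in reverse, and idle entries time out."""
from collections import namedtuple

# direction: "out" = from the protected network, "in" = from the outside
Packet = namedtuple("Packet", "src sport dst dport direction")

DEFAULT_UDP_TIMEOUT = 30.0   # assumed idle timeout in seconds; vendors make this configurable


class UdpPseudoStateFirewall:
    def __init__(self, timeout=DEFAULT_UDP_TIMEOUT):
        self.timeout = timeout
        self.table = {}          # (src, sport, dst, dport) -> time of last activity

    def _expire(self, now):
        stale = [k for k, last in self.table.items() if now - last > self.timeout]
        for k in stale:
            del self.table[k]

    def process(self, pkt, now):
        """Return 'ALLOW' or 'DROP' for one datagram seen at time `now`."""
        self._expire(now)
        if pkt.direction == "out":
            # create (or refresh) pseudo state for the outbound flow
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "ALLOW"
        # inbound: only the exact reverse of a live outbound flow is accepted
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:
            self.table[reverse] = now     # activity keeps the entry alive
            return "ALLOW"
        return "DROP"

    def live_entries(self, now):
        self._expire(now)
        return len(self.table)


def demo(timeout=DEFAULT_UDP_TIMEOUT):
    """Constructed traffic: a DNS query, its reply, two unsolicited inbound
    datagrams, and a reply that arrives after the pseudo state has expired."""
    fw = UdpPseudoStateFirewall(timeout)
    inside, resolver, scanner = "192.168.100.10", "198.51.100.53", "203.0.113.9"
    events = [
        (0.0,  Packet(inside, 40000, resolver, 53, "out")),   # query leaves
        (1.0,  Packet(resolver, 53, inside, 40000, "in")),    # matching reply
        (2.0,  Packet(scanner, 53, inside, 40000, "in")),     # wrong peer: no state
        (2.5,  Packet(scanner, 1234, inside, 161, "in")),     # unsolicited SNMP probe
        (40.0, Packet(resolver, 53, inside, 40000, "in")),    # late reply, state expired
    ]
    return [fw.process(p, t) for t, p in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the late reply at t=40 is dropped only because the entry idled past the timeout; the same datagram with a 60-second timeout is accepted, which is why the timeout value is a real tuning decision for long-lived UDP exchanges.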
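Added example for question 6 (not part of the course material): an evaluator for Cisco-style access-list entries that shows what the wildcard masks in (i)-(iv) actually match. It implements wildcard matching (a 0 bit in the wildcard must match, a 1 bit is don't-care), the `any` and `host` shorthands, the ICMP-type qualifier of extended lists, top-down first-match evaluation, and the implicit deny at the end of every list. The quiz explains each entry on its own; here they are combined into one list, with the deny for host 192.168.100.7 placed before the permit for 192.168.100.0/24 because first match wins, and a constructed `permit ip any any` added to list 111 so that the effect of the echo-request deny is visible. Function names are this example's own.

```python
"""Evaluator for Cisco-style standard and extended access-list entries."""
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    care = ~_ip(wildcard) & 0xFFFFFFFF          # bits that must be equal
    return (_ip(addr) & care) == (_ip(base) & care)


ANY = ("0.0.0.0", "255.255.255.255")            # 'any' = every bit is don't-care


def _take_addr(tokens):
    """Consume one address spec and return (base, wildcard, remaining tokens)."""
    if not tokens:
        return ANY[0], ANY[1], tokens
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) == 1:                        # standard ACL with wildcard omitted
        return tokens[0], "0.0.0.0", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]


def parse_entry(line):
    t = line.split()
    num, action = int(t[1]), t[2]
    if num <= 99 or 1300 <= num <= 1999:        # standard list: source address only
        sbase, swc, _rest = _take_addr(t[3:])
        return dict(num=num, action=action, proto="ip", src=(sbase, swc),
                    dst=ANY, icmp_type=None)
    proto = t[3]                                # extended list: proto src dst [icmp-type]
    sbase, swc, rest = _take_addr(t[4:])
    dbase, dwc, rest = _take_addr(rest)
    return dict(num=num, action=action, proto=proto, src=(sbase, swc),
                dst=(dbase, dwc), icmp_type=rest[0] if rest else None)


def lookup(entries, acl_num, src, dst="0.0.0.0", proto="ip", icmp_type=None):
    """First matching entry of list `acl_num` decides; no match means implicit deny."""
    for e in entries:
        if e["num"] != acl_num:
            continue
        if e["proto"] not in ("ip", proto):     # 'ip' entries match every protocol
            continue
        if not wildcard_match(src, *e["src"]) or not wildcard_match(dst, *e["dst"]):
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        return e["action"]
    return "deny"


# The quiz's entries, ordered so that the host deny precedes the subnet permit.
ACL = [parse_entry(l) for l in [
    "access-list 11 deny 192.168.100.7 0.0.0.0",
    "access-list 11 permit 192.168.100.0 0.0.0.255",
    "access-list 11 deny 172.16.0.0 0.0.255.255",
    "access-list 111 deny icmp any any echo-request",
    "access-list 111 permit ip any any",     # constructed: let everything else through
]]

if __name__ == "__main__":
    for s in ["192.168.100.7", "192.168.100.200", "172.16.5.9", "10.0.0.1"]:
        print(s, "->", lookup(ACL, 11, s))
    print("inbound ping ->",
          lookup(ACL, 111, "203.0.113.5", "192.168.100.10", "icmp", "echo-request"))
    print("inbound ping reply ->",
          lookup(ACL, 111, "203.0.113.5", "192.168.100.10", "icmp", "echo-reply"))
```

Running it shows that 10.0.0.1 is denied by the implicit deny even though no entry names it, and that with the permit and the host deny in the opposite order the deny for 192.168.100.7 would never be reached.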