CSEC 640 Final Exam Answers (UMUC)
1. [Part A 8 points, Part B 8 points, 16 points total, TCP/IP]
Part A. Unlike IP fragmentation (which can be done by intermediate devices), IP reassembly can be done only at the destination. What problems do you see if IP reassembly is attempted in intermediate devices such as routers? [8 points]
Part B. Let’s assume that Host A (receiver) receives a TCP segment from Host B (sender) with an out-of-order sequence number that is higher than expected, as shown in the diagram. Then, what do Host A (receiver) and Host B (sender) do? [8 points]
2. [8 points total] Describe or propose a way to detect ARP spoofing attack. What could be a possible weakness in your proposed method? Please do not discuss any prevention method (e.g., port security is an example of a prevention method).
3. [8 points total, Wireless LAN Security-WEP] What is the main difference between the FMS attack and Chopchop attack?
4. [10 points total] A large enterprise decides to use symmetric encryption to protect routing update messages between its own routers (i.e., entire routing update messages are encrypted by a strong shared symmetric key). They think this will prevent routing table modification attacks. Do you think their decision is appropriate? Do you see any problems or issues with their decision?
5. [15 points total] An ACK scan does not provide information about whether a target machine’s ports are open or closed, but rather whether or not access to those ports is being blocked by a firewall. If there is no response or an ICMP “destination unreachable” packet is received as a response, then the port is blocked by a firewall. If the scanned port replies with a RST packet, that means the ACK packet reached its intended host, so the target port is not being filtered by a firewall. Note, however, that even though the ACK went through, the port itself may be open or closed. Describe at least 2 rules that could be used by Snort to detect an ACK scan. Clearly express your assumptions and explain your rules. Do you think Bro can do a better job of detecting an ACK scan?
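The detection logic the question asks for, worked through as an added example in Python rather than in Snort or Bro rule syntax (this is not part of the exam page and not an answer key). It tracks TCP handshakes it has seen, treats a bare ACK that belongs to no known flow as unsolicited, raises an alert once one source has probed a threshold number of distinct target ports that way, and records the per-port verdict described above: a RST reply means "unfiltered", silence means "filtered". The packet log, hosts (`10.0.0.5`, `10.0.0.9`, `203.0.113.7`), ports and the threshold of 3 are all constructed for the example; an ICMP "destination unreachable" is modelled simply as no TCP reply.

```python
"""Stateful ACK-scan detector run over a constructed packet log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "R", "RA"


# A flow is identified from the client's side: (client, cport, server, sport).
Flow = Tuple[str, int, str, int]


def track_ack_scan(packets: List[Packet], threshold: int = 3) -> Dict[str, object]:
    """Return alerting sources and a filtered/unfiltered verdict per probed port.

    Assumption (constructed, not from the page): the sensor saw the SYN or
    SYN/ACK of every legitimate connection, so any bare ACK outside a known
    flow is treated as a probe. Missed handshakes are the obvious weakness.
    """
    known: Set[Flow] = set()
    # scanner -> set of (target, port) it has sent unsolicited ACKs to
    unsolicited: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    # (scanner, target, port) -> "filtered" | "unfiltered"
    verdict: Dict[Tuple[str, str, int], str] = {}

    for p in packets:
        fwd: Flow = (p.src, p.sport, p.dst, p.dport)
        rev: Flow = (p.dst, p.dport, p.src, p.sport)
        if "S" in p.flags:
            # SYN names the client directly; SYN/ACK comes from the server,
            # so the client side of that flow is the reversed tuple.
            known.add(rev if "A" in p.flags else fwd)
            continue
        if p.flags == "A" and fwd not in known and rev not in known:
            # Bare ACK with no handshake behind it: an ACK-scan probe.
            unsolicited[p.src].add((p.dst, p.dport))
            # No TCP reply (or an ICMP unreachable) leaves it "filtered".
            verdict.setdefault((p.src, p.dst, p.dport), "filtered")
            continue
        if "R" in p.flags:
            probe = (p.dst, p.src, p.sport)  # RST flows back from the probed port
            if probe in verdict:
                verdict[probe] = "unfiltered"

    alerts = {s: sorted(t) for s, t in unsolicited.items() if len(t) >= threshold}
    return {"alerts": alerts, "verdict": verdict}


# Constructed sample traffic: one real connection, then one ACK scan.
SAMPLE: List[Packet] = [
    # Legitimate client 10.0.0.5 -> web server 10.0.0.9, full handshake
    Packet("10.0.0.5", "10.0.0.9", 40000, 80, "S"),
    Packet("10.0.0.9", "10.0.0.5", 80, 40000, "SA"),
    Packet("10.0.0.5", "10.0.0.9", 40000, 80, "A"),
    Packet("10.0.0.9", "10.0.0.5", 80, 40000, "A"),
    # Scanner 203.0.113.7 fires bare ACKs at four ports of 10.0.0.9
    Packet("203.0.113.7", "10.0.0.9", 55555, 22, "A"),
    Packet("203.0.113.7", "10.0.0.9", 55555, 80, "A"),
    Packet("203.0.113.7", "10.0.0.9", 55555, 443, "A"),
    Packet("203.0.113.7", "10.0.0.9", 55555, 8080, "A"),
    # Ports 22 and 80 are reachable: the host answers with RST.
    Packet("10.0.0.9", "203.0.113.7", 22, 55555, "R"),
    Packet("10.0.0.9", "203.0.113.7", 80, 55555, "R"),
    # 443 and 8080 are silently dropped by the firewall: no reply at all.
]


if __name__ == "__main__":
    result = track_ack_scan(SAMPLE)
    for scanner, targets in result["alerts"].items():
        print(f"ACK scan from {scanner}: {len(targets)} ports probed")
    for (scanner, target, port), state in sorted(result["verdict"].items()):
        print(f"  {target}:{port} -> {state}")
```

Two of the question's "assumptions" fall straight out of this design: the sensor must see both directions of traffic (otherwise every legitimate ACK looks unsolicited), and a threshold on distinct ports per source is what separates a scan from a single stray ACK after a reboot. A stateless Snort signature matching `flags:A;` alone cannot make that distinction, which is the trade-off the question is pointing at when it asks about Bro.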
6. [10 points total] Explain the main difference between SQL injection and XSS attacks.
7. [Part A 15 points, Part B 9 points, 24 points total] As shown in the above diagram, Kevin, the system admin, installed a text-message sender and a text-message receiver in a Multi-Level-Secure (MLS) environment. In the MLS environment, two security levels exist (i.e., Unclassified (Low) and Classified (High) levels). His goal is to enforce the Bell-LaPadula (BLP) access control model in the network. Essentially, the BLP model defines two mandatory access control rules:
Part B) Describe a way for the Trojan to covertly transmit 4 characters (e.g., A, B, C and D) to the adversary without being detected or blocked by your rules and access control lists provided in Part A. [8 points]
8. [9 points total, IPsec VPN] What do you think are the advantages & disadvantages of using both AH and ESP protocols on the same end-to-end IPsec connection (transport mode)? In addition, it is recommended that the ESP protocol should be performed before the AH protocol. Why is this approach recommended rather than authentication (AH) before encryption (ESP)?