Final Individual Assessment
Unit Details
Name: Computer Network Security
Code: HI6044
Year, Trimester: Trimester 2, 2024
Assessment Details
Name: Final Individual Assessment
Due Date & Time: 10 October, 2024, 10.59 pm (Gold Coast students), 11:59 pm (Melbourne & Sydney students)
Student Details
Student Number:
First Name:
Family Name:
Submission Declaration
Integrity Declaration: I have read and understand academic integrity policies and practices and my assessment does not violate these.
Full Name:
Submission Date:
ALL SUBMISSIONS MUST INCLUDE YOUR STUDENT DETAILS AND SUBMISSION DECLARATION.
IF THESE DETAILS ARE NOT COMPLETED YOU RISK BEING PENALISED
Instructions
Academic Integrity Information
Holmes Institute is committed to ensuring and upholding academic integrity. All assessment must comply with academic integrity guidelines. Important academic integrity breaches include plagiarism, collusion, copying, impersonation, contract cheating, data fabrication and falsification. Please learn about academic integrity and consult your teachers with any questions. Violating academic integrity is serious and punishable by penalties that range from deduction of marks, failure of the assessment task or unit involved, suspension of course enrolment, or cancellation of course enrolment.
All responses must be entered in the answer boxes at the end of each question
Question 1 (10 marks)
Network Firewall Design
Below is a diagram of a simple internal network connected to the internet:
Required:
Based on the network shown, explain how a firewall would be implemented to protect the internal network. (2.5 marks)
ANSWER (box will enlarge as you enter your response)
At the Network Perimeter: The firewall should be located between the internal network, where the switch and wireless router are located, and the outside world, or the internet. In this case it can be placed between the router and the connection to the internet service provider (ISP). This placement makes sure that all packets of data that come in from and go out to the internet are subjected to the firewall before reaching any other device inside the network (Alsaqour et al., 2021, p.21(4)).
What type of firewall, stateful inspection or packet filtering would you recommend, and why? (2.5 marks)
ANSWER:
The stateful firewall is recommended. It actively tracks the status of current connections and guarantees that only responses to internal requests are allowed back into the network. Packet filtering should also be enabled to allow or transparently block certain services by IP address, port number and/or protocol.
1) Stateful Inspection:
Tracks Active Connections: It tracks the state of live connections (for instance, the interaction of a device with the internet).
Context-Aware Filtering: Ensures that any incoming packet belongs to an already existing, genuine, ongoing outgoing request.
Enhanced Security: Coupled with the characteristics of traffic, SYN cookies offer better security because unwanted traffic that does not correspond to any connection is rejected (Citra et al., 2023, pp.299-306(2)).
2) Packet Filtering:
Examines Individual Packets: Differentiates traffic by criteria such as the IP address and protocol of the connection, but does not determine connection status.
Less Context: It does not verify whether a packet is associated with an already established connection, and is thus less robust against spoofing-type attacks.
Summary: Stateful inspection is more secure because it understands the context of traffic and blocks unauthorized packets, while packet filtering is simpler but less effective in modern network security.
Describe the rules that should be applied to the firewall to secure both incoming and outgoing traffic. (5 marks)
ANSWER:
Firewall Rules for Incoming and Outgoing Traffic.
1) Inbound Traffic: Block all incoming connections by default to prevent unauthorized access.
a) Allow Exceptions: Only allow necessary services such as HTTP (port 80), HTTPS (port 443), and VPN ports if remote access is required. This reduces the exposure of the internal network to external threats.
2) Outbound Traffic: Allow trusted internal hosts to access external services such as browsing the web or sending emails.
b) Restrict Certain Services:
Do not allow traffic to or from specific sites described as malware.
Do not allow outbound services such as FTP or shell from unauthorized sites; permit them only on specific trusted internal servers.
3) Network Address Translation (NAT): Set NAT on the router so that internal addresses (e.g. 192.168.10.20) cannot be viewed externally. The firewall is used together with NAT to offer extra protection to the computer system.
4) Intrusion Detection/Prevention Systems (IDS/IPS): Extend firewall services by incorporating IDS/IPS that identify and prevent intrusions and vandalism, including brute force attacks or attempts to log in to unauthorized accounts (Kailanya et al., 2022, pp.116-123(3)).
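The rules above and the stateful versus packet-filtering comparison can be put side by side in a small simulation. This is an added example, not part of the submitted answer; every address, the trusted server 192.168.10.5 and the single published HTTPS service are constructed assumptions, and NAT is left out for brevity.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# All addresses below are constructed sample values.
BLOCKED_DESTS = {"203.0.113.66"}            # site flagged as malware
RESTRICTED_OUT_PORTS = {21, 22}             # FTP and shell
TRUSTED_SERVERS = {"192.168.10.5"}          # only host allowed to use them
INBOUND_SERVICES = {("192.168.10.5", 443)}  # the single published service

def is_internal(ip: str) -> bool:
    return ip.startswith("192.168.10.")

def outbound_allowed(p: Packet) -> bool:
    if p.dst in BLOCKED_DESTS:
        return False
    return p.dport not in RESTRICTED_OUT_PORTS or p.src in TRUSTED_SERVERS

def packet_filter(p: Packet) -> bool:
    """Stateless: each packet judged alone; web replies known only by source port."""
    if is_internal(p.src):
        return outbound_allowed(p)
    if (p.dst, p.dport) in INBOUND_SERVICES:
        return True
    return p.sport in (80, 443) and p.dport >= 1024

class StatefulFirewall:
    """Default-deny inbound; replies pass only if an internal host opened the flow."""
    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()
    def check(self, p: Packet) -> bool:
        if is_internal(p.src):
            if not outbound_allowed(p):
                return False
            self.flows.add((p.dst, p.dport, p.src, p.sport))  # expected reply
            return True
        if (p.dst, p.dport) in INBOUND_SERVICES:
            return True
        return (p.src, p.sport, p.dst, p.dport) in self.flows

def demo() -> dict[str, tuple[bool, bool]]:
    """Return (packet filter verdict, stateful verdict) for each sample packet."""
    fw = StatefulFirewall()
    cases = {
        "browse out":  Packet("192.168.10.20", 51000, "198.51.100.7", 443),
        "reply in":    Packet("198.51.100.7", 443, "192.168.10.20", 51000),
        "unsolicited": Packet("198.51.100.99", 443, "192.168.10.20", 51000),
        "ftp from pc": Packet("192.168.10.20", 51001, "198.51.100.7", 21),
        "to malware":  Packet("192.168.10.20", 51002, "203.0.113.66", 443),
    }
    return {name: (packet_filter(p), fw.check(p)) for name, p in cases.items()}
```

The "unsolicited" packet is the case that separates the two designs: the packet filter accepts it because it looks like a web reply, while the stateful firewall drops it because no internal host opened that connection.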
Question 2 (10 marks)
Wireless Network Security
Consider the wireless network diagram below, which includes access points, clients, and the internet gateway:
Required:
Explain in detail the security risks associated with this wireless network architecture. (2.5 marks)
ANSWER:
1) Risk of Unencrypted Communications
These risks highlight the importance of implementing strong encryption (e.g., WPA3) and securing communication channels in wireless networks.
a) Vulnerability to Interception: Wireless transmissions lacking an encryption key can be accessed by attackers, resulting in eavesdropping or data theft.
b) Sensitive Data Exposure: Unencrypted traffic may expose sensitive information, such as login credentials, to unauthorized parties.
2) Man-in-the-Middle (MitM) Attacks
a) Interception and Manipulation: Attackers can easily intercept communications between the wireless clients and access points and can inject or modify data that is within the range of transmission.
b) Data Integrity and Privacy Risks: This results in erosion of data quality and privacy, and in system vulnerability to break-ins.
3) Weak Authentication
a) Easily Exploitable Credentials: Weak passwords or outdated authentication protocols can easily be compromised, allowing unauthorized access to the network.
b) Brute Force Attacks: Attackers may carry out multiple attempts with the aim of obtaining passwords and then accessing secret resources in the network (Fang et al., 2020, pp.58-64(1)).
Describe at least two security measures that should be implemented to secure wireless communications. (2.5 marks)
ANSWER:
1) Use Strong Encryption:
WPA3: Implement the latest Wi-Fi Protected Access 3 (WPA3) protocol, which offers enhanced security features over previous standards.
Encryption Protocols: Ensure that all data transmitted over the wireless network is encrypted to prevent eavesdropping.
2) MAC Address Filtering: Configure the access point to allow only devices with approved MAC addresses to connect (Angueira et al., 2022, pp.810-838(2)).
Compare the implementation of WPA3 to improve security compared to WPA2 in this setup. (5 marks)
ANSWER
WPA2:
Uses AES for encryption, and the mode of authentication it supports is the Pre-Shared Key (PSK) method.
Uses the 4-way handshake process for secure key management; this process has been found to be vulnerable to offline dictionary attacks where the password is poor.
WPA3:
Also uses the Advanced Encryption Standard (AES) for encryption but assures a higher level of security with the help of Simultaneous Authentication of Equals (SAE) instead of Pre-Shared Key (PSK).
SAE reduces offline attacks by making it very difficult for an attacker who has intercepted the handshake to derive the password from it.
2. Improved Encryption:
WPA2:
Uses 128-bit encryption on the back end; this is considered strong but is vulnerable to Dickson, Lee, and Tak Choi’s brute force attack if the user chooses an easily guessable password.
WPA3:
Lacks the options for the stronger encryption standard, whereas it offers 128-bit and 192-bit security; it provides a high level of security against future threats and a better level of data confidentiality.
Summary: All things considered, WPA3 increases wireless security compared with WPA2, primarily because of its improved encryption standard, increased protection against various forms of attack (especially dictionary attacks), forward secrecy, and optional network protection for open networks. Although WPA2 is still widely used to establish wireless connections, companies have to shift to WPA3 to provide reliable security for up-to-date networks against emerging cyberattack threats. Given these enhancements, it can be recommended that organizations migrate from WPA1/2 to WPA3 (Al-Mejibli et al., 2020, pp.32-39(1)).
Question 3 (10 marks)
Explain the concept of zero trust architecture in network security and its advantages in modern network infrastructures.
ANSWER
Zero Trust Architecture (ZTA) is an architecture for securing workloads and data that never trusts and always verifies. This concept supposes that threats can be internal and external, and because of that no user, device or application can be trusted. Zero Trust assumes that any user and device inside the network is a potential adversary, so every access request must be authenticated and authorized on an ongoing basis, no matter where the user is located.
Identity and Access Management (IAM):
Using proper authentication, like high-pass authentication, to ensure that only the right persons get access to certain resources.
Micro-Segmentation:
The ability to partition the network in order to restrict or prevent the spread of the virus if the network has been compromised in some way. Access control must be applied per segment, and security policies have to be unique to that segment.
Least Privilege Access:
Ensuring users have only the minimum access necessary to perform their tasks, reducing the risk of unauthorized access to sensitive data or systems.
Advantages of Zero Trust Architecture in Modern Network Infrastructures:
Enhanced Security Posture: Through this assumption, Zero Trust reduces the threats posed by insiders and unauthorized access, which makes it difficult for an attacker to penetrate the system.
Data Protection: Using techniques such as user authorization and accreditation and continuous authentication, an organization can effectively minimize the risk of unauthorized access to and use of information, by making it possible for only approved persons to have access to such crucial information.
Improved Incident Response: The frequent checks mean that threats are detected early, and analysis leads to quick identification of the threats. Details are highlighted, and the need to respond to threats is recognized and acted on as soon as possible (Sarkar et al., 2020, p.11213(2)).
Question 4 (10 marks)
Analyse the security challenges in wireless networks and propose strategies for securing wireless communications.
ANSWER
The security risks that arise in wireless networks are unique because data is transmitted over the air. Some of the primary security challenges include:
Eavesdropping:
Challenge: Wireless signals can easily be captured by anyone within range of the signal, and as a result an attacker can obtain passwords and personal details.
Unauthorized Access:
Challenge: A lack of strong and efficient authentication, or poorly protected networks, gives intruders a chance to compromise the networks or even misuse the available resources.
Rogue Access Points:
Challenge: Hackers can create fake connections that look like legitimate ones with the intent of hooking victims. As such, they are able to intercept data and launch an attack.
Man-in-the-Middle Attacks (MitM):
Challenge: An attacker may eavesdrop on the communication between two parties; the attacker is then able to access, change, or even introduce a malicious message into what is being transmitted.
Denial of Service (DoS) Attacks:
Challenge: Attackers are able to launch a storm of requests against one or several wireless networks, so that legitimate users cannot connect to the network or use its services.
Insider Threats:
Challenge: Wireless security can be intentionally or accidentally violated by employees or other authorized users, owing either to ill motives or to gross carelessness.
Strategies for Securing Wireless Communications
To address these challenges and enhance the security of wireless networks, organizations can implement the following strategies:
Use Strong Encryption:
Implementation of WPA3: Protecting user data and passwords with the latest Wi-Fi Protected Access 3 (WPA3) simplifies passcode encryption and strengthens protection over the outdated WPA2.
Encryption for Open Networks: Applying Opportunistic Wireless Encryption enables security in open networks, so as to secure data from unauthorized individuals or entities.
Strong Authentication Mechanisms:
Multi-Factor Authentication (MFA): MFA adds a security layer against unauthorized access, since a user has to produce several forms of identification.
Secure Password Policies: To reduce the risk of unauthorized access, passwords must be protected by strong complexity policies, and changing them periodically contributes to decreasing such risks.
Question 5 (10 marks)
How does Transport Layer Security (TLS) work in securing network connections?
ANSWER
Transport Layer Security (TLS) is a cryptographic protocol used to establish secure communication over a computer network. It is mainly used to protect information exchanged between client and server applications, such as web browsing, e-mail, and instant messaging.
1. Handshake Process:
The TLS handshake is the initial connection setup between the client and server, carried out before data is transmitted securely.
Client Hello:
The client sends the server a Client Hello message consisting of the TLS version the client supports, a random number generated by the client, and a list of cipher suites.
Server Hello:
Next, the server sends the “Server Hello” message indicating the chosen TLS version and cipher suite, together with its own random number.
Server Certificate:
In the certificate exchange, the server sends a copy of its digital certificate to the client. This carries the server’s public key and is issued under a CA, so that the client may authenticate the server.
Server Key Exchange (optional): If required (for example, when certain cipher suites have been selected), the server transmits additional information about the key exchange.
2. Session Encryption:
Symmetric Encryption:
Data transmission in TLS is done through symmetric encryption. This means that the same key is used for both encrypting and decrypting the message, instead of a two-key system. Symmetric key encryption is more efficient for bulk data transfer.
Data Integrity:
A MAC is used in TLS to ensure the integrity of the transmitted data. This enables the recipient to confirm that the data sent and received has not been changed in any way (Li et al., 2020, pp.6828-6841(3)).
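The Client Hello and Server Hello steps described above can be followed at the byte level. This is an added example, not part of the submitted answer; it encodes a minimal TLS 1.2-style ClientHello without extensions, parses it as a server would, and picks the cipher suite. The server preference list is a constructed policy, and the suite numbers are the standard IANA values (0xC030 and 0xC02F are ECDHE-RSA AES-GCM suites, 0x009C is RSA AES-128-GCM, 0x000A is RSA 3DES).

```python
import os
import struct

# Constructed policy: the server prefers ECDHE suites and does not offer 3DES.
SERVER_PREFERENCE = [0xC030, 0xC02F]

def build_client_hello(suites: list[int], version: int = 0x0303) -> bytes:
    """Encode a minimal ClientHello (no extensions); 0x0303 is TLS 1.2."""
    body = struct.pack("!H", version) + os.urandom(32)  # version + client random
    body += b"\x00"                                      # empty session id
    body += struct.pack("!H", 2 * len(suites))           # cipher suite list length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1

def parse_client_hello(msg: bytes) -> dict:
    """Decode the fields the server needs, rejecting truncated input."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 35:
        raise ValueError("truncated ClientHello")
    pos = 35 + body[34]                                  # skip the session id
    if pos + 2 > length:
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > length:
        raise ValueError("bad cipher suite list")
    suites = [int.from_bytes(body[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    return {"version": int.from_bytes(body[:2], "big"),
            "random": body[2:34], "cipher_suites": suites}

def server_select(client_suites: list[int], preference=SERVER_PREFERENCE):
    """ServerHello choice: first server-preferred suite the client also offered."""
    for suite in preference:
        if suite in client_suites:
            return suite
    return None  # no overlap: the server aborts with a handshake_failure alert
```

A client that offers only 3DES gets no ServerHello from this policy, which is how a server-side cipher list keeps weak suites out of a session.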
References
Alsaqour, R., Motmi, A. and Abdelhaq, M., 2021. A systematic study of network firewall and its implementation. International Journal of Computer Science & Network Security, 21(4), https://koreascience.kr/article/JAKO202121055727021.page
Citra, R. and Sutabri, T., 2023. Analisa Pengembangan Keamanan Menggunakan Stateful Inspection dan Metode Semi Deskriptif. Digital Transformation Technology, 3(1), pp.299-306. https://jurnal.itscience.org/index.php/digitech/article/view/2766
Al-Mejibli, I.S. and Alharbe, N.R., 2020. Analyzing and evaluating the security standards in wireless network: A review study. Iraqi Journal for Computers and Informatics, 46(1), pp.32-39. https://www.iasj.net/iasj/download/f85b37f7f94b438b
Angueira, P., Val, I., Montalban, J., Seijo, Ó., Iradier, E., Fontaneda, P.S., Fanari, L. and Arriola, A., 2022. A survey of physical layer techniques for secure wireless communications in industry. IEEE Communications Surveys & Tutorials, 24(2), pp.810-838. https://ieeexplore.ieee.org/abstract/document/9702524/
Fang, D. and Qian, Y., 2020. 5G wireless security and privacy: Architecture and flexible mechanisms. IEEE vehicular technology magazine, 15(2), pp.58-64. https://ieeexplore.ieee.org/abstract/document/9050544/
Kailanya, E., Mwadulo, M. and Omamo, A., 2022. Dynamic deep stateful firewall packet analysis model. African Journal of Science, Technology and Social Sciences, 1(2), pp.116-123. http://41.89.229.52/index.php/AJSTSS/article/download/20/118
Li, P., Su, J. and Wang, X., 2020. iTLS: Lightweight transport-layer security protocol for IoT with minimal latency and perfect forward secrecy. IEEE Internet of Things Journal, 7(8), pp.6828-6841. https://ieeexplore.ieee.org/abstract/document/9067843/
Sarkar, S., Choudhary, G., Shandilya, S.K., Hussain, A. and Kim, H., 2022. Security of zero trust networks in cloud computing: A comparative review. Sustainability, 14(18), p.11213. https://www.mdpi.com/2071-1050/14/18/1121
END OF FINAL INDIVIDUAL ASSESSMENT
HI6044 FIA T2 2024


