Question 1: Network Analysis (44 Marks)

Background
The system shown in Figure 1 belongs to a company known as DevCo. It provides a public Internet-facing website hosted in the machine 'Web Server'. The website content is developed and managed on the 'Website Development & Management Machine'. The purpose of the website is to advertise a small software development business, which is carried out in-house on the software 'Development' machine. The other computers in this system (W7 and the wireless notebooks) are used for office functions. The file server and printer provide shared services across the system, and the wireless network is WEP encrypted.

[Figure 1: network diagram of the DevCo system. Nodes shown: Internet, Router (Shuttle, 192.168.0.1), Switch, DMZ Monitoring Node, Web Server, Website Development & Management Machine, Development (192.168.0.27), W7, File Server, Printer, WiFi Access Point, Two Registered Wireless Notebooks. The diagram labels each host with its IP address, MAC address and MAC vendor (Shuttle, Netgear, Seiko Epson, Cisco-Linksys, Linksys, Arcadyan, Microstar).]
Figure 1: Diagram of the system in Question 1

The switch which hosts the Web Server and the associated management machine is provided with a spanning port which outputs all switch traffic to a dedicated packet monitor.

Maintaining the integrity and confidentiality of business data within the Development machine is critical to the business. Temporary non-availability of the webserver is not regarded as a problem, but corruption of the website may harm the reputation of the company whose business is software-related.

At approximately 15:45 on 20 November, the user of the Development machine (192.168.0.27) was alerted by the host firewall by a generic alert which might suggest an abnormally high packet rate.
A packet capture at the network interface of the Development machine was saved in the file: A-01-packet_capture_Dev.pcap
Another packet trace from the DMZ monitor was also secured, and was saved in the file: A-02-packet_capture_DMZ.pcap
Both files can be downloaded from the VLE.

Questions
You have been asked to carry out a technical investigation (parts i and ii below) and provide a short management summary, accessible to a non-expert, which describes the nature of the attack and how it was carried out (in part iii below). You need to first develop a set of key questions (in part i) to guide the further analysis of the attack (in part ii).
You are required to:
(i) Analyse the content of the file A-01-packet_capture_Dev.pcap for any evidence relating to the incident, and develop a set of key questions to guide the subsequent examination.
(ii) Analyse the content of the file A-02-packet_capture_DMZ.pcap and use your results to supplement the results from (i), and resolve the questions developed during the analysis of part (i).
(iii) Provide a short management summary which is accessible to a non-expert and which describes the nature of the attack and how it was carried out. You should ensure that your summary is supported by citing evidence identified in (i) and (ii).

Page Limit
You can use up to 5 sides of A4 in total for this question, of which your answer to part (iii) must be no more than 2 sides of A4. These limits do include any visual aids, e.g. tables, figures.

Specific Guidance
Your analysis in parts (i) and (ii) is intended for experts. Your answers in these two parts may be in the form of expanded notes, provided your documentation is sufficiently detailed for another
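The first-pass triage that part (i) calls for, as an added example that is not part of the assignment or any model answer: a pure-Python reader for the classic libpcap (.pcap) format that buckets packets per source IP and second and reports which sources exceeded a packet-rate threshold, which is the kind of evidence the host firewall's "abnormally high packet rate" alert points at. The capture it runs on is constructed in memory; the burst source 10.0.0.99, the placeholder MACs, the 200 pkt/s threshold and the timings are all assumptions, and the real A-01 file would be read with `open("A-01-packet_capture_Dev.pcap", "rb").read()` instead.

```python
import struct
from collections import Counter, defaultdict

# Classic libpcap global header: magic, v2.4, tz, sigfigs, snaplen, linktype 1 = Ethernet
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def ipv4_frame(src, dst):
    """Constructed minimal Ethernet + IPv4 header (no payload); the MACs are placeholders."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip

def record(ts, frame):  # pcap record header: sec, usec, included length, original length
    return struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame

def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_ip) for each IPv4-over-Ethernet record in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"        # byte order of the capturing host
    linktype, = struct.unpack_from(endian + "I", data, 20)
    assert linktype == 1, "this example handles Ethernet captures only"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                      # skip ARP and other non-IPv4 frames
        yield sec + usec / 1e6, ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

def packets_per_second(records):
    """Packet count per (source IP, whole second) bucket."""
    return Counter((src, int(ts)) for ts, src, _dst in records)

def high_rate_sources(counts, threshold):
    """{src: peak packets-per-second} for every source that exceeds threshold in some second."""
    peak = defaultdict(int)
    for (src, _sec), n in counts.items():
        peak[src] = max(peak[src], n)
    return {src: pps for src, pps in peak.items() if pps > threshold}

def constructed_capture():
    """Constructed stand-in for A-01: 1 pkt/s background, then a 1500 pkt/s burst at 192.168.0.27."""
    recs = [record(1000.0 + i, ipv4_frame("192.168.0.5", "192.168.0.27")) for i in range(30)]
    recs += [record(1010.0 + i / 1500, ipv4_frame("10.0.0.99", "192.168.0.27")) for i in range(3000)]
    return PCAP_HDR + b"".join(recs)

def triage(data, threshold=200):
    return high_rate_sources(packets_per_second(parse_pcap(data)), threshold)
```

Wireshark saves pcapng by default, and this reader handles only the classic .pcap format named in the brief; the per-second peaks it reports are the starting point for the key questions (which hosts, which ports, when the burst began, whether the DMZ monitor saw the same traffic), not a conclusion about the attack.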