You are tasked with designing a network upgrade for a local business

Question 2. WiFi Security and Authentication

You are tasked with designing a network upgrade for a local business. The business currently has a wired network (Ethernet LAN) across three floors of their office building, connecting approximately 40 desktop computers, several servers and tens of other devices (e.g. printers, payment terminals, machinery). There are currently 70 full-time and part-time employees, some working in the office while others are outside or in an external workshop. The network and servers are currently set up with a centralised authentication server, i.e. a user can log in with their username/password from any computer on the network. The network upgrade has two main components:

• A wireless LAN to allow all employees access to the internal network from within the office, outside and in the workshop. Customers of the business may also be granted guest access to the wireless LAN. The wireless LAN will most likely need more than 15 APs and have 100 to 150 clients.

• A VPN to allow selected employees to access the internal network from home or when visiting customers at other locations. 

Assume the network has the following internal servers:

• A web server that supports HTTPS only and is accessible to the public.

• An email server accessible to the public.

• An SSH server accessible only to a small selection of employees when they are outside of the network. (The VPN is not needed for these employees to access the SSH server.)

• A server application running a custom TCP-based application protocol that the company has developed. The protocol uses port number WXYZ, where WXYZ are the last 4 digits of your Student ID. For example, with student ID 12345678, the port is 5678. For student ID 12340321, the port is 321 (since the first digit is 0). 

Assume NAT is not used in the network – all internal devices have public IPv4 addresses.

The business has one IT employee who is competent in computer networking (e.g. they previously set up the wired LAN), but has little knowledge of security. Answer the following questions assuming that you are explaining to the IT employee (as they need to build the network).

(a) Draw a network diagram that illustrates the wired network, wireless network, and VPN. You should not draw all users and devices; only draw a sample of the users and devices. For example, several switches, several APs, several wired computers, several WiFi users, and 1 or 2 external VPN users (where "several" means 2 to 5). Also, clearly indicate which portions of the network have data encrypted due to either WiFi encryption or the VPN (for example, mark the encrypted paths in red or with some other clear label).

(b) Draw a table that lists the names, IP addresses and ports of each server. You may choose any IP address range. 

Now consider the wireless LAN security mechanisms that may be considered as options.

(c) Explain how MAC address filtering works as a security mechanism. Your explanation should make it clear to the IT employee what they would need to do if it was chosen to be implemented.

(d) Discuss the advantages and disadvantages of using MAC filtering, and give a recommendation to the IT employee whether to use it or not. The recommendation should be clearly justified (e.g. referring to the advantages and disadvantages).

Consider two approaches to setup authentication with the wireless LAN: simple and centralised.

(e) A simple setup to provide authentication and encryption would be to use WPA2 Personal. Explain to the IT employee what they would need to do to set up WPA2 Personal on the APs and on employee computers (including mobile phones).

(f) Rather than having a single key/password for all WiFi devices, the IT employee wants individual company employees to use their existing username and password (from the centralised authentication server) to get access to WiFi. Explain what the IT employee would need to set up.
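The following is an added worked example (not part of the assignment) that illustrates the difference between (e) and (f). Under WPA2 Personal every device shares one passphrase, and the AP and client both derive the Pairwise Master Key from it as PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), as specified in IEEE 802.11i. Anyone who captures a 4-way handshake can therefore test passphrase guesses offline; the example simplifies that attack by comparing candidate PMKs directly instead of checking the handshake MIC. The SSID "LocalBiz-Staff", the passphrases and the wordlist are all constructed for this illustration.

```python
import hashlib
from typing import Iterable, Optional


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1 over the passphrase,
    with the SSID as salt, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def crack_psk_offline(ssid: str, target_pmk: bytes,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against a WPA2 Personal network.

    Simplification: a real attacker verifies each guess against the MIC in a
    captured 4-way handshake. Here the guess is verified by recomputing the
    PMK and comparing it with the target, which has the same cost per guess."""
    for guess in wordlist:
        if wpa2_psk_pmk(guess, ssid) == target_pmk:
            return guess
    return None


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID acts as a salt: the same passphrase on two networks gives
    two different PMKs, so precomputed tables only work per SSID."""
    return wpa2_psk_pmk(passphrase, ssid_a) != wpa2_psk_pmk(passphrase, ssid_b)


def psk_rotation_cost(num_devices: int, leaked: bool) -> int:
    """With a single shared key, one leaked or departed employee forces a
    passphrase change on every device. With per-user credentials (WPA2
    Enterprise, question (f)) only that one account is disabled."""
    return num_devices if leaked else 0


if __name__ == "__main__":
    # Constructed values for the illustration.
    ssid = "LocalBiz-Staff"
    office_passphrase = "welcome123"
    captured_pmk = wpa2_psk_pmk(office_passphrase, ssid)
    wordlist = ["password", "123456", "welcome123", "letmein", "qwerty"]

    print("PMK:", captured_pmk.hex())
    print("Recovered passphrase:", crack_psk_offline(ssid, captured_pmk, wordlist))
    print("Same passphrase, different SSID gives a different PMK:",
          pmk_depends_on_ssid(office_passphrase, ssid, "LocalBiz-Guest"))
    print("Devices to re-key after one leak (WPA2 Personal, 150 clients):",
          psk_rotation_cost(150, leaked=True))
```

The 4096 PBKDF2 iterations slow each guess down, but a short or dictionary passphrase is still recovered quickly, which is why a long random passphrase matters for (e) and why per-user credentials via an authentication server (WPA2 Enterprise with 802.1X/EAP and a RADIUS server in front of the existing account database) are the answer to (f).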

Now consider the centralised authentication server used in the business, which uses Linux-based authentication. The IT employee has informed you that a past employee (who has since left the business) most likely stole a copy of the /etc/passwd and /etc/shadow files from the authentication server. They told you the system used MD5 without a salt.

(g) Explain to the IT employee how the past employee could find the password of the Manager of the business from the stolen files. Refer to the specific files and information in those files, and give the steps of what the past employee would do.

(h) Recommend to the IT employee a more secure method for password storage in Linux, referring to specific algorithms and/or data to be stored. Explain why it is more secure.
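The following is an added worked example (not part of the assignment) covering both (g) and (h). It parses constructed /etc/passwd and /etc/shadow contents (the usernames, GECOS fields and hashes are invented for the illustration; the two MD5 values are the real digests of "password" and "123456"), uses the GECOS field in /etc/passwd to identify the Manager's account, and recovers the unsalted MD5 hashes in /etc/shadow with a precomputed hash-to-word table. It then stores the same passwords with a random per-user salt and a memory-hard function, and shows that the table no longer applies. The salted format `$scrypt$<salt>$<hash>` is an assumption made here so the example is self-contained; on a real system the recommendation is the crypt(3) schemes the distribution supports (sha512crypt `$6$` or yescrypt `$y$`), which have the same salt-and-stretch properties.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed sample files, not real data. In /etc/passwd the fifth field
# (GECOS) holds the user's full name or role; /etc/shadow holds the hash.
PASSWD = """root:x:0:0:root:/root:/bin/bash
manager:x:1001:1001:Business Manager:/home/manager:/bin/bash
alice:x:1002:1002:Alice (Sales):/home/alice:/bin/bash
bob:x:1003:1003:Bob (Workshop):/home/bob:/bin/bash
carol:x:1004:1004:Carol (IT):/home/carol:/bin/bash
"""

# Unsalted MD5 hex digests, as the assignment describes. Note that manager
# and bob share a hash because they chose the same password.
SHADOW = """root:!:18000:0:99999:7:::
manager:5f4dcc3b5aa765d61d8327deb882cf99:18000:0:99999:7:::
alice:e10adc3949ba59abbe56e057f20f883e:18000:0:99999:7:::
bob:5f4dcc3b5aa765d61d8327deb882cf99:18000:0:99999:7:::
carol:3fa2a1c7b9e4d6f0123456789abcdef0:18000:0:99999:7:::
"""

WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "summer2021"]


def parse_colon_file(text: str) -> Dict[str, list]:
    """Map username -> list of remaining fields for passwd/shadow style files."""
    return {f[0]: f[1:] for f in (l.split(":") for l in text.splitlines() if l)}


def find_user_by_gecos(passwd_text: str, keyword: str) -> Optional[str]:
    """Step 1 of (g): locate the Manager's login name via the GECOS field."""
    for user, fields in parse_colon_file(passwd_text).items():
        if keyword.lower() in fields[3].lower():
            return user
    return None


def build_md5_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Step 2 of (g): precompute hash -> word once; reusable for every user
    and every stolen file because there is no salt."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(shadow_text: str, table: Dict[str, str]) -> Dict[str, str]:
    """Step 3 of (g): a single lookup per account recovers the password."""
    return {user: table[f[0]] for user, f in parse_colon_file(shadow_text).items()
            if f[0] in table}


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """(h): random 16-byte salt plus a memory-hard KDF (scrypt, n=2^14)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                            dklen=32)
    return f"$scrypt${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    _, scheme, salt_hex, digest_hex = stored.split("$")
    assert scheme == "scrypt"
    return hash_salted(password, bytes.fromhex(salt_hex)) == stored


if __name__ == "__main__":
    manager = find_user_by_gecos(PASSWD, "manager")
    table = build_md5_table(WORDLIST)
    cracked = crack_unsalted(SHADOW, table)
    print("Manager login:", manager)
    print("Manager password:", cracked.get(manager))
    print("All recovered:", cracked)  # carol's hash is not in the table

    # Same two passwords stored with salts: two different strings, and the
    # precomputed table contains neither of them.
    a, b = hash_salted("password"), hash_salted("password")
    print("Salted hashes differ for the same password:", a != b)
    print("Salted hash verifies:", verify_salted("password", a))
```

The lookup table is the attacker's whole cost: with no salt it is built once and then each stolen account costs one dictionary lookup, and identical hashes reveal shared passwords for free. With a per-user random salt the table would have to be rebuilt per account, and the iterated, memory-hard function makes every guess slow, so the same wordlist attack becomes a per-user brute force rather than a lookup.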

Now consider the password policy for the organisation.

(i) Write a password policy for the company. The policy must give rules for how new users are registered with the systems, as well as how existing users change their passwords (including forgotten or wrong passwords). Each rule in the policy must be classified as "must" (it is required), "should" (it is required unless there is a good reason for not applying it), or "may" (optional). Each rule must be justified/explained. The policy must make a reasonable trade-off between security and convenience. For example, "All users must use a 30-character random password" is a poor policy design (too inconvenient), as is "All users must use their last name as a password" (too insecure).

Finally, the company is considering issuing every employee with a special USB token that can be used for user authentication. There are two modes in which the tokens can be used: one mode requires the users to enter a password and have the token; another mode allows users to login without entering the password if they insert the token into a company computer.

(j) For password plus token mode, explain the advantages and disadvantages of this authentication approach compared to using only passwords.

(k) For token only mode, explain the advantages and disadvantages of this authentication approach compared to using password plus token mode.

Hint
MAC filtering is a security method based on access control, where each device is assigned a 48-bit address that is used to determine whether the network may be accessed or not. It helps in listing a set of allowed devices that are needed on the Wi-Fi and a list of denied devices that are not wanted on the Wi-Fi. It also helps in preventing unwanted access to the network and, in a way, ce...
