CSCI 4174/CSCI 6708 NETWORK SECURITY: ASSIGNMENT NO. 3
Date Given: Tuesday, February 14th, 2023
Date Due: Monday, February 27th, 2023, 11.59 PM
Submission: On Brightspace
PLEASE READ - GENERAL IMPORTANT NOTES FOR ALL ASSIGNMENTS:
- It is very important that you use the network tools that you download only for collecting information about your own machine or a self-contained private network. Never use any of the tools for unethical purposes
- All references must be properly cited in your answers. Use IEEE or ACM reference styles. Points will be deducted for improper citations and for citations in incorrect formats.
- Keep in mind that just because you cite references, you must not “cut-and-paste” from these or other sources. The write-up must be properly paraphrased and referenced.
- Late Penalty Policy: The assignment is due at 11.59 PM on the due date. It will not be marked late up to 5 hours past the deadline. Beyond the grace time, there will be a 10% per day penalty on the mark earned on the assignment. For instance, if your score on the assignment is 8/10 and there is a 10% late penalty, the score will be reduced to 7.2/10. Assignments that are five days past due will not be accepted.
- Submission: Submission will be on Brightspace. Convert your documents into pdf. Submit ONE pdf file containing the answers to all questions.
This assignment has two exercises. The first is a “pen-and-paper” exercise which will give you practice in writing ACLs from given specifications. The second exercise asks you to simulate standard and extended ACLs by coding.
Exercise 1: Study the network diagram carefully and write ACLs for each of the given specifications (requirements). You must use extended ACLs only when necessary. The ACL must be complete (that is, indicate the router and the interface that you will put it on) and correct (syntactically, and it must meet the security requirement).
Notes:
- Each of the following specifications is independent of the others. Write the answers to each specification separately.
- Only a few hosts on each network are shown as examples. There could be other hosts on a particular network that are not shown. For example, on the network 170.16.80.0, there could be other hosts in addition to the one shown, namely, 170.16.80.16.
- The “Tower Box” 170.16.70.2 refers to a server. Treat it like any other host IP address.
Specifications:
a) Prevent all traffic from the workstation 170.16.10.5 from reaching the workstation 170.16.80.16. Traffic from all other hosts/networks, including traffic from outside, should be allowed everywhere.
b) Traffic from the network 170.16.40.0 must not be allowed on the 170.16.50.0 network. All other traffic must be allowed on 170.16.50.0 as long as it originates from 170.16.0.0 (that is, outside traffic must not be allowed).
c) Workstations 170.16.50.75 and 170.16.50.7 should not be allowed HTTP access to the tower box 170.16.70.2. All other workstations can have HTTP access to the tower box. All other traffic, including traffic from outside networks, is allowed.
d) 170.16.80.16 can telnet to 170.16.40.89. No one else from the network 170.16.80.0 can telnet to 170.16.40.89. Also permit all other traffic to 170.16.40.89, but only if it originates from 170.16.0.0 (that is, do not allow outside traffic).
e) 170.16.10.5 can do only FTP access onto any host on the network 170.16.70.0. All other types of traffic from all other hosts are allowed, but only if they originate from 170.16.0.0 (that is, do not allow outside traffic).
f) Prevent traffic from the network 170.16.20.0 from flowing on the network 170.16.70.0 (that is, it must not flow on the network in either direction). All other traffic, including traffic from outside, can.
g) Prevent traffic from the tower box 170.16.70.2 from going outside to the non-170.16.0.0 network. All other traffic can go out.
Exercise 2: Write two programs (one for standard and one for extended) that simulate the processing of an ACL at a router’s interface.
Each program should read two text files, one containing ACL statements and another containing a list of IP addresses that represent packets coming into the interface. The input to the standard ACL program will be just a list of source IP addresses, while the input to the extended ACL program will be a list of source IP addresses, destination IP addresses and port numbers. The program should process each packet according to the ACL statements and decide whether to permit or deny each packet.
You may assume that the program is simulating the ACL (either in or out) at just one interface. You may also assume that the input files are error-free, that is, you need not check for syntax and IP address errors.
Here’s an example of how the standard ACL program should work:

Read input text file 1:

  access-list 3 deny 172.16.4.0 0.0.0.255
  access-list 3 permit 172.16.0.0 0.0.255.255
  interface E0
  ip access-group 3 out

Read input text file 2 (consists of a list of source IP addresses):

  172.16.4.1
  172.16.3.5
  201.15.3.4

Display the following output:

  Packet from 172.16.4.1 denied
  Packet from 172.16.3.5 permitted
  Packet from 201.15.3.4 denied

As you can notice, the three packets in the second text file test all the boundary conditions.

Here’s an example of how the extended ACL program should work:

Read input text file 1:

  access-list 101 deny tcp 172.16.0.0 0.0.255.255 172.16.3.0 0.0.0.255 range 20-21
  access-list 101 permit ip 172.16.0.0 0.0.255.255 172.16.3.0 0.0.0.255
  interface E0
  ip access-group 101 out

Read input text file 2 (consists of a list of source IP addresses, destination IP addresses and port numbers):

  172.16.4.4 172.16.3.1 20
  172.16.4.4 172.16.3.5 22
  172.25.3.1 172.16.3.4 22

Display the following output:

  Packet from 172.16.4.4 to 172.16.3.1 on port 20 denied
  Packet from 172.16.4.4 to 172.16.3.5 on port 22 permitted
  Packet from 172.25.3.1 to 172.16.3.4 on port 22 denied
You can develop the programs in Java, C, C++ or Python. Make necessary assumptions regarding the spacing of characters in the input text files. Test your program for at least three different standard ACLs and three different extended ACLs, each for several different packets.
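The matching rules that the two worked examples above rely on (wildcard masks where a 1 bit means "don't care", top-down first-match evaluation, and the implicit deny at the end of every list) are shown in the following Python simulator. It is an added illustration written for this page, not the assignment's reference solution, and it makes a few assumptions beyond the handout: it also accepts the Cisco "any", "host X" and "eq P" forms, it ignores the "interface" and "ip access-group" lines because only one interface and direction are simulated, and, since the packet file carries no protocol field, a tcp or udp statement is assumed to apply to every packet whose addresses and port match. The sample inputs embedded at the bottom are constructed from the handout's own examples.

```python
import ipaddress
from typing import List, Optional, Tuple

def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit means the
    packet's bit must equal the corresponding bit of the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _take_address(t: List[str], i: int) -> Tuple[str, str, int]:
    """Read one address spec at t[i]: 'any', 'host X', 'X W' or a bare 'X'
    (assumption: bare X means the single host X). Returns (base, wildcard, next i)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and _is_ipv4(t[i + 1]):
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1

def parse_standard_acl(lines: List[str]):
    """access-list <n> permit|deny <src-spec>. 'interface' and 'ip access-group'
    lines are accepted but ignored: only one interface and direction is simulated."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) >= 4 and t[0] == "access-list":
            base, wc, _ = _take_address(t, 3)
            rules.append((t[2], base, wc))
    return rules

def parse_extended_acl(lines: List[str]):
    """access-list <n> permit|deny <proto> <src-spec> <dst-spec> [eq P | range A-B | range A B]"""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, src_wc, i = _take_address(t, 4)
        dst, dst_wc, i = _take_address(t, i)
        ports: Optional[Tuple[int, int]] = None  # None = any port
        if i < len(t) and t[i] == "eq":
            ports = (int(t[i + 1]), int(t[i + 1]))
        elif i < len(t) and t[i] == "range":
            lo, hi = t[i + 1].split("-") if "-" in t[i + 1] else (t[i + 1], t[i + 2])
            ports = (int(lo), int(hi))
        rules.append((t[2], t[3], src, src_wc, dst, dst_wc, ports))
    return rules

def evaluate_standard(rules, src: str) -> bool:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for action, base, wc in rules:
        if wildcard_match(src, base, wc):
            return action == "permit"
    return False

def evaluate_extended(rules, src: str, dst: str, port: int) -> bool:
    for action, proto, sb, sw, db, dw, ports in rules:
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        # 'ip' matches regardless of port; for tcp/udp statements the packet is
        # assumed to carry that protocol, since the input has no protocol field.
        if proto != "ip" and ports is not None and not (ports[0] <= port <= ports[1]):
            continue
        return action == "permit"
    return False  # implicit deny

def simulate_standard(acl_lines, packet_lines) -> List[str]:
    rules = parse_standard_acl(acl_lines)
    out = []
    for src in (l.split()[0] for l in packet_lines if l.split()):
        out.append(f"Packet from {src} " + ("permitted" if evaluate_standard(rules, src) else "denied"))
    return out

def simulate_extended(acl_lines, packet_lines) -> List[str]:
    rules = parse_extended_acl(acl_lines)
    out = []
    for src, dst, port in (l.split()[:3] for l in packet_lines if l.split()):
        ok = evaluate_extended(rules, src, dst, int(port))
        out.append(f"Packet from {src} to {dst} on port {port} " + ("permitted" if ok else "denied"))
    return out

# Constructed inputs: the handout's two worked examples, one string per file line.
STANDARD_ACL = ["access-list 3 deny 172.16.4.0 0.0.0.255", "access-list 3 permit 172.16.0.0 0.0.255.255",
                "interface E0", "ip access-group 3 out"]
STANDARD_PACKETS = ["172.16.4.1", "172.16.3.5", "201.15.3.4"]
EXTENDED_ACL = ["access-list 101 deny tcp 172.16.0.0 0.0.255.255 172.16.3.0 0.0.0.255 range 20-21",
                "access-list 101 permit ip 172.16.0.0 0.0.255.255 172.16.3.0 0.0.0.255",
                "interface E0", "ip access-group 101 out"]
EXTENDED_PACKETS = ["172.16.4.4 172.16.3.1 20", "172.16.4.4 172.16.3.5 22", "172.25.3.1 172.16.3.4 22"]

if __name__ == "__main__":
    print("\n".join(simulate_standard(STANDARD_ACL, STANDARD_PACKETS)))
    print("\n".join(simulate_extended(EXTENDED_ACL, EXTENDED_PACKETS)))
```

To run it against real files, pass open(path).read().splitlines() for each of the two arguments. The third packet in each example is the one that exercises the implicit deny: it matches no statement at all, so it is dropped even though no statement names it, which is the behaviour a checker should confirm before trusting a simulator.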
Submit your source codes and a text file containing the inputs and outputs.
What to submit: One zip file containing a) PDF file with solution to Exercise 1; b) Source codes for the two programs and c) PDF file containing sample inputs and outputs.
NOTE: You must submit the source codes that the markers can compile and run. You may include a README file if necessary.