1. A Client-side digital signature can be used to authenticate to a web server through SSL, but confidentiality can still be vulnerable to attack. Identify a type of attack to which the use of SSL is vulnerable and justify your answer.
2. Discuss the benefits of MPLS LSP (multiprotocol label switching label switched path) to support high availability of service with illustration of use for Push, Swap and Pop.
3. The manager wishes to access confidential company data while travelling to meet high profile clients across Australia and overseas. Recommend a security solution using case examples with external reference(s).
4. You want to assist customers in building trust with your company. Discuss with your manager three VPN deployment trust building measures that can be used to support these customers, and comment on the related cost to achieve them.
1
Heartbleed vulnerability
The Heartbleed bug is a vulnerability in OpenSSL, a popular open source cryptographic library that helps in the implementation of the SSL and TLS protocols. This bug allows attackers to steal private keys attached to SSL certificates, usernames, passwords and other sensitive data without leaving a trace.
POODLE SSL
POODLE is a form of man-in-the-middle attack that exploits the vulnerability in the CBC encryption scheme as implemented in the SSL 3.0 protocol. Though POODLE is not as serious as the Heartbleed vulnerability, best practices recommend you discover and mitigate the problem as quickly as possible.
SSL 3.0 enabled
It has been discovered that the SSL 3.0 protocol has a flaw in its design that makes it vulnerable to man-in-the-middle attacks. If you have a public-facing website dealing with payments, you should immediately discover all servers that exploit SSL 3.0 and upgrade to a TLS version.
Weak cipher suites
Many organizations knowingly or unknowingly exploit weak SSL protocols and cipher suites in their domain servers, which makes their websites vulnerable to various MITM attacks. To play it safe, they have to identify those weak ciphers, disable them and re-configure the domain servers. By default, SSL 3.0, which is a weak SSL protocol, is disabled on the Key Manager Plus server. In addition, Key Manager Plus scans the end-point servers and flags the weak ciphers used in the TLS (1.0, 1.1 and 1.2) protocol.
2
Multi-protocol label switching (MPLS), that venerable WAN workhorse launched at the turn of the century, addresses this problem by establishing pre-determined, highly efficient routes.
MPLS supports traffic engineering, thus allowing network organizations to associate a Label-Switched Path (LSP) with whatever physical path they choose. MPLS also supports constraint-based routing, which ensures that an LSP can meet specific performance requirements.
Pushing is the act of applying an additional label to a packet. The packet might already have a label on it, since MPLS can support multiple stacked labels. This pushing is normally done at the ingress LER, at the edge of the network. The LER requires a mapping so that it knows what data to put on an LSP. It might also be performed in the core of a network where multiple LSPs are aggregated or encapsulated inside another LSP.
Popping is the act of removing the outermost label from the packet. One or more labels might still be inside. Popping is normally done at the egress LER. LERs must do an additional lookup to decide how to forward the encapsulated packet. Penultimate routers will pop the label but will only forward the unencapsulated packet according to the lookup table for the LSP.
Swapping is the act of replacing a label. The inside of the labeled packet is never inspected. The swapping is done by LSRs. The EXP field is used to define how the packet should be queued, and the TTL is decremented. If TTL equals zero, the packet will be discarded.
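The push, swap and pop operations described above, traced along one LSP, as an added example that is not part of the original answer. The node names, label values and prefix are constructed for illustration, and the penultimate router is assumed to be the one that pops the label.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    dst: str                                      # destination IP of the inner packet
    ttl: int = 64                                 # TTL carried with the top label
    labels: list = field(default_factory=list)    # label stack, outermost label last
    trace: list = field(default_factory=list)     # (node, operation, label) per hop

# Constructed topology: LER-A (ingress) -> LSR-B -> LSR-C (penultimate) -> LER-D (egress)
FEC = {"LER-A": {"10.2.0.0/16": (100, "LSR-B")}}  # ingress mapping: prefix -> (label, next hop)
LFIB = {                                          # per-router table: in label -> (op, out label, next hop)
    "LSR-B": {100: ("swap", 200, "LSR-C")},
    "LSR-C": {200: ("pop", None, "LER-D")},
}

def ingress(node, pkt):
    """Ingress LER: map the destination to an LSP and push its label on top of the stack."""
    for prefix, (label, nxt) in FEC[node].items():
        if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(prefix):
            pkt.labels.append(label)
            pkt.trace.append((node, "push", label))
            return nxt
    return None                                   # no LSP mapped for this destination

def transit(node, pkt):
    """LSR: look only at the outermost label, decrement TTL, then swap or pop."""
    entry = LFIB[node].get(pkt.labels[-1]) if pkt.labels else None
    pkt.ttl -= 1
    if entry is None or pkt.ttl <= 0:             # unknown label or expired TTL: drop
        pkt.trace.append((node, "discard", None))
        return None
    op, out_label, nxt = entry
    if op == "swap":
        pkt.labels[-1] = out_label                # replace the outermost label
    else:
        pkt.labels.pop()                          # "pop": remove the outermost label
    pkt.trace.append((node, op, out_label))
    return nxt

def send(pkt, node="LER-A"):
    """Walk the packet along the LSP; return the node it reaches, or None if dropped."""
    nxt = ingress(node, pkt)
    while nxt in LFIB:
        nxt = transit(nxt, pkt)
    return nxt
```

A packet that already carries a label when it enters at LER-A keeps that inner label untouched through every swap and still has it after the pop, which is the stacked-label case the text mentions.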