FIT5037: Network Security 1st Assignment Second Semester 2019Document Version: 1.0Submission Guidelines• Deadline: Assignment including creation and sharing of Panopto video recording is due onMonday 16 th September 2019, 08:00 AM.• Submission Files:1. A report in PDF file format of maximum 6 pages as a reference. The appendices areexcluded from the page count.Notes:1. Do not submit a compression of multiple files. Such submissions may risk losing partialor complete assignment marks.2. A handwritten document is not acceptable and will not be marked even if convertedand submitted electronically.• Group Assignment: This is a group assignment with maximum 2 members per group. Youmust form your group in the same tutorial you are enrolled. You may complete theassignment individually however the scope will not be reduced. You may form a group with astudent in another tutorial if there are odd number of students in the tutorial however thismust be communicated with the tutors of both tutorials and the lecturer and you mustattend the interview as a group.• Submission Platform: Electronic submission via Moodle for the report, interview video,python les and CORE emulator conguration les. The compressed le of the containers must besubmitted using another method. The submission approach that will be followed will beannounced closer to submission deadline. Only one submission per group is needed.• Filename Format: Name your files for different assignment tasks as follows. consider thatSID is the Student ID of the group member that will make the submission on behalf of thegroup.Submission via moodle:1. report SID.pdf2. secure modbus server SID.py3. secure modbus client SID.py4. possible security parameter files (eg. files created by openssl)5. wireshark pcap SID.pcap6. core SID.imn7. containers SID.zip (the containers names must be modbusServer and modbusClient)• Required Student Information: Please do not forget to include the name and student idof both group members within the report PDF file content.• Note: You must strictly follow the provided file name format or 5 Marks penalty will beapplied per incorrect filename.• Python code should be written for python version 3 and work on the provided VM withoutany additional library installment apart from the modbus libraries (if is deemed necessary)• Late Submission Policy: Submit a special consideration form (available on moodle) toformally request a late submission.1FIT5037: Network Security 1st Assignment Second Semester 2019• Late Submission Penalty: A late submitted assignment without prior approval will receivea late penalty of 100% deduction per day (including Saturday and Sunday) or part thereof,after the due date and time.• Academic Integrity/Plagiarism: It is an academic requirement that your submitted workbe original. Zero marks will be awarded for the whole submission if there is any evidence ofcopying, collaboration, pasting from websites, or copying from textbooks.Note: Plagiarism policy applies to all assessments.• Grading Procedure:– To receive a grade for the assignment you must create a video recording of maximum30 minutes where you will demonstrate and explain your work using Panoptoplatform (further instructions will be provided via moodle).– You must create the recording and share it with your tutor via Panopto platform by thedue date specified.– Both group members must participate during the demonstration and the face of theperson who is explaining a task must be recorded.– If you have any privacy concern regarding the Panopto platform then you need to raiseit with your tutor and organize an interview at least a week before the deadline for thedemonstration.– You can use the report and any other notes you have prepared beforehand to help youexplain and demonstrate your work.– Both group members will receive the same mark for the assignment. You must bring upany issues within the group as early as possible to the attention of your tutor and mustbe prepared to complete the assignment individually if the conflicts cannot be resolved.• IT Use Policy: Your submission must comply with Monash University’s IT Use Policy.Marks• This assignment is worth 30% of the total unit marks.• The assignment is marked out of 60 nominal marks.2FIT5037: Network Security 1st Assignment Second Semester 2019Assignment Activities1. [30 Marks] This exercise is based on the very popular MODBUS protocol that is widelyused in industrial networks to report a Programmable Logic Controller (PLC) results to aSCADA system. The protocol has a simple structure and was designed primarily to providefast, almost real time response and safety. There are a lot of information that can be foundover the internet on how MODBUS works. We are focusing on the MODBUS version thatruns over TCP. There are two district types of entities in MODBUS, MODBUS server andthe MODBUS client (or MODBUS slave and master respectively). Indicatively, some websitesthat you can find more information on MODBUS are the following:https://en.wikipedia.org/wiki/Modbushttp://www.modbus.org/https://www.modbustools.com/modbus.htmlSome videos on youtube that might help you:https://www.youtube.com/watch?v=txi2p5_OjKUhttps://www.youtube.com/watch?v=JBGaInI-TG4Most importantly you can find a full implementation of the Modbus protocol in:https://pypi.org/project/uModbus/(a) Perform a small analysis of the MODBUS protocol and report the status of the protocolin terms of security. Highlight possible security issues and describe an attack model onthe protocol. Note, that the protocol was not designed to be secure(b) We need to provide some enhancements in order to increase the MODBUS securitystatus. Such enhancements must enforce in MODBUS the security principles of deviceauthentication, data confidentiality and data integrity. To achieve that, design andimplement in python, a simple protocol that will be able to support the above principlesby specifying the following:i. An appropriate key agreement scheme to decide a session key between Server andClient. The session key extraction mechanism must include the use of a salt valueii. The message integrity and encryption/decryption schemes that will be used in orderto secure the communication channelNote: You will need to specify the appropriate security mechanisms and generatethe correct keys/credentials for them(c) After implementing a secure MODBUS Client and Server as two autonomous pythonprograms that can be executed in a single machine, two containers need to be created inthe laboratory VM. One container will refer to the secure modbus server and the otherto the secure modbus client.Use the core network emulation in order to emulate a scenario where the Modbusdevices communicate. For example, you can create a network consisting of a singlerouter with two interfaces each connected to one of the defined virtual bridges and thenassociate the containers with the bridges.(d) Provide a Wireshark capture pcap file where the functionality of the presented protocolis demonstrated. Describe and Analyze the pcap file entries in your report to justify theprotocol correct usage.Notes:(a) For all the cryptographic primitives use the cryptography module of python pyca(https://cryptography.io). If a cryptographic primitive is not supported by theinstalled openssl version on the VM you can use an alternative primitive that achievesthe same goal.3FIT5037: Network Security 1st Assignment Second Semester 2019(b) For the umodbus library you must follow the installation instructions of the website.You will probably need internet access on the VM and/or the containers for installingpip. Be careful to install it for python 3.(c) Your choices of authentication method, key exchange, and symmetric encryptionmethods will affect your grade in this task. Choose algorithms that would be consideredsecure(d) The authentication method does not rely on external services (for simplicity). NotTrusted Third Party should be needed.(e) You can use the example code for the Modbus Server and client as a starting point.Assume that you are performing the Modbus actions described in th
e provided libraryclient/server example.(f) You can use configuration files for both client and server to feed any required informationfor the server and client such as security parameters etc. Python provides easy to useand powerful functions for reading and parsing files or strings. Few examples are:i. YAML where the content can be read directly to python data structures.ii. Simplified INI file where options are specified as keyword=value one per line forwhich you can use the split() function to separate the keyword from the value.Similarly you can use keyword value with one option per line (space as separator aswell as any other character that will not appear as part of the keywords or values).iii. For simplicity you can use os.urandom() function directly for random valueswhenever needed in your protocol. You can also use the python random library.iv. You can mimic a simplified version of protocols you learn in the subject regardingnegotiation, authentication, key exchange, key derivation, and encryption used inyour protocol.v. To start you can use the VM as both client and server and once you completed theprotocol test it in two separate containers.2. [30 Marks] Let us assume that we have the network that is provided in your individualizedCore Network Emulator configuration file (use only one of the two members file). Thenetwork includes a factory organization that has two structures. One of them is the actualfactory (in a physically remote location) and the other is the factory central facility. In theremote location there is an industrial network with PLCs and modbus sensors that arecollecting data and sending them to a SCADA Entity installed in the central factory facility.Also, the factory has a web-site that is accessible to all users (in the central facility) and alocal webserver in the remote factory premises for factory personnel only (that are in thecentral factory network or the remote factory premises)(a) [15 Marks] In this task, you will try to provide a security mechanism for modbus thatis different than the previous one. This time you need to use VPN. Thus, you willconfigure a VPN between the remote factory facility and the central factory of acme.sec.For this you will use two containers one for the modbus server and one for the modbusclient that need to be assigned to the appropriate virtual interfaces of the COREemulator configuration file.i. You need to create a site-to-site IPsec VPN using strongswan extension of COREbetween the two gateway nodes of the network (ie. bast (factory) and osiris (centralfacility).ii. The VPN gateways must use public key authentication and Fully Qualified DomainNames (FQDN) that match the CN (Common Name) field in their certificates.iii. Using the above presented solution, what kind of security principles (or objectives)are achieved? Does the VPN solution solves all Modbus security problems? Justifyyour answer in the report and the interview.4FIT5037: Network Security 1st Assignment Second Semester 2019Note: The DNS records are created for this task.(b) [15 Marks] In this task, you will work with the original configuration file that isprovided to you and the attached modbus containers on this emulated network. You willneed to configure appropriate firewall rules on the bast and osiris gateways to protectthe network appropriately. More specifically:i. The modbus communication between the client and the server should be possible.Note that typically Modbus uses a specific port.ii. The Acme central website must accessible to all usersiii. The Acme remote factory website must be accessible only to the central facilityusers.iv. The firewall on bast must protect the factory network against any otherunauthorized communication. This includes the gateway itself.v. The firewall on osiris must protect the central facility networks and the DMZ againstany other unauthorized communication. This includes the gateway itself. Note: Usethe firewall service in security section of services on bast and osiris for this task.5
