1. Why is the authentication header (AH) mode of IPSec incompatible with network address translation (NAT) schemes?

2. A corporation wishes to establish secure communications between 2 of its branches over the Internetusing a virtual private network. Confidentiality and integrity of the exchanges must be protected at all times. In addition, the chosen scheme must protect against traffic analysis and replay attacks.  Make some recommendations about how you would implement IP-level security for this use case.Indicate how you would configure the corporate machines (internal machines, gateways, firewalls), and which IKE Security Associations would be necessary. Also indicate which key materials are needed and how they are distributed/acquired.

3. Your company wants to protect its WLAN againsteavesdropping and traffic injection. In addition, your company wants to reduce the risk ofconnecting to an evil twin access point (an unauthorized AP masquerading as an authorized AP by beaconing the WLAN's service set identifier (SSID) to lure users). Your company uses X.509 certificates authentication in its remote access VPN and would like to re-use those credentials on its WLAN.

Whichsecurity measures would you recommend adopting? Please specify which wireless security protocols and which type of Extensible Authentication Protocol should you choose for use with 802.1X?

4. An example of a host-based intrusion detection tool is the tripwire program. This is a file integrity checking tool that scans files and directories on the system on a regular basis and notifies the administrator of any changes. It uses a protected database of cryptographic checksums for each file checked and compares this value with that recomputed on each file as it is scanned. It must be configured with a list of files and directories to check, and what changes, if any, are permissible to each.

It can allow, for example, log files to have new entries appended, but not for existing entries to be changed. What are the advantages and disadvantages of using such a tool? Consider the problem of determining which files should only change rarely, which files may change more often and how, and which change frequently and hence cannot be checked. Hence consider the amount of work in both the configuration of the program and on the system administrator monitoring the responses generated.

5. Can a stateless firewall prevent against probing a specific port without preventing all communication to that port? Why or why not?

6. A corporation wishes to offer a web product for the first time. They need Web (http) services, ftp and mail. In addition, they want to use H.263 video streaming for conferencing.

Design a DMZ with firewalls that provides the best possible protection. Explain which type(s) of firewall you are using and why. Specify all the firewall rules similar to Table 12.1 or 12.2 in your textbooks. Give a general description of your design and explain any issues or problems.

7. Consider the following email message:

MIME-Version: 1.0

From: Bob

To: Alice

Date: Fri, 07 Oct 2014 16:15:05 -0700 (PDT)

Subject: Important reminder

Content-Type: application/pkcs7-mime; smime-type=enveloped-data;

name=smime.p7m

Content-Transfer-Encoding: base64

Is it possible for Darth to intercept and read the message? Explain?

8. Consider the following email message:

Is it possible for Alice to prove that indeed Bob sent that message to her? Explain?