------------------------------------------------------------------------------
Mohamed G. Gouda
Network Protocol Security
CS 395T
Homework 3
------------------------------------------------------------------------------

1. [3 points]

In designing his 'mix' construction for the destination to send a reply to the source, David Chaum has used a random string as a symmetric key. Redesign the 'mix' construction, its inputs, and its outputs such that none of the random strings is used as a symmetric key.

------------------------------------------------------------------------------

2. [3 points]

This homework problem requires you to design a firewall decision diagram for a firewall that protects a private network. In this private network, there is only one server, which serves as both an email server and a DNS server. The IP address of this server is 192.168.0.1. This network currently has 49 computers other than the server. The IP addresses used by these 49 computers range from 192.168.0.2 to 192.168.0.50. The firewall has two interfaces: interface 0, which connects the firewall to the outside Internet, and interface 1, which connects the firewall to the private network. The function of this firewall is as follows:

   1. The 10 computers whose IP addresses range from 192.168.0.2 to 192.168.0.11 are not allowed to be accessed from the outside Internet.

   2. The server only accepts TCP packets or UDP packets. The value of the protocol type field of any TCP packet is 6, and the value of the protocol type field of any UDP packet is 17.

   3. The server is dedicated only to email services and DNS services. The email protocols used by the email services include SMTP (which uses TCP port number 25), POP2 (which uses TCP port number 109), and POP3 (which uses TCP port number 110). To efficiently process multiple connection requests, the email server uses TCP port redirection. The port numbers used in port redirection range from 10000 to 30000. The DNS service uses UDP port number 1949. Traffic to the server that does not belong to either of the above two services is discarded.

   4. The computers whose IP addresses range from 192.168.0.12 to 192.168.0.50 are not allowed to run any of the services that are run by the server, but they are allowed to run any other services.

------------------------------------------------------------------------------

3. [4 points]

The firewalls that we discussed in class can be named "first-match" firewalls. It is possible to define a new class of firewalls, called "mixed-match" firewalls. A mixed-match firewall consists of a sequence of rules, and each rule has a label of either F, to denote first match, or L, to denote last match.

If a packet p matches an F rule r and does not match any F rule above r, then the decision of r (whether accept or discard) applies to p.

If a packet p matches an L rule r, does not match any F rule above r, and does not match any (F or L) rule below r, then the decision of r applies to p.

You are required to write an algorithm whose input is a mixed-match firewall and whose output is a first-match firewall such that the rules in both firewalls are exactly the same except for their order and their labels. (Clearly, the label of each rule in the output first-match firewall is F.)

------------------------------------------------------------------------------
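The two matching semantics of problem 3, encoded as evaluators so that a candidate conversion can be checked packet by packet. This is an added example, not part of the assignment; the tuple rule format, the field names "dst" and "port", and the sample rule set are assumptions constructed for illustration.

```python
# Added example (not from the assignment): evaluators for the two firewall
# classes of problem 3. Rule format is an assumption: (label, ranges, decision),
# ranges mapping a header field to an inclusive (lo, hi) interval; an unlisted
# field matches any value.
from itertools import product

def matches(rule, packet):
    """A rule matches when every listed field lies inside its interval."""
    return all(lo <= packet[f] <= hi for f, (lo, hi) in rule[1].items())

def first_match(rules, packet, default="discard"):
    """First-match semantics: the topmost matching rule decides."""
    for rule in rules:
        if matches(rule, packet):
            return rule[2]
    return default

def mixed_match(rules, packet, default="discard"):
    """Mixed-match semantics as defined in problem 3: an F rule applies if no
    F rule above it matches; an L rule applies if, in addition, no rule of
    either label below it matches."""
    for i, (label, _ranges, decision) in enumerate(rules):
        if not matches(rules[i], packet):
            continue
        if any(r[0] == "F" and matches(r, packet) for r in rules[:i]):
            continue
        if label == "F" or not any(matches(r, packet) for r in rules[i + 1:]):
            return decision
    return default

def equivalent(mixed, first, field_space):
    """Compare a mixed-match firewall with a first-match candidate on every
    packet of a small space; return the first disagreeing packet, or None."""
    fields = list(field_space)
    for values in product(*(field_space[f] for f in fields)):
        packet = dict(zip(fields, values))
        if mixed_match(mixed, packet) != first_match(first, packet):
            return packet
    return None

# Constructed sample firewall; "dst" stands for the last octet of 192.168.0.x.
MIXED = [
    ("F", {"dst": (2, 11)}, "discard"),                     # protected hosts
    ("L", {"port": (25, 25)}, "accept"),                    # SMTP to any host ...
    ("L", {"dst": (12, 50), "port": (25, 25)}, "discard"),  # ... except workstations
    ("F", {"dst": (1, 1), "port": (109, 110)}, "accept"),   # POP2/POP3 to the server
]
SPACE = {"dst": range(1, 51), "port": [25, 53, 80, 109, 110]}
```

Running `equivalent(MIXED, MIXED, SPACE)` shows that reading the mixed-match rules as a first-match firewall in their original order is not a correct conversion: the two disagree on an SMTP packet to a workstation.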