SNA-Exam QP


System & Network Administration Page 1 of 14

Answer ALL questions


This paper carries a total of 100 marks

Learning Outcomes and the questions that assess them:

1. Explain the role and operation of each of the software components essential to a
   corporate networked information system (C2, PLO1) - Question 1 (30 marks)
2. Evaluate proposed improvements to [q2] the configuration of a corporate networked
   information system and [q3] the associated administration policies and procedures
   (C4, PLO 2) - Questions 2, 3 (35 marks)

Question 1 [30 marks]

a) The first phase of DHCP involves the client sending out a DHCPDISCOVER
message. Why is this message sent out as a broadcast message, rather than a normal
unicast message? List and briefly describe the other 3 messages that are exchanged.
[12 marks]

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that
automatically provides an Internet Protocol (IP) host with its IP address and other
related configuration information such as the subnet mask and default gateway.

Level 2 Asia Pacific University of Technology & Innovation 202108


The message is sent out as a broadcast. If the network contains routers, those routers can
be configured to forward DHCPDISCOVER packets to DHCP servers on attached
networks. ... This message is broadcast to the entire network to let all DHCP servers
know which server was selected.

(Broadcast messages are sent to all stations in the network, whereas a unicast message is
sent to only one station on the network. Multicast messages are sent to a group of
stations, for example the receivers of a video camera stream.)

Assuming all went well with the DHCP discovery process, the correct sequence of DHCP
messages exchanged between the server and client is: DHCPDISCOVER ->
DHCPOFFER -> DHCPREQUEST -> DHCPACK. A client sends a DHCPDISCOVER
message with a source address of 0.0.0.0 and destination address of 255.255.255.255
(broadcast). A server that received the DHCPDISCOVER message will respond with a
DHCPOFFER message. This message contains initial configuration information for the
client. After the client receives a DHCPOFFER, it responds with a DHCPREQUEST
message, indicating its intent to accept the parameters in the DHCPOFFER, and moves
into the Requesting state. Finally, after the server receives the DHCPREQUEST, it will
respond with a DHCPACK message, thus completing the initialization process.

Following are the important messages exchanged between a Dynamic Host Configuration
Protocol (DHCP) client and a DHCP server.

i. DHCPDiscover Message
The DHCP client sends a DHCP Discover broadcast on the network to find a DHCP server. If
there is no response from a DHCP server, the client assigns itself an Automatic Private
IPv4 address (APIPA).

ii. DHCPOffer Message
DHCP servers on a network that receive a DHCP Discover message respond with a DHCP Offer
message, which offers the client an IPv4 address lease.

iii. DHCPRequest Message
Clients accept the first offer received by broadcasting a DHCP Request message for the
offered IPv4 address.

iv. DHCPAcknowledgment Message
The server accepts the request by sending the client a DHCP Acknowledgment message.
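The four-message exchange described above, as an added example that is not part of the exam answer: a small Python model that encodes and decodes DHCP messages in their real wire layout (BOOTP header, magic cookie, option 53) and runs one client through DISCOVER, OFFER, REQUEST and ACK against two servers, which also shows why the REQUEST is broadcast rather than sent only to the chosen server. The server addresses, address pools and client MAC are constructed.

```python
import struct
import ipaddress

# Added example, not from the exam paper: an in-process model of the
# DHCPDISCOVER -> DHCPOFFER -> DHCPREQUEST -> DHCPACK exchange, using the
# BOOTP/DHCP wire layout of RFC 2131 and option 53 (DHCP Message Type).
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
MAGIC = b"\x63\x82\x53\x63"               # magic cookie that starts the options field
HDR = "!BBBBIHH4s4s4s4s16s64s128s"        # the 236-byte fixed BOOTP header

def build(msg_type, xid, chaddr, yiaddr="0.0.0.0", siaddr="0.0.0.0", opts=b""):
    """Encode one DHCP message: op=1 for client requests, op=2 for server replies."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0,
                      0x8000,                # BROADCAST flag: client has no address yet
                      b"\0" * 4,             # ciaddr: still 0.0.0.0 during the exchange
                      ipaddress.IPv4Address(yiaddr).packed,
                      ipaddress.IPv4Address(siaddr).packed,
                      b"\0" * 4,             # giaddr: no relay agent in this model
                      chaddr, b"", b"")      # struct pads chaddr/sname/file with NULs
    return hdr + MAGIC + bytes([53, 1, msg_type]) + opts + b"\xff"

def parse(pkt):
    """Decode the fields the model needs: xid, yiaddr, siaddr, MAC and the TLV options."""
    f = struct.unpack(HDR, pkt[:236])
    assert pkt[236:240] == MAGIC, "not a DHCP message"
    opts, i = {}, 240
    while pkt[i] != 0xFF:                  # option 255 (End) closes the list
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "siaddr": str(ipaddress.IPv4Address(f[9])), "mac": f[11][:6], "opts": opts}

class Server:
    def __init__(self, ip, pool):
        self.ip, self.pool, self.leases = ip, list(pool), {}   # MAC -> leased address

    def handle(self, pkt):
        m = parse(pkt)
        kind = m["opts"][53][0]
        if kind == DISCOVER and (m["mac"] in self.leases or self.pool):
            offered = self.leases.get(m["mac"]) or self.pool.pop(0)
            self.leases[m["mac"]] = offered
            return build(OFFER, m["xid"], m["mac"], offered, self.ip)
        if kind == REQUEST:
            # Option 54 names the selected server. Because the REQUEST is broadcast,
            # a server that was NOT selected sees it too and returns its offer to the pool.
            if m["opts"][54] != ipaddress.IPv4Address(self.ip).packed:
                freed = self.leases.pop(m["mac"], None)
                if freed:
                    self.pool.insert(0, freed)
                return None
            return build(ACK, m["xid"], m["mac"], self.leases[m["mac"]], self.ip)
        return None

def dora(client_mac, servers, xid=0x3903F326):
    """Run one client through the exchange; returns (client state, address, server)."""
    discover = build(DISCOVER, xid, client_mac)      # 0.0.0.0 -> 255.255.255.255
    offers = [o for o in (s.handle(discover) for s in servers) if o]
    if not offers:
        return "INIT", None, None                     # nobody answered: APIPA fallback
    chosen = parse(offers[0])                         # first offer received wins
    req_opts = (bytes([50, 4]) + ipaddress.IPv4Address(chosen["yiaddr"]).packed +
                bytes([54, 4]) + ipaddress.IPv4Address(chosen["siaddr"]).packed)
    request = build(REQUEST, xid, client_mac, opts=req_opts)   # client is Requesting
    acks = [a for a in (s.handle(request) for s in servers) if a]
    ack = parse(acks[0])                              # ACK completes initialization
    return "BOUND", ack["yiaddr"], ack["siaddr"]
```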


b) Why does the Gateway in our network need several network interfaces? Why is it
necessary to assign the IP addresses for these interfaces permanently in /etc/hosts
rather than dynamically through DHCP? [8 marks]

Multiple network interfaces enable you to create configurations in which an instance
connects directly to several VPC (Virtual Private Cloud) networks. Each of the
interfaces must have an internal IP address, and each interface can also have an external
IP address.

Typically, you might require multiple interfaces if you want to configure an instance as a
network appliance that does load balancing, Intrusion Detection, and Prevention
(IDS/IPS), Web Application Firewall (WAF), or WAN optimization between networks.
Multiple network interfaces are also useful when applications running in an instance
require traffic separation, such as separation of data plane traffic from management plane
traffic.

(In essence, IP addresses are the identifier that allows information to be sent between
devices on a network: they contain location information and make devices accessible
for communication. The internet needs a way to differentiate between different
computers, routers, and websites.)
It is necessary to assign the IP addresses for these interfaces permanently in /etc/hosts
rather than dynamically through DHCP because a mapping of IP addresses to URLs may be
found in the /etc/hosts file. The /etc/hosts file is used by the browser to override the DNS
server's IP-address-to-URL mapping. This is helpful for testing DNS changes and SSL
setup before going live with a website. The Internet Protocol (IP) host names and
addresses for the local host and other hosts in the Internet network are stored in the
/etc/hosts file.


c) 1. In the Unix/Linux operating system, what do we expect to find in /etc and in
/etc/rc.d? [4 marks]

The /etc (et-see) directory is where a Linux system's configuration files live.

The /etc/rc.d directory contains the scripts that control the services run at boot time.
(It also contains scripts used to control the starting, stopping and restarting of
daemons.)

2. Explain three differences between /etc/passwd and /etc/shadow [6 marks]

- The /etc/passwd file holds user account details, while /etc/shadow holds the user's
  password details.
- The passwd file is world-readable; the shadow file can only be read by the root
  account.
- The user's encrypted password can only be stored in the /etc/shadow file.
- The pwconv command is used to generate a shadow file from the passwd file if it
  doesn't exist.
- The passwd file exists by default when the system is installed.
- The passwd file information is mostly static (home directory, shell, uid, gid, which
  hardly change).
- The shadow file information changes frequently since it's related to passwords, and
  user passwords change frequently (if not, password policies are loosely defined!).
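The split between the two files, as an added example that is not part of the exam answer: a Python parser for the seven-field /etc/passwd and nine-field /etc/shadow formats, with a cross-check that reports what an administrator would act on (a hash or empty field in the world-readable passwd file, a locked account, an expired password). All account lines are constructed; the hashes are placeholders.

```python
from datetime import date, timedelta

# Added example, not from the exam paper. The sample lines below are constructed:
# /etc/passwd has seven colon-separated fields and is world-readable, so its second
# field only holds the placeholder "x"; /etc/shadow has nine fields, carries the real
# hash plus the password-ageing data, and is readable by root only.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
vmail:x:5000:5000:virtual mail:/home/vmail:/usr/sbin/nologin
bob::1001:1001:Bob:/home/bob:/bin/bash
"""
SHADOW = """root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:18500:0:90:7:::
vmail:!:19000:0:99999:7:::
bob:$6$saltsalt$PLACEHOLDERHASH:18800:0:99999:7:::
"""

def parse_passwd(text):
    """name -> {pw, uid, gid, gecos, home, shell}: the mostly static account data."""
    users = {}
    for line in text.splitlines():
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users

def parse_shadow(text):
    """name -> {hash, last_change, min_days, max_days}: the frequently changing data."""
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        entries[f[0]] = {"hash": f[1],
                         "last_change": int(f[2]) if f[2] else None,  # days since 1970-01-01
                         "min_days": int(f[3]) if f[3] else 0,
                         "max_days": int(f[4]) if f[4] else None}
    return entries

def audit(passwd, shadow, today):
    """Cross-check both files; today is an ISO date string such as '2021-08-01'."""
    today = date.fromisoformat(today)
    findings = []
    for name, u in passwd.items():
        if u["pw"] == "":
            findings.append((name, "empty password field in passwd: login needs no password"))
        elif u["pw"] != "x":
            findings.append((name, "hash stored in world-readable passwd instead of shadow"))
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no shadow entry"))
            continue
        if s["hash"] == "":
            findings.append((name, "empty password in shadow"))
        elif s["hash"].startswith(("!", "*")):
            findings.append((name, "account locked (no password login)"))
        elif s["max_days"] is not None and s["max_days"] < 99999 and s["last_change"]:
            expires = date(1970, 1, 1) + timedelta(days=s["last_change"] + s["max_days"])
            if expires < today:
                findings.append((name, f"password expired on {expires.isoformat()}"))
    return findings

if __name__ == "__main__":
    for who, what in audit(parse_passwd(PASSWD), parse_shadow(SHADOW), date.today().isoformat()):
        print(f"{who}: {what}")
```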

Question 2 [35 marks]

a) OpenVPN and stunnel both use the concept of “encapsulation” to provide secure
network communications, but one uses the concept of “port forwarding” while the
other one uses the concept of “virtual devices”. Describe these 3 key concepts and
how they work. [15 marks]

- Encapsulation: By definition, encapsulation describes the idea of bundling data and
  methods that work on that data within one unit, like a class in Java. This concept is
  also often used to hide the internal representation, or state, of an object from the
  outside. This is called information hiding.

- Port forwarding (the concept used by stunnel): allows remote computers (for example,
  computers on the Internet) to connect to a specific computer or service within a
  private local-area network (LAN). Port forwarding, sometimes called port mapping,
  allows computers or services in private networks to connect over the internet with
  other public or private computers or services. Port forwarding works by creating an
  association called a map between a router's public, wide area network (WAN) internet
  protocol (IP) address and a private, local area network (LAN) IP address for a device
  on that private network.

- Virtual device: A virtual device is a program that manages a system resource, such as
  a hardware device or installed software, so that more than one application can use the
  resource at the same time. Windows uses virtual devices to allow multitasking for
  Windows-based applications. Virtual devices allow numerous PCs, virtual machines (VMs),
  virtual servers, and other devices to communicate across many offices and data centers.
  Virtual devices expand these capabilities by utilizing software administration to link
  computers and servers via the Internet, whereas physical networking uses cables and
  other hardware to connect computers.

b) Compare a CNAME record and a VirtualHost directive. What is their common
purpose? How are they different? [10 marks]

In the Domain Name System (DNS), a Canonical Name (CNAME) Record is used to create an
alias from one domain name to another, whereas the VirtualHost directive refers to the
practice of hosting several websites. VirtualHost can be IP-based, which means that each
web site has its own IP address, or name-based, which means that each IP address has
several names operating on it.
Their common goal is to deliver Web services, such as server functions and Internet
connectivity. They offer domain name registration, file storage and directory services for
the files that make up a Web page, e-mail services, and even website design and
development.

CNAME Record vs. VirtualHost directive:

1. CNAME Record: Uses a different hostname for particular network services, such as email
   or FTP, and directs it to the root domain.
   VirtualHost directive: Uses a single IP address to host several name-based web domains.

2. CNAME Record: Can have the same domain registered in many countries and direct the
   national versions to the main ".com" domain.
   VirtualHost directive: The configuration directives included in the <VirtualHost>
   section are used by the server when it gets a request for a document on a certain
   virtual host.

3. CNAME Record: A CNAME record must always link to a different domain name rather than
   an IP address.
   VirtualHost directive: A VirtualHost must correspond to a distinct server IP address,
   port number, or host name.

4. CNAME Record: CNAME records are used to map a subdomain, such as www or mail, to the
   domain that hosts the content for that subdomain.
   VirtualHost directive: They're used to encapsulate a set of directives that only apply
   to one virtual host.

c) What does ACL stand for? What is the relationship between an ACL and a firewall?
[10 marks]

An access control list (ACL) contains rules that grant or deny access to certain digital
environments. There are two types of ACLs:

- Filesystem ACLs: filter access to files and/or directories. Filesystem ACLs tell
  operating systems which users can access the system, and what privileges the users are
  allowed.
- Networking ACLs: filter access to the network. Networking ACLs tell routers and
  switches which type of traffic can access the network, and which activity is allowed.

Question 3 [35 marks]

a) AAA (Accounting, Authentication, Authorisation) is a framework for configuring
three independent security functions consistently. Which one of the "3As" is each of
these most closely related to? Why? [1] Intrusion detection system (Authorization)
[2] Packet filter (Accounting) [3] Username + password (Authentication) [15 marks]

The AAA Framework for Identity Access Security

The AAA Framework is a simple way to understand security issues surrounding the access
ability of individuals within an organization. The Internet Engineering Task Force
researched and coined the acronym in the early 2000s. The 3 As stand for Authenticate,
Authorize and Account. Understanding and crafting policies around this framework can help
make systems more secure. Using the AAA Framework and drilling down into the components
helps people understand the basic nuances of identity security.

1. Intrusion detection system: Authorisation

An Intrusion Detection System (IDS) analyzes network traffic for suspicious behavior
and generates warnings when such activity is detected. It is a piece of software that
monitors a network or a system for malicious activities or policy violations. Additionally,
intrusion prevention systems monitor network packets entering the system in order to
detect malicious activity and immediately issue warning alerts. By identifying and
alerting you to suspect network traffic, an IDS helps you to strengthen the security of
your network devices and important network data. Your network needs strong security to
safeguard existing data and data flows between internal and external networks. With the
sophistication and frequency of cyberattacks rising, it is critical to have a comprehensive
and adaptive intrusion detection system. In addition to enhancing network security, an
intrusion detection system may aid in the organization of vital network data.


Every day, your network creates a large amount of data, and an intrusion detection
system may assist you in differentiating between vital and non-essential activities. By
assisting you in determining which data to monitor, an intrusion detection system may
save you the time and effort associated with searching through hundreds of system logs
for crucial information.

2. Packet filter: Accounting

Packet filtering is a firewall method that is used to restrict network access by monitoring
outgoing and incoming packets and allowing or denying them access depending on the
source and destination Internet Protocol (IP) addresses, protocols, and ports. Filtering
packets verifies the source and destination IP addresses.
Certain packet filters are not clever and are incapable of remembering previously used
packets. Other packet filters, on the other hand, can remember previously used packet
elements, such as source and destination IP addresses. In most cases, packet filtering
provides an effective defense against assaults from computers located outside a local area
network (LAN). Due to the fact that the majority of routing devices provide built-in
filtering capabilities, packet filtering is often regarded as a conventional and
cost-effective method of security. Accounting is accomplished by the tracking of session
statistics and usage data. It is used to manage authorizations, billing, trend analysis,
resource consumption, and data capacity planning for company operations.
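The networking ACL of Question 2c and the packet filter just described, as one added example that is not part of the exam answer: a Python evaluator for an ordered, first-match rule list keyed on source, destination, protocol and port, with an implicit deny at the end and per-rule hit counters as the accounting side. The rules, networks and sample packets are constructed (documentation address ranges).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from the exam paper: an ordered, first-match networking ACL of the
# kind a stateless packet filter evaluates (source, destination, protocol, port), with a
# per-rule hit counter as the accounting side. Every rule, address and packet here is
# constructed.
@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    dport: Optional[int] = None   # None matches any destination port
    hits: int = 0                 # accounting: how often this rule decided a packet

def matches(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.get("dport")))

def filter_packet(acl, pkt):
    """The first matching rule decides; an implicit deny ends every ACL."""
    for rule in acl:
        if matches(rule, pkt):
            rule.hits += 1
            return rule.action
    return "deny"

# Order matters: the narrow deny for one host must precede the broad permit,
# otherwise the permit matches first and the deny is never reached.
ACL = [
    Rule("deny",   "any", "203.0.113.66/32", "0.0.0.0/0"),            # one blocked host
    Rule("permit", "tcp", "0.0.0.0/0",       "192.0.2.10/32", 443),   # public web, HTTPS only
    Rule("permit", "udp", "192.0.2.0/24",    "192.0.2.53/32", 53),    # LAN -> internal DNS
    Rule("permit", "tcp", "192.0.2.0/24",    "0.0.0.0/0"),            # LAN outbound TCP
]

PACKETS = [  # constructed traffic sample
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443},  # web
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22},   # SSH from outside
    {"proto": "tcp", "src": "203.0.113.66", "dst": "192.0.2.10", "dport": 443},  # blocked host
    {"proto": "udp", "src": "192.0.2.25",   "dst": "192.0.2.53", "dport": 53},   # LAN DNS
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.53", "dport": 53},   # outside DNS
]

def run(acl, packets):
    """Return the per-packet decisions and the per-rule hit counts."""
    decisions = [filter_packet(acl, p) for p in packets]
    return decisions, [r.hits for r in acl]

if __name__ == "__main__":
    print(run(ACL, PACKETS))
```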


3. Username + password: Authentication


A password is a combination of letters and numbers that is used to authenticate a user's
identity during the authentication process. Passwords are frequently used in conjunction
with usernames; they are intended to be known only by the user and to grant access to a
device, application, or website. When individuals log into a computer system or online
service, they use this name to identify themselves.
User authentication is a security procedure that encompasses all interactions between
humans and computers that need the user to register and log in. When a person creates an
account, they must establish a unique ID and password that will enable them to
subsequently access their account. While a username and password are frequently used as
the ID and key, credentials can also comprise other types of keys. In essence, user
authentication is what allows users to access their own accounts repeatedly while striving
to prevent unauthenticated individuals from getting access. User authentication is critical
to understand since it is a critical stage in the process of preventing unauthorized users
from gaining access to sensitive information. The AAA server validates a user's
authentication credentials against those stored in a database, in this instance Active
Directory. If the user's login credentials are identical, the user is permitted network
access. If the credentials do not match, authentication will fail and access to the network
will be denied.

b) Alice is thinking of making all users change their password every month. Why would
she think this is a good idea? Bob is trying to convince her not to do this. What are his
arguments against this policy? [8 marks]

The Pros of Password Expiration Policies


Multiple Account Breach Limits: It can be tempting to use the same password for all of
your accounts, whether for computers and network equipment or online accounts, as
remembering a single one is much easier. However, this also implies that if someone
cracks your password, he or she will have access to all of your accounts. By changing
your passwords to something unique and different for each account, you ensure that even
if someone guesses one password, he cannot use it for anything else.


Prevent Perpetual Access: Not all hackers take only what they require and then flee. At
times, hackers may maintain access to your account indefinitely, either to watch your
data or to continue stealing information. Because determining if someone else is using
your account can be difficult, changing your password frequently reduces the possibility
that other individuals will have frequent access to your accounts. To be safe, consider
changing your password every few months.
Reduce the amount of guesswork: If you use the same password over an extended
period of time, you increase the likelihood of someone guessing it. Whether it's from
someone watching you constantly type in your password or someone attempting to guess
it, the longer you keep the same password, the longer people have to try to figure out
what it is. Allow no one to monitor your account logins and avoid using short, easy-to-
guess words or phrases.
Choosing an Effective Password: When creating a new password, you want to create
something that is resistant to guesswork and hacking efforts. While you may be tempted
to select a lengthy password, remember that quality trumps quantity. Hacking tools are
capable of determining passwords by mixing random words and phrases, as well as any
personally identifiable information.

The Cons of Password Expiration Policies


1. It Encourages Poor Password Hygiene
In an ideal world, all users would pick a unique and complex password every time they
are prompted to create a new password. However, this isn’t the world we live in. We’re
living in the digital age where we have to remember multiple username and password
combinations just to do our jobs or experience the benefits of the modern world in our
personal life.
When users are faced with remembering so many passwords and they also have to
remember a new password every 30, 60, or 90 days, they are much more likely to pick a
weak password or a slight variation of their previous password. Users also get frustrated
with the process of resetting their passwords and remembering new ones on a regular
basis.


2. If you need to change your password frequently, you're likely to use an easy-to-
remember one. And what you gain in ease of recall comes at the expense of password
complexity, making it easier for a would-be attacker to pick your lock effectively.
3. If we're constantly changing our passwords, we're far more likely to forget what
we've changed them to, even more so if we use separate passwords for multiple logins;
we are probably going to forget our passwords frequently.

c) Bob wants to protect a plaintext file of user information (like Dovecot's
/home/vmail/mail-pwd). Alice suggests this can be done with a special owner and
particular permissions on the file and the directory where it is stored. How would this
be done? How does each of these measures help restrict access? [12 marks]

Permissions, alternatively termed rights or privileges, establish a user's or group's level
of access to files or folders. Permissions can be strict, such as the ability to view a
file, or loose, such as allowing users to change a file. Three types of users can be
assigned ownership of files using file permissions:
- User: The owner of a file or directory, which is often the user who created it. The
  owner of a file can specify who has the authority to read it, write to it (make
  changes to it), or execute it if the file contains a command.
- User group: Members of a user group.
- Others: All other users who are neither the file owner nor group members.

Permissions are used to control who has access to and the ability to modify the files and
directories contained within their file systems. Each file or directory has three
fundamental permission types: read, write, and execute.

- read - The Read permission specifies a user's ability to read a file's contents.
- write - The Write permission specifies a user's ability to create, alter, or delete a
  file or directory.
- execute - The Execute permission controls whether a user can run a file or inspect the
  contents of a directory.


Permissions can be viewed by inspecting the file or directory's permissions or by
inspecting the output of the "ls -l" command while in the terminal and working in the
directory containing the file or folder.

Symbol  Permission  Object     Description
r       Read        File       Only authorized users have the ability to open and read the
                               contents of a file.
                    Directory  Users with the appropriate permissions can view the contents
                               of the directory.
w       Write       File       The file's contents can be modified or deleted by designated
                               users.
                    Directory  Users with appropriate permissions can create files or links
                               in the directory. Additionally, they can delete files or
                               directory links.
x       Execute     File       If the file is a program or shell script, it can be executed
                               by designated users.
                    Directory  Users with the appropriate permissions can open and execute
                               files in the directory. Additionally, they can keep the
                               directory and its subdirectories current.

We can secure the files contained in a directory and its subdirectories by configuring the
directory's file permissions to be restrictive.
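The owner-and-permissions approach for the mail-pwd file, as an added example that is not part of the exam answer: a Python model of the Unix owner/group/others check, including the directory search (x) bits needed to reach a file, run against a world-readable layout and a restricted one. The users, the "dovecot" group name for the mail daemon's unprivileged account, and the modes are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Added example, not from the exam paper: the Unix owner/group/others permission check,
# applied to a Dovecot-style password file. Users, groups and modes are constructed; the
# group name "dovecot" for the mail daemon's unprivileged account is an assumption.
@dataclass
class Node:
    owner: str
    group: str
    mode: int            # permission bits only, e.g. 0o640

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset    # every group the user belongs to

def allowed(node, user, want):
    """Classic DAC: pick the owner, group or others triplet, then test r=4, w=2, x=1."""
    if user.name == "root":                  # root bypasses these checks entirely
        return True
    if user.name == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in user.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bool(bits & {"r": 4, "w": 2, "x": 1}[want])

def can_read_file(tree, path, user):
    """Reading /a/b/f needs x (search) on /, /a and /a/b, and then r on f itself."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts)):
        directory = "/" + "/".join(parts[:depth])
        if not allowed(tree[directory], user, "x"):
            return False, f"search denied on {directory}"
    if not allowed(tree[path], user, "r"):
        return False, f"read denied on {path}"
    return True, "ok"

# Two layouts for the same file: the weak one exposes the password file to every local
# user; the restricted one relies on the owner, the group and the directory mode.
WEAK = {
    "/": Node("root", "root", 0o755),
    "/home": Node("root", "root", 0o755),
    "/home/vmail": Node("vmail", "vmail", 0o755),
    "/home/vmail/mail-pwd": Node("vmail", "vmail", 0o644),    # world-readable
}
RESTRICTED = {
    "/": Node("root", "root", 0o755),
    "/home": Node("root", "root", 0o755),
    "/home/vmail": Node("vmail", "dovecot", 0o750),           # others cannot even enter
    "/home/vmail/mail-pwd": Node("vmail", "dovecot", 0o640),  # owner rw, group r, others none
}
ALICE = User("alice", frozenset({"alice", "users"}))          # an ordinary shell user
DOVECOT = User("dovecot", frozenset({"dovecot"}))             # the mail daemon's account
VMAIL = User("vmail", frozenset({"vmail", "dovecot"}))        # the file's owner

def who_can_read(tree, path="/home/vmail/mail-pwd"):
    return {u.name: can_read_file(tree, path, u)[0] for u in (ALICE, DOVECOT, VMAIL)}

if __name__ == "__main__":
    print("weak:      ", who_can_read(WEAK))
    print("restricted:", who_can_read(RESTRICTED))
```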
