Gurpreet Singh Roll No 17 FINAL-DP


  • 8/7/2019 Gurpreet Singh Roll No 17 FINAL-DP

    1/56

    DESIGN PROBLEM-1

    SUBJECT CODE: CSE 366

    SUBMITTED BY:
    Name: Gurpreet Singh
    Roll No: 17
    Sec No: RA1805
    Group No: G2
    Reg. No: 10805721

    SUBMITTED TO:
    Lec. Mr. Ramandeep Singh
    Department of CSE
    LOVELY PROFESSIONAL UNIVERSITY

    Design Problem 1

    Problem: Q1) A university has several academic functions as an organization. The management decides to access the computers in the examination cell, and the students are not allowed to access any information stored on the computers in the examination cell. Suggest a solution in your operating system; state clearly the assumptions that you have made.

    Expectations

    a) State some of the vulnerabilities in the operating system which can be exploited remotely.

    b) Clearly design a network of the university for which you have to implement the solution.

    c) Develop a policy of how machines should be allowed access to the examination cell computers which are to be safeguarded.

    d) State the role of system administrators in this process.

    e) Give IPTABLES for the network you have thought of.

    f) What more changes would you do on the machines to make them secure?

    CONTENTS

    1. BRIEF INTRODUCTION
    2. VULNERABILITIES IN OPERATING SYSTEM
       2.1 Conclusion
    3. DESIGN OF NETWORK: VIRTUAL PRIVATE NETWORK
       3.1 Definition
       3.2 VPN components
           A) Protocols
           B) Security: 1. Encryption; 2. Authentication
       3.3 Firewall: packet filtering firewalls; application level firewalls
       3.4 VPN example
       3.5 VPN installation
       3.6 VPN advantages
    4. ONLINE ENHANCED SECURITY SYSTEM USING GROUP CRYPTOGRAPHY
       4.1 Overview (groups)
       4.2 Abbreviations
       4.3 Assumptions and safeguards used
       4.4 Architecture for secured online exam system
    5. ROLE OF ADMIN IN CONDUCTING ONLINE EXAM SUCCESSFULLY
       5.1 Secure intragroup communication control: set up exam environment; set up online exam; control exam
       5.2 Situation after completing online exam: grading and appealing
       5.3 Secure intergroup communication control
           5.3.1 Completeness of system modeling
    6. IP TABLES: IP table definition; IP tables; IP table commands; solution to specific IP tables
    7. EXTRA SECURITY (MORE CHANGES TO MAKE MACHINES SECURE)
    8. CONCLUSION TO OVERALL PROBLEM

    1. INTRODUCTION

    Online education has expanded rapidly in this modern world. Even so, the off-line test is usually chosen as the evaluation method for both off-line education and online education. We do various online exams in our Lovely Professional University, e.g. NEAT, INFOSYS CAMPUS CONNECT EXAMS AS PER MODULES etc.

    The security of online examinations remains a problem. In some cases, the person writing the exam on a networked computer is monitored by a proctor at some predetermined location. But the requirement for an exam location goes against accessibility, the major attraction of e-learning or distance learning. The requirement may also negate the cost savings generated by e-learning or pose obstacles for remote students. Implication and automation of educational processes are other benefits of online education, and online exams inherit these advantages.

    To remove the requirement for human intervention in secure online exam management, so as to capitalize on the advantages of online processes, the design problem solution given by me proposes a solution to the issue of security and cheating for online exams.

    This solution uses an enhanced Security Control system for the Online Exam, which is based on group cryptography with an e-monitoring scheme. The cryptography supports enhanced security control for the online exam process, as well as authentication and integrity.

    The e-monitoring provides a proctor function for remote examinees to prevent cheating, and thus removes the requirement of having to go to a fixed location. The primary motive of this solution given by me is online exams for mathematics or English contests in middle or high school, and exams in online university courses with students at remote locations.

    This solution made by me discusses the problem of administering an online exam at a fixed time with the same questions for all examinees, just like an off-line exam, but without restricting the physical location of the examinees. As the Security Control system in the Online Exam system enables many kinds of tests to be given online, it can provide teachers with better evaluation standards for students and may contribute to improving the quality of education.

    2. VULNERABILITIES IN OS

    The requirements for a secure online exam which are not generally supported by the OS used by the machines, or that should be followed, are given as below:

    Accessibility: The security problems related to online exams include not only unauthorized access to the problem sheets before the exams, but also modifications of the questions and the answers. Authentication through only a user name and password can be the weak point in the security of online exams. The very environment in which students can use a Web browser and the Internet enables them to search the Internet and to communicate with others for help during the exam. Online exams should be possible without regard to location and time.

    Monitoring: The absence of proctoring on online exams may relax the examinees and encourage cheating. Therefore, it is necessary for an online exam management system to have some monitoring method to prevent and to detect cheating.

    Management: Online exam management includes problem creation, problem sheet distribution, answer sheet collection, marking, grade posting, and handling of appeals. The cost savings of online exams mitigate the burden of exam enforcement and induce many examinees located at very remote sites to participate in the exam. Educators can obtain more objective standards for evaluation.

    An online exam should also have the following features:

    Authenticity: The identities of the examinee, examiner, marker, and proctor should all be authenticated and verified at every step in the online exam process, because it is difficult to identify them face-to-face online.

    Integrity: Problems and answers should both be checked for their integrity, to detect unauthorized changes. Only one submission of the answer sheet should be allowed, and the submission of answers after the exam has ended should be prohibited. The unauthorized deletion or modification of the materials related to the exam should be impossible, or at least detectable. This is basically the present problem of the operating systems, and I am trying to make these objectives/goals come true with the solution I will give in this design problem later on.

    Security problem: The problem sets should be available to the examinees only during the exam period. The answer sheets should be kept securely before grading.

    Copy Prevention and Detection Types: The types of cheating discussed in this whole document designed by me are:

    - impersonating an examinee;
    - getting help from others, or helping an examinee with the exam;
    - discussing the exam with others;
    - using unauthorized electronic material that may be helpful in completing the exam; and
    - intercepting or interfering with communications during an online exam.

    Cheating should not be permitted during the exam, or at the very least, should be detected after the fact.

    Conclusion: In the end I can say that the above discussed problems, like secrecy, proper monitoring, copy case detection, integrity, and accessibility with security, are not basically supported by the operating system when the students are giving any online test, whether it is at the university level or the country level. To overcome this I have simultaneously given the solution above as well as in the later sections, so keep on reading this document designed by me.

    3. VIRTUAL PRIVATE NETWORK (VPN)

    3.1) Definition: A VPN is a combination of software and hardware that allows mobile employees, telecommuters, business partners, and remote sites to use a public or "unsecured" medium such as the Internet to establish a secure, private connection with a host network. With a VPN deployed across the Internet, virtual private connections can be established from almost anywhere in the world.

    Example diagram showing VPN:

    (Fig: A simple VPN)

    These VPNs became more popular when more employees worked in the remote access area.

    3.2) VPN Components: The components of a VPN are given as:

    A) PROTOCOLS:

    1) IP Security (IPSec): It consists of the following modes:
       - Transport mode
       - Tunnel mode

    2) Point to Point Tunneling Protocol (PPTP): a voluntary tunneling method; it uses PPP (Point to Point Protocol).

    3) Layer 2 Tunneling Protocol (L2TP): It exists in the DATA LINK LAYER of the OSI model. It is composed of PPTP and L2F (Layer 2 Forwarding). It is a compulsory tunneling method.

    B) SECURITY:

    1) Encryption: A technique for scrambling and unscrambling information. Unscrambled information is called clear-text; scrambled information is called cipher-text.

    2) Keys: A secret code that the encryption algorithm uses to create a unique version of cipher-text.
       - 8-bit keys = 256 combinations, or two to the eighth power
       - 16-bit keys = 65,536 combinations, or two to the 16th power
       - 56-bit keys = 72,057,594,037,927,900 combinations, or two to the 56th power
       - 168-bit keys

    3) Authentication: Determines if the sender is the authorized person and if the data has been redirected or corrupted.

    - User/System Authentication.
    - Data Authentication.

    C) APPLIANCES:

    1) Intrusion detection firewalls

    3.3) FIREWALL

    A firewall monitors traffic crossing network perimeters and protects enterprises from unauthorized access.

    Firewall Definition: A firewall is a computer program that monitors the flow of information from the Internet to your computer. A firewall is a piece of software or hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. If you are a home user or small-business user, using a firewall is the most effective and important first step you can take to help protect your computer.

    It is important to turn on your firewall and antivirus software before you connect to the Internet.

    DIAGRAM: Network with and without a firewall.

    If you use a computer at home, the most effective and important first step you can take to help protect your computer is to turn on a firewall.

    If you have more than one computer connected in the home, or if you have a small-office network, it is important to protect every computer. You should have a hardware firewall (such as a router) to protect your network, but you should also use a software firewall on each computer to help prevent the spread of a virus in your network if one of the computers becomes infected.

    (Fig: A packet-level firewall checks source and destination)

    PACKET FILTERING FIREWALLS: Packet filtering is the type of firewall built into the Linux kernel.

    A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and port information contained in each packet. It is as shown in the diagram.

    Because very little data is analyzed and logged, filtering firewalls take less CPU and create less latency in your network.

    (Fig: An application-level firewall acts as a host computer between the organization's network and the Internet)

    Application firewalls: An application firewall is a form of firewall which controls input, output or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to monitor one or more specific applications or services (such as a web or database service), unlike a general network firewall, which can provide some access controls for nearly any kind of network traffic. There are two primary categories of application firewalls: network-based application firewalls and host-based application firewalls.

    Network-based application firewalls: A network-based application layer firewall is a computer networking firewall operating at the application layer of a protocol stack, and is also known as a proxy-based or reverse-proxy firewall. Application firewalls specific to a particular kind of network traffic may be titled with the service name, such as a web application firewall. They may be implemented through software running on a host or a stand-alone piece of network hardware. Often, it is a host using various forms of proxy servers to proxy traffic before passing it on to the client or server. Because it acts on the application layer, it may inspect the contents of the traffic, blocking specified content, such as certain websites, viruses, or attempts to exploit known logical flaws in client software.

    Network-based application-layer firewalls work on the application level of the network stack (for example, all web browser, telnet, or ftp traffic), and may intercept all packets traveling to or from an application. In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

    Modern application firewalls may also offload encryption from servers, block application input/output from detected intrusions or malformed communication, and manage or consolidate ...

    Host-based application firewalls: A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application. This is done by examining information passed through system calls instead of, or in addition to, a network stack. A host-based application firewall can only provide protection to the applications running on the same host.

    An example of a host-based application firewall which controls system service calls by an application is AppArmor, or the Mac OS X application firewall.

    Host-based application firewalls may also provide network-based application firewalling.

    3.4) CONNECTING REMOTE OFFICES SECURELY WITH VPN

    THE CLIENT'S PROBLEM/PUZZLE (SOLVED BY REMOTE ACCESS VPN)

    A credit union with a head office and one branch office stored customer records in a database on a server located in the head office. The branch office completed paper forms when a customer made a deposit or withdrawal. These forms were then sent to the head office for entry into the database, which could take several days.

    As the number of customers increased, it became necessary for the branch office to have immediate access to the customers' transaction details so that account balances and loan status information could be provided to customers visiting it.

    The method of CONNECTING A REMOTE ACCESS OFFICE using VPN WITH COMPLETE SECURITY is given as follows:

    Installation of VPN Routers: Both offices already had internet-enabled LANs installed, with the internet connections provided by broadband ADSL services. To provide a secure internet-based link between the branch office and the head office, VPN routers with integral firewalls were installed. Personal firewalls were also installed on the server and the client computers.

    The use of VPNs enables the security of the credit union's customers' personal information to be ensured when it is transferred via the internet, as the VPN routers provide an encrypted, direct link for the secure transmission of data.

    TERMINAL SERVICES: The terminal services are to be installed on the head office server, and the terminal services client application was installed on the computers in the branch office.

    The use of Terminal Services enables the account management application to be run directly on the head office server for all computers, wherever their physical location. As only the screen image and keyboard strokes need to travel via the VPN, a fast and secure method for the branch office to access customer account details in real time is provided. The diagram of the remote access virtual private network is given on the next page:

    DIAGRAM: REMOTE ACCESS VPN

    3.5) VPN INSTALLATION

    On the Microsoft Windows 2000 VPN computer, confirm that both the connection to the Internet and the connection to your local area network (LAN) are correctly configured.

    1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
    2. Click the server name in the tree, click Configure and Enable Routing and Remote Access on the Action menu, and then click Next.
    3. In the Common Configurations dialog box, click Virtual private network (VPN server), and then click Next.
    4. In the Remote Client Protocols dialog box, confirm that TCP/IP is included in the list, click Yes, all of the available protocols are on this list, and then click Next.
    5. In the Internet Connection dialog box, select the Internet connection that will connect to the Internet, and then click Next.
    6. In the IP Address Assignment dialog box, select Automatically in order to use the DHCP server on your subnet to assign IP addresses to dialup clients and to the server.
    7. In the Managing Multiple Remote Access Servers dialog box, confirm that the No, I don't want to set up this server to use RADIUS now check box is selected.
    8. Click Next, and then click Finish.
    9. Right-click the Ports node, and then click Properties. In the Ports Properties dialog box, click the WAN Miniport (PPTP) device, and then click Configure.
    10. In the Configure Device - WAN Miniport (PPTP) dialog box, do one of the following:
        - If you do not want to support direct user dialup VPN to modems installed on the server, click to clear the Demand-Dial Routing Connections (Inbound and Outbound) check box.
        - If you do want to support direct user dialup VPN to modems installed on the server, click to select the Demand-Dial Routing Connections (Inbound and Outbound) check box.
    11. Type the maximum number of simultaneous PPTP connections that you want to allow in the Maximum Ports text box.

    (Fig: Remote Access Virtual Private Network)

    3.6) VPN ADVANTAGES:
    - Cost effective
    - Greater scalability
    - Easy to add or remove users
    - Security
    - Mobility

    4. ENHANCED SECURITY ONLINE EXAM SYSTEM USING GROUP CRYPTOGRAPHY

    4.1) OVERVIEW: There has been considerable discussion on group protocols and group-mediated communications to ensure secure communications among group members. This discussion has included two group models, which are given below:

    - Secure group composition
    - Secure intragroup communication using a symmetric key obtained through the Diffie-Hellman key exchange
    - Secure intergroup communication using a public key

    This design problem made by me will show you the implementation of two groups for secure communication between distributed entities in the online exam system. The intergroup communication is protected through a public key infrastructure (PKI), while intragroup communication uses several symmetric Diffie-Hellman keys.

    4.2) ABBREVIATIONS:

    G_A = Exam Administrator Group
    G_E = Examinee (students/users/clients) Group
    CT = Examiner
    CP = Proctor
    CM = Marker
    CE = Single examinee/student who has to give the online exam
    S_M = Monitor Server
    S_S = Scheduler
    AA = Exam Administrator Group Agent
    AE = Examinee Group Agent
    SeCOnE = Secured online exam system

    4.3) ASSUMPTIONS AND SAFEGUARDS

    ASSUMPTIONS:

    In this design problem I have initially assumed that the operating system of the examinees' computers and the proctor's computer is Windows XP or Windows 2000. However, the program semantics are not confined to Windows, because the APIs to control the examinee's computer and to handle the multimedia data are also available in Linux and Unix environments.

    EQUIPMENT or SAFEGUARDS:

    The examinees' computers should be equipped with Webcams and microphones. High-quality Webcams are readily available now and are constantly improving. Therefore, the use of Webcams in online exams is not considered unreasonable.

    4.4) ARCHITECTURE OF SECURED ONLINE EXAM SYSTEM

    As shown in the diagram given below, all entities in the secured online exam system perform their roles as members of either group G_A or G_E. S_S receives the problems and the right answers from CT, and then distributes the problems and collects the answer sheets from CE. A proctor monitors the examinees through S_M using the monitor data in CE. Through G_E, an examinee belonging to and managed by AE can take the online exam. The group agents AE and AA create a set of public and private keys for each group. They distribute this set of keys to their group members at each exam, and exchange the public keys with each other. The public key of each group is used for secure intergroup communications. For secure communications among group members, they use ...

    DIAGRAM-1: (Fig 1: The system architecture of the secured online exam system)

    Scheduler (S_S): The examiner is verified through CT with T(i) by the Exam Setup Management module in S_S. Through the Problem/Answer Management module, the problems, the right answers, and the time allocated to the problems are saved in the database (DB), which is accessed only by S_S. When CE[S(i)] connects to S_S with its identity S(i) and its IP[S(i)], the Examiner/Examinee Management module sends them to AA and requests the verification of the examinee. As S(i) is encrypted with K_PU[AA], CE[S(i)] cannot know its identity, nor can S_S verify the examinee. After the verification, S_S saves S(i) and IP[S(i)] in the DB and sends IP[S(i)] to S_M. Then it sends the problems and the time assigned for the exam to CE[S(i)] through the Exam Process Management module. It is shown in the diagram given below:

    DIAGRAM-2: Scheduler Architecture.

    ONLINE EXAM PROCEDURE

    Setup for the Exam Environment:

    All examinees download CE and install it on their computers. One monitor per examinee is assumed. CE runs as a full-screen program, closes all ports except those required for the online exam, and checks the Webcam and microphone. After the environment for the online exam is set up and the examinee is authenticated, the problem sheet is distributed. CE opens the problem sheet for the examinee upon receipt of the message from S_S to start the exam.

    DIAGRAM-a: (Fig: A secure online exam process)

    Setup of an Online Exam: As shown in diagram-A, the setup of an online exam is initiated by the examiner, which registers itself with AA (Exam Administrator Group Agent) and receives its temporary identity T(i) in the form K_S[S_S, AA]. When an examinee registers with AE (Examinee Group Agent) through CE (the single examinee/student who has to give the online exam), he or she receives S(i) in the form K_PU[AA], CE[S(i)] from AE as a member of G_E (Examinee Group), together with IP[S(i)].

    DIAGRAM-b: A secure online exam set up

    Then, as shown in diagram-A:

    CE connects to S_S and requests its authentication by sending K_PU[AA], CE[S(i)] and IP[S(i)]. After CE registers with AE, AE sends S(i), IP[S(i)] and D[S(i)] for CE to AA.

    AA sends IP[S(i)] and D[S(i)] to S_M to be a reference for detecting cheating. When S_S notifies S_M of IP[S(i)], S_M checks whether the IP is in the IP list of the examinees from AA. If the IP is valid, S_M requests the transmission tests of the monitor data for the examinee. When the data streams of video, audio, and screen shots for the examinees are transmitted to S_M and successfully saved, a proctor inspects them through CP (Proctor) and decides whether the online exam environment is ready for the examinees.

    Control of the Online Exam:

    After the online exam is set up, the scheduler sends the problem sheet e[S(i)], its digital signature s[G_A]e[S(i)] signed by G_A (Exam Administrator Group), and the identity of the examiner K_PU[AE], T(i) to CE[S(i)], as shown in diagram-B.

    CE[S(i)] checks the integrity of e[S(i)] with s[G_A]e[S(i)] and requests verification of the examiner by sending K_PU[AE], T(i) to AE (Examinee Group Agent).

    After verifying that no anomalies exist in the problem sheet, CE sends the ready message to S_M. Once the ready message has been received from all the examinees, the start message is sent to all the CEs. At that point, CE lets the examinees see the problems one by one. The monitor data for all examinees are transmitted to the monitor server until the exam ends. CE[S(i)] sends its answer sheet a[S(i)] to S_S.

    S_S requests the verification of the examinee from AA and checks the integrity of the problems and the answers. By checking the state of each CE, S_S manages the state of the online exam to detect abnormal situations such as faults in state transition, as shown in diagram-3.
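The key handling of the setup and control steps above, as an added example that is not code from this design problem or from the SeCOnE system it describes. The document names no concrete algorithms, so this example uses Go's standard library: an Ed25519 key pair stands in for each group's public/private key (so s[G_A]e[S(i)] is an Ed25519 signature that CE[S(i)] verifies with G_A's public key), and the step "S(i) encrypted with K_PU[AA]" is modeled with a single X25519 Diffie-Hellman key between the two agents plus AES-GCM, so that CE carries the token without being able to read its own identity. The type and function names (GroupAgent, Seal, Open, Sign, VerifySheet) and the sample values S(17) and the problem text are assumptions made for this example.

```go
package main

// Added example, not code from the original design problem: the key handling
// of the setup and control steps with Go's standard library. Type and function
// names and the sample values are assumptions made for this example.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GroupAgent models AA or AE: an Ed25519 key pair stands in for the group's
// public/private key (intergroup PKI) and an X25519 key pair provides the
// Diffie-Hellman secret from which symmetric keys are derived.
type GroupAgent struct {
	SignPub  ed25519.PublicKey // exchanged with the other group's agent
	signPriv ed25519.PrivateKey
	dhPriv   *ecdh.PrivateKey
}

// NewGroupAgent creates the key material an agent generates for one exam.
func NewGroupAgent() (*GroupAgent, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &GroupAgent{SignPub: pub, signPriv: priv, dhPriv: dh}, nil
}

// DHPub is the Diffie-Hellman public value the agents exchange.
func (g *GroupAgent) DHPub() *ecdh.PublicKey { return g.dhPriv.PublicKey() }

// aead derives a 256-bit AES-GCM key from the shared Diffie-Hellman secret.
func (g *GroupAgent) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := g.dhPriv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the temporary identity S(i) for the peer agent, so that the
// CE[S(i)] that carries the result cannot learn its own identity.
func (g *GroupAgent) Seal(peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	gcm, err := g.aead(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil // nonce || ciphertext || tag
}

// Open recovers the identity on the agent holding the matching DH private key.
func (g *GroupAgent) Open(peer *ecdh.PublicKey, box []byte) ([]byte, error) {
	gcm, err := g.aead(peer)
	if err != nil {
		return nil, err
	}
	if len(box) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
}

// Sign produces s[G_A]e[S(i)], the group signature over a problem sheet.
func (g *GroupAgent) Sign(sheet []byte) []byte { return ed25519.Sign(g.signPriv, sheet) }

// VerifySheet is the integrity check CE[S(i)] runs with the group's public key.
func VerifySheet(groupPub ed25519.PublicKey, sheet, sig []byte) bool {
	return ed25519.Verify(groupPub, sheet, sig)
}

func main() {
	aa, _ := NewGroupAgent()
	ae, _ := NewGroupAgent()
	token, _ := ae.Seal(aa.DHPub(), []byte("S(17)")) // constructed sample identity
	id, err := aa.Open(ae.DHPub(), token)
	fmt.Printf("AA recovered %q (err=%v)\n", id, err)
	sheet := []byte("Q1: Explain packet filtering.") // constructed problem sheet
	sig := aa.Sign(sheet)
	fmt.Println("genuine sheet verifies:", VerifySheet(aa.SignPub, sheet, sig))
	sheet[0] ^= 1 // one bit changed in transit
	fmt.Println("tampered sheet verifies:", VerifySheet(aa.SignPub, sheet, sig))
}
```

Two properties of the text are visible in the output: a third agent that did not take part in the Diffie-Hellman exchange cannot open the token (AES-GCM authentication fails), and a problem sheet altered by even one bit is rejected by CE[S(i)] before it is shown to the examinee. In a deployment the Ed25519 public keys would be distributed inside certificates from the university's PKI rather than exchanged directly, and each examinee would hold its own DH key with AE for the intragroup channel.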

    5.2) SITUATION AFTER COMPLETING THE EXAM: GRADING AND APPEALING:

    According to the exam management policy of the Secured online exam (SeCOnE) system, at the end of the exam or earlier, the answer sheets submitted by the examinees are delivered to the Exam Process Management module, which saves the answers in the DB; then the Grade Management module marks them with the correct answers provided by CT. The grades are also kept in the DB. The answer sheets marked by S_S can be referenced by CM through the Grade Management module when subjective questions are included in the problems. The grades are distributed to the CEs after all the examinees have submitted their answer sheets. If an examinee, whose identity is S(i), is not satisfied with his or her grade G[S(i)], he or she submits an appeal C[S(i)] to S_S through the Exam Process Management module. The claim is delivered to CM through the Claim Management module, and a regrading is initiated. The Time Control module manages the exam time, and the Exam State Management module checks the states of all CEs according to diagram-3 as shown below.

    DIAGRAM-3: Online exam client state
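The client state checking of the Exam State Management module and the Time Control module described above, together with the Integrity and Security requirements of section 2 (only one answer sheet per examinee, none after the exam has ended), as an added example that is not code from this design problem. Diagram-3 itself is not reproduced on the page, so the states Registered, Ready, InExam, Submitted, Graded and Appealed, the transitions between them, the ExamClient and ExamWindow types and the constructed exam window of 10:00 to 11:00 are assumptions that follow the text rather than the original diagram.

```go
package main

// Added example, not code from the original design problem. Diagram-3 is not on
// the page, so the states and transitions below are assumptions that follow the
// text: one answer sheet per examinee, none after the exam has ended, and any
// other out-of-order event recorded as a fault in state transition.

import (
	"errors"
	"fmt"
	"time"
)

type State int

const (
	Registered State = iota // S(i) issued by AE
	Ready                   // CE sent the ready message
	InExam                  // start message received, problems visible
	Submitted               // a[S(i)] accepted by S_S
	Graded                  // G[S(i)] posted
	Appealed                // C[S(i)] delivered to CM
)

var stateNames = []string{"Registered", "Ready", "InExam", "Submitted", "Graded", "Appealed"}

func (s State) String() string { return stateNames[s] }

// ExamWindow is the period in which problems are available and answers accepted.
type ExamWindow struct{ Start, End time.Time }

var (
	ErrBadTransition = errors.New("fault in state transition")
	ErrLate          = errors.New("submission after the exam has ended")
)

// ExamClient is the scheduler's view of one CE[S(i)].
type ExamClient struct {
	ID      string // temporary identity S(i)
	State   State
	Answers string
	Faults  []string // abnormal events kept for the Exam State Management module
}

func (c *ExamClient) fault(event string) error {
	c.Faults = append(c.Faults, fmt.Sprintf("%s: %s while %s", c.ID, event, c.State))
	return ErrBadTransition
}

// advance moves from one state to the next, or records the fault and refuses.
func (c *ExamClient) advance(from, to State, event string) error {
	if c.State != from {
		return c.fault(event)
	}
	c.State = to
	return nil
}

func (c *ExamClient) MarkReady() error { return c.advance(Registered, Ready, "ready") }
func (c *ExamClient) Grade() error     { return c.advance(Submitted, Graded, "grade") }
func (c *ExamClient) Appeal() error    { return c.advance(Graded, Appealed, "appeal") }

// Start releases the problems, but only inside the exam window.
func (c *ExamClient) Start(now time.Time, w ExamWindow) error {
	if now.Before(w.Start) || !now.Before(w.End) {
		return c.fault("start outside the exam window")
	}
	return c.advance(Ready, InExam, "start")
}

// Submit accepts exactly one answer sheet and none after the window closes.
func (c *ExamClient) Submit(now time.Time, w ExamWindow, answers string) error {
	if c.State != InExam { // a second sheet, or one sent before the start message
		return c.fault("submit")
	}
	if now.After(w.End) {
		c.fault("late submit")
		return ErrLate
	}
	c.Answers = answers
	return c.advance(InExam, Submitted, "submit")
}

func main() {
	day := time.Date(2019, 8, 7, 0, 0, 0, 0, time.UTC)
	w := ExamWindow{Start: day.Add(10 * time.Hour), End: day.Add(11 * time.Hour)} // constructed window
	c := &ExamClient{ID: "S(17)"} // constructed examinee
	fmt.Println(c.MarkReady(), c.Start(day.Add(10*time.Hour+5*time.Minute), w))
	fmt.Println(c.Submit(day.Add(10*time.Hour+50*time.Minute), w, "A1"))
	fmt.Println(c.Submit(day.Add(10*time.Hour+55*time.Minute), w, "A1 again"), c.Faults)
}
```

The second Submit call is refused with ErrBadTransition and leaves the first answer sheet in place, which is the "only one submission" rule; a sheet arriving after End is refused with ErrLate and the client stays in InExam so the proctor can see that it never submitted. Every refusal is appended to Faults, which is what the Exam State Management module would inspect to find the "faults in state transition" the text mentions.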

    Monitor Server:

    As shown in the above diagram-4, when the Examinee Management module in S_M receives the examinee's IP from S_S, it prepares a directory to save the monitor data of the examinee in a file server. The module also verifies the examinee by comparing the IP with that from AA, as shown in Fig. 2. The monitor data are saved with the reference photos for the examinees from AA; the photos were taken when the examinees were authenticated. During or after the exam, a proctor connecting through ...

    5.3) SECURE INTERGROUP COMMUNICATION CONTROL MODULE

    The enhanced security for the online exam is controlled through the intergroup communication based on PKI, the intragroup communication using symmetric keys, and the temporary identity. The exam administrative group and the examinee group are set up for every exam. All the entities related to an exam belong to one of those two groups. Agents for the two groups issue the ...

    ... clients send the ready message to the scheduler. Therefore, it is possible for all examinees to take the online exam simultaneously. If, however, it is difficult for all examinees to take an online exam at the same time, examiners can prepare one set of problems for each of several exam times so that the examinees can choose the time that suits them best. The grades are marked with the correct answers already provided by the examiner and automatically saved in the database (DB) if no subjective questions were asked. The grades, as well as the problems and the right answers, are kept secure because access to the DB is restricted to the scheduler. And, because all examinees' computers are restricted from engaging in Internet communications except for those related to the online exam process, Internet-related accidents in the online exam process should be rare.

    Completeness of System Modeling: In the SeCOnE system, online exams have been described using the same semantics that apply to offline exams. Through the examiner, the person setting the exam can provide the problems and their right answers. Through the marker, she or he can mark the subjective questions and decide the final grades for the examinees. Through the proctor, she or he can supervise the examinees with the monitor data saved in the monitor server in near real time. The problems, their right answers, and the answer sheets from examinees are managed by the scheduler.

    The authentication, which traditionally was based only on a user name and password, is strengthened by the group management. This process includes verification by Webcam and issuance of temporary identities for every exam. No entity can know all the information, such as the real identities of the entities or the cryptographic keys in the system. This precaution avoids the potential for system compromise due to the failure of a single entity because of maliciousness or an external attack.

    The SeCOnE system is based on an open architecture, and the scheduler and the monitor server are scalable depending on the predicted load for them. Having the monitor data saved in the monitor server reduces the probability that cheating during an exam will be missed by the proctor. In this system, more proctors are not required as the number of examinees increases, as would be the case in an off-line exam.

6. IP TABLES

iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

iptables also provides a rate limiting feature that helps it block some types of denial of service (DoS) attacks.

    Processing For Packets Routed By The Firewall


Queue type: Filter
  Queue function: Packet filtering
  Chains in queue and their function:
    FORWARD     Filters packets to servers accessible by another NIC on the firewall.
    INPUT       Filters packets destined to the firewall.
    OUTPUT      Filters packets originating from the firewall.

Queue type: Nat
  Queue function: Network Address Translation
  Chains in queue and their function:
    PREROUTING  Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
    POSTROUTING Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
    OUTPUT      Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)

Queue type: Mangle
  Queue function: TCP header modification
  Chains in queue and their function:
    PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD
                Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments)

iptables preserves the basic ideas introduced into Linux with ipfwadm: lists of rules which each specified what to match within a packet, and what to do with such a packet. ipchains added the concept of chains of rules, and iptables extended this further into tables: one table was consulted.


    IP TABLE COMMANDS

These options specify the specific action to perform. Only one of them can be specified on the command line unless

For all the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.

-A, --append chain rule-specification
    Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

-D, --delete chain rule-specification
-D, --delete chain rulenum
    Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

-I, --insert chain [rulenum] rule-specification
    Insert one or more rules in the selected chain as the given rule number.

-R, --replace chain rulenum rule-specification
    Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

-L, --list [chain]
    List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by

        iptables -t nat -n -L

-F, --flush [chain]
    Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-Z, --zero [chain]
    Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)

-N, --new-chain chain
    Create a new user-defined chain by the given name. There must be no target of that name already.

-X, --delete-chain [chain]
    Delete the optional user-defined chain specified. There must be no references to the chain. non-builtin chain in the table.

-P, --policy chain target
    Set the policy for the chain to the given target. See the section TARGETS for the legal targets.

PARAMETERS

The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

-p, --protocol [!] protocol
    The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all.

-s, --source [!] address[/mask]
    Source specification. Address can be either a network name, a hostname (please note that specifying. Thus, a mask of 24 is equivalent to 255.255.255.0.

-d, --destination [!] address[/mask]
    Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target
    This specifies the target of the rule; i.e., what to do if the packet matches it.


-g, --goto chain
    This specifies that the processing should continue in a user specified chain. Unlike the --jump option, return will not continue processing in this chain but instead in the chain that called us via --jump.

-i, --in-interface [!] name
    Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains).

-o, --out-interface [!] name
    Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). name will match. If this option is omitted, any interface name will match.

OTHER OPTIONS (in Linux)

The following additional options can be specified:

-v, --verbose
    Verbose output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks.

-n, --numeric
    Numeric output. IP addresses and port numbers will be printed in numeric format.

-x, --exact
    Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.

--line-numbers
    When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

--modprobe=command
    When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).

Solution for ip table:

First of all we have to allow localhost access to everything under that LAN, so that the network can communicate internally. The commands for that are as follows:

    iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT

1. Allow all traffic from a selection of IP subnets (for example, allow 192.168.1.0 through to 192.168.10.0). They should have full access to all ports.

    # /24 masks make the rules cover the whole subnets rather than the single
    # addresses 192.168.1.0 and 192.168.10.0; NEW is needed on INPUT so that
    # connections can be opened, not only continued.
    iptables -A INPUT  -p tcp -s 192.168.1.0/24 -d 192.168.10.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s 192.168.1.0/24 -d 192.168.10.0/24 -m state --state ESTABLISHED -j ACCEPT

2. Allow access to port 22 (ssh) and 8001 (weblogic) using TCP/HTTP traffic from a specific IP address (for example 192.168.168.168).

For port 22 (ssh):

    # incoming connections to 22 only from the named host, and the replies back to it
    iptables -A INPUT  -p tcp -s 192.168.168.168 --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp -d 192.168.168.168 --sport 22 -j ACCEPT

For port 8001 (weblogic):

    iptables -A INPUT  -p tcp -s 192.168.168.168 --dport 8001 -j ACCEPT
    iptables -A OUTPUT -p tcp -d 192.168.168.168 --sport 8001 -j ACCEPT

3. Deny everything else.

    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
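The following is an added example and not part of the author's solution: a POSIX shell script that produces the complete ruleset for one examination-cell host in iptables-restore format, pulling together the filter chains described under "Processing For Packets Routed By The Firewall" and the three steps of the solution above (local traffic, permitted subnets and hosts, deny everything else). The addresses 192.168.10.0/24 and 192.168.168.168 and the port 8001 are reused from the examples above; treating 192.168.10.0/24 as the examination-cell LAN, 192.168.168.168 as the administrator's workstation and 8001 as the exam service port are assumptions. Generating the rules as text lets the system administrator review and test them without root before loading them atomically.

```shell
#!/bin/sh
# Added example (not the author's own ruleset). Builds an iptables-restore
# file for one examination-cell host. Assumptions, not from the page:
#   EXAM_LAN     - the examination-cell LAN (scheduler, DB, examinee PCs)
#   ADMIN_HOST   - the only workstation allowed to administer over SSH
#   SERVICE_PORT - TCP port of the exam service this host exposes
EXAM_LAN="${EXAM_LAN:-192.168.10.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.168.168.168}"
SERVICE_PORT="${SERVICE_PORT:-8001}"

# Print the ruleset. Default policies are DROP on every filter chain, so the
# author's step 3 ("deny everything else") is the policy rather than a trailing
# rule, and a forgotten ACCEPT fails closed instead of open.
exam_cell_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback by interface rather than by address: the kernel, not a packet's
# claimed 127.0.0.1 source, decides what arrives on lo.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets that belong to no known connection are discarded first.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections already permitted below (both directions).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the administrator's host, and only 4 new sessions a minute:
# the limit match is the rate-limiting feature mentioned above, so a
# password-guessing flood falls through to the DROP policy.
-A INPUT -p tcp -s ${ADMIN_HOST} --dport 22 -m conntrack --ctstate NEW -m limit --limit 4/min --limit-burst 4 -j ACCEPT
# The exam service is reachable from examination-cell machines only.
-A INPUT -p tcp -s ${EXAM_LAN} --dport ${SERVICE_PORT} -m conntrack --ctstate NEW -j ACCEPT
# This host may open connections only inside the cell (scheduler, DB), which
# is what keeps examinee traffic off the Internet during the exam.
-A OUTPUT -p tcp -d ${EXAM_LAN} -m conntrack --ctstate NEW -j ACCEPT
# Record (rate-limited) what the DROP policy is about to discard, so the
# system administrator can audit access attempts against the cell.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "examcell-drop: "
COMMIT
EOF
}

# Policy of a built-in chain in the generated ruleset, e.g. "DROP".
chain_policy() {
    exam_cell_rules | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Number of ACCEPT rules: a reviewer compares this with the intended list
# (2 loopback, 2 established, SSH, exam service, outbound to the cell = 7).
accept_rule_count() {
    exam_cell_rules | grep -c -- '-j ACCEPT'
}

# Usage: review the text first, then load it atomically (this replaces the
# running filter table, so keep console access while testing):
#   exam_cell_rules
#   exam_cell_rules | sudo iptables-restore
```

Because the whole table is replaced in one iptables-restore transaction, there is no window in which only part of the ruleset is active, unlike appending rules one command at a time; and the DROP policies mean the ordering mistake the author's appended rules are exposed to (an ACCEPT added after the final DROP never matches) cannot silently open the host.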


I am giving here a demonstration of how the systems used in the examination cell can be made secure when they are connected to the server, i.e. the client/server model.

Steps:

1. Open Control Panel.

2. Once Control Panel is open, click the option "user accounts and settings".


3. Click the option "add and remove user" (it can create the user you want), but you should click the option "set up parental control for any user". It is shown as below:


Now it shows the users which are connected to the administrator gurpreet.

Here the administrator is: Gurpreet.

The users are: Garry, RamanSir, Shruti, Vishal, Guest etc.

From here gurpreet is acting as a server for the users (Garry, RamanSir, Shruti, Vishal, Guest etc.), and gurpreet as the server/administrator can click the option "set parental control" for each user by following the above steps.


5. Click on the option "parental control" in order to make the system more secure for the exam, so that the user on the RamanSir PC won't be able to access some applications at the time of the exam. It shows an interface like this:


6. Now click the option "on, enforce current settings". As soon as we click this option, it opens the following windows as given below:

As we click this button, it will activate the option "allow and block specific programs".


7. Click the option "allow and block specific programs". As we click it, it will open a window as given below:

8. Now click the option "RamanSir can only use the programs I allow".

It will open a window like this:

10. Now the application programs on the user computer named RamanSir will be loaded, and the server/administrator can block the specific programs which he/she doesn't want him/her to use during the online exam.

It is shown as below:

It is shown here that the administrator has blocked the programs for the user (RamanSir), and the blocked programs are shown in the above diagram by the tick marks, i.e. devc++, acroread.exe etc.

Then press OK in order to save the settings.


CONCLUSION: In the end we can say that in the above demonstration (client/server model), when all the computers (users) are connected to the server/administrator through the network model which the university will be using in its labs, the administrator can access the accounts of all the users and can also set the read/write permissions on the various logical (C/D/E) drives and on the various application programs existing on the users' systems. The various files/folders placed on user systems which are useful in regard to the online exam, and which could be exploited by the students to gain access to that material, can thus be totally controlled by the administrator, and the user on those systems won't be able to access that material at all.

Hence this is also a useful way to provide enhanced security to the systems in the examination cell for the online exam.

8. CONCLUSION TO OVERALL PROBLEM

This design problem basically discusses the need for online exams and then the various constraints in holding online exams in the various universities. After a careful study of the problem I am able to find the network which will be suitable for online exam security, and the various enhanced group methods (Internet group communication and the intra-group communication methods) which will make the user completely safe to use the client computers during the exam with no server error, and which will also be safe against cheating.

In this solution of the design problem, the secured online exam system provides both secure online exam management and a scheme for the prevention and detection of cheating using e-monitoring. The measures for preventing and detecting cheating proposed in this paper cover the cheating methods identified for the online exam process via computer or Internet, although they may not address all possible cheating methods. The solution designed by me is targeted towards exams administered through the Internet at a fixed time with one problem set, but without any restriction on the exam location. A powerful feature is that the secure online exam can be applied to an exam administered at different times. In this case, the examiner should prepare as many problem sets as there are exam times, in order to prevent cheating during the exam. One overhead cost for this system is in the preparation of the equipment, such as Webcams and microphones, to monitor and to authenticate the entities.