Laboratory Exercises VII: Network Firewalls



Similar documents
Laboratory Exercises V: IP Security Protocol (IPSec)

Lab Configuring Access Policies and DMZ Settings

Lab Configuring Access Policies and DMZ Settings

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Multi-Homing Dual WAN Firewall Router

Lab PC Network TCP/IP Configuration

PT Activity 8.1.2: Network Discovery and Documentation Topology Diagram

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Chapter 15: Advanced Networks

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Configuring MassTransit Server to listen on ports less than 1024 using WaterRoof on Macintosh Workstations

(1) Network Camera

12. Firewalls Content

Quick Note 026. Using the firewall of a Digi TransPort to redirect HTTP Traffic to a proxy server. Digi International Technical Support December 2011

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Quick Installation Guide Network Management Card

Installation Notes for Outpost Network Security (ONS) version 3.2

Connecting your Virtual Machine to the Internet. BT Cloud Compute. The power to build your own cloud solutions to serve your specific business needs

DSL-G604T Install Guides

Step-by-Step Configuration

Step-by-Step Guide for Setting Up IPv6 in a Test Lab

CCProxy. Server Installation

Information Security Practice II. Installation and set-up of Web Server and FTP accounts

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

LAB THREE STATIC ROUTING

CIS 4361: Applied Security Lab 4

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Part A:Background/Preparation

Computer Networks I Laboratory Exercise 1

1 PC to WX64 direction connection with crossover cable or hub/switch

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

USER MANUAL GUIMGR Graphical User Interface Manager for FRM301/FRM401 Media Racks

STATIC IP SET UP GUIDE VERIZON 7500 WIRELESS ROUTER/MODEM

WhatsUpGold. v3.0. WhatsConnected User Guide

User guide. Business

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Lab Developing ACLs to Implement Firewall Rule Sets

D-Link DAP-1360 Repeater Mode Configuration

SETTING UP REMOTE ACCESS ON EYEMAX PC BASED DVR.

SNMP Manager User s Manual

Configuring Network Load Balancing with Cerberus FTP Server

Immotec Systems, Inc. SQL Server 2005 Installation Document

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

LAN TCP/IP and DHCP Setup

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

HOWTO: How to configure IPSEC gateway (office) to gateway

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

Pre-lab and In-class Laboratory Exercise 10 (L10)

Setting up an MS SQL Server for IGSS

FortKnox Personal Firewall

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

In this lab you will explore the Windows XP Firewall and configure some advanced settings.

How to Prevent Children from Browsing Improper Web Page within the Time Limit Step 1: Get the MAC Address of the Computer that Children Use

User Manual. Page 2 of 38

How To Configure Apple ipad for Cyberoam L2TP

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

Chapter 3 LAN Configuration

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

CC File Transfer. User Manual

To Configure Network Connect, We need to follow the steps below:

Using Virtual PC 7.0 for Mac with GalleryPro

Security Technology: Firewalls and VPNs

ISERink Installation Guide

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Lab - Configure a Windows XP Firewall

Classroom Management network FAQ and troubleshooting

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

AIMMS The Network License Server

How To Industrial Networking

Remote PC Guide Series - Volume 1

DEPLOYMENT OF I M INTOUCH (IIT) IN TYPICAL NETWORK ENVIRONMENTS. Single Computer running I m InTouch with a DSL or Cable Modem Internet Connection

Chapter 4 Customizing Your Network Settings

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Using. Microsoft Virtual PC. Page 1

FIREWALL ARCHITECTURES

Lab - Using Wireshark to View Network Traffic

SuperLumin Nemesis. Administration Guide. February 2011

Single Product Review - Bitdefender Security for Virtualized Environments - November 2012

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version /2004

Configuration Guide. BES12 Cloud

Load Balancing Smoothwall Secure Web Gateway

SecuraLive ULTIMATE SECURITY

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Lab Conducting a Network Capture with Wireshark

Deploying Windows Streaming Media Servers NLB Cluster and metasan

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Chapter 9 Monitoring System Performance

Preparing the Windows version of the software for use

What would you like to protect?

Broadband Router ESG-103. User s Guide

Implementing Network Address Translation and Port Redirection in epipe

1 Axis camera configuration IP configuration Setting up date and time Installing an IPS Analytics Application...

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

ShadowControl ShadowStream

RADAR NETWORK SETUP WITH WINDOWS XP/VISTA

Name Services (DNS): This is Quick rule will enable the Domain Name Services on the firewall.

DRO-210i LOAD BALANCING ROUTER. Review Package Contents

Transcription:

Laboratory Exercises VII: Network Firewalls Dr. sc. Mario Cagalj FESB, University of Split, Croatia January 26, 2010 Our goal in this exercise is to experiment with the basic network firewall architectures. Your tasks include setting up a virtual routed network, configuring a simple (yet powerful) packet filtering firewall, configuring a simple proxy server, and testing realized architectures. You will also learn how to create a multi-domain, multi-site testbed (routed) network when you have only a limited set of computers (e.g., a single singlehomed machine) available at your disposal. IMPORTANT: Before proceeding with exercises, you will organize into (3 person) teams (groups) as shown on the map in Figure 1. Please note down (remember) the number (identifier) of the group that you belong to, as well as the corresponding computer identifiers (PC 1, PC 2, etc.) this is important for later reference. South PC 1 PC 2 PC 1 PC 2 PC 3 Row 1 Group 1 Group 2 PC 1 PC 2 PC 3 PC 1 PC 2 PC 3 Row 2 Group 3 Group 4 PC 1 PC 2 PC 3 PC 1 PC 2 PC 3 Row 3 Group 5 Group 6 Figure 1: Map of the laboratory and corresponding groups 1

Exercise 1 Answer the following questions. 1. We will be using ipfw network firewall. An ipfw ruleset includes a default rule which says: allow ip from any to any. Which one of the basic firewall design policies ipfw firewall implements? 2. Contrast (compare) the default design policy of ipfw with other policies. 3. What are basic types of firewalls? Briefly describe each type. 4. Which of the following choices do not scale well: (a) stateful inspection (b) application gateway (c) packet filters? Explain why? 5. Circuit-level gateway operates (monitors) at the application layer? Correct or not? 6. What is the basic security issue (problem) with the screening router architecture? 7. In the screened host firewall architecture (slide 27), what is the role of the screening router? 8. What is the advantage of the dual-home gateway architecture compared to the screened host architecture? Exercise 2 In this exercise each group from Figure 1 will set up a routed network that consists of two works as shown in Figure 2 (the testbed network). Each different group i (i=1,2,,6) should set the value of x in the corresponding IP addresses to i (e.g., for group 3, IP address 10.0.X.2 reads 10.0.3.2). Please note that the testbed network is a basis for all later (firewall related) exercises, and you should carefully test your setup (using ping and tracert commands) before moving on to next exercise. 2

15.0.X.2 Station 2 Station 1 10.0.X.2 10.0.X.1 Router 15.0.X.1 Station 3 10.0.X.0/24 15.0.X.3 15.0.X.0/24 Figure 2: Targeted testbed network (for Group X) The targeted testbed network can be summarized as follows: It has two works 10.0.X.0/24 and 15.0.X.0/24 joined by a router. The router a network interface 10.0.X.1 on one and an interface 15.0.X.1 on another. Subnet 10.0.X.0 (an external network) has one WinXP host on it with the IP address 10.0.X.2. Subnet 15.0.X.0 (an internal network) has two WinXP hosts on it with the IP addresses 15.0.X.2 and 15.0.X.3. Setting Up the Testbed Network IMPORTANT: If you are not sure what you have to do at any of the following steps, please do contact the professor or the assistant. Task 2.1. Introduction Virtual PCs and Emulated Network Adapters We can see from Figure 2 that the testbed network comprises four devices, while each group in Figure 1 has at most three PCs in it. Moreover, a router should be equipped with at least two network interfaces (adapters, controllers - NICs). How can we then realize the required tesbed network in this setting? Thanks to Microsoft Virtual PC, we can create and run one or more virtual machines, each with its own operating system (Windows, Unix), on a single computer. In addition, with Virtual PC we can specify and configure up to four emulated network adapters to be used for the virtual machine. Thus, using Virtual PC we can easily emulate all stations and routers (multihomed virtual PCs) required for our testbed network. In our exercises, computers with the identifier PC 3 (see Figure 1) will emulate Station 3 and the router in Figure 2. More precisely, the host operating system (OS) on the PC 3 will be configured as Station 3 and the virtual machine created on PC 3 will be configured as the router. Finally, PC 1 3

and PC 2 will act as Station 1 and Station 2, respectively. This holds for all the groups except group 1 which has only 2 computers. GROUP 1 ONLY: PC 1 will act as Station 1, a virtual machine (installed on PC 2) named Virtual PC 2 will act as a Station 2, another virtual machine on PC 2 will be configured as the router (Router). Finally, the host operating system on the PC 2 will be configured as Station 3. In summary, physical PC 2 (in group 1) will host 2 virtual machines. Task 2.2. Setting Up the Router Recall from Task 2.1, the router in Figure 2 will be emulated using a virtual machine installed on the computer with identifier PC 3. To start the virtual machine Router, in the Start menu on PC 3 choose ( click ) Microsoft Virtual PC to open Virtual PC Console window as shown in Figure 3. Click Start button to start virtual machine Router. Figure 3: Virtual PC Console Configure (two virtual) network adapters using the addresses indicated in Figure 2. In other words, you have to configure the TCP/IP properties for each connection on Router virtual machine started in the previous step: Local Area Connection and Local Area Connection 2. Open Regedit.exe on Router virtual machine, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Para meter and set the value of IPEnableRouter to 1. Restart the virtual machine Router for this changes to take effect. Do not restart the host machine PC 3. At this stage, you have turned your multi-homed virtual machine Router into a router. Task 2.3. Setting Up the Stations Configure network adapters (the TCP/IP properties for each connection) on physical computers PC 1 and PC 2 using the addresses indicated in Figure 2. 4

Recall, PC 1 and PC 2 will act as Station 1 and Station 2, respectively. Finally, the host operating system on physical PC 3 will be configured as Station 3. GROUP 1 ONLY: Virtual PC 2 will be configured as Station 2. The host operating system on physical PC 2 will be configured as Station 3. Task 2.4. Testing your Setup Test your setup by using the ping command to ping any host (station) in one from any host in the other. Provide evidence that you have set up the required network topology (Figure 2) use tracert command for this purpose. Make sure that you have turned off WinXP personal firewalls on all the machines (including virtual machines). Exercise 3 The goal is to configure a packet filtering firewall ipfw (ip firewall), hosted by Router virtual machine, in such a way to block and/or allow certain type of traffic over the tesbed network. By installing a packet filter on the router, we have turned it into a screening router. Ipfw firewall supports both the command mode and the graphical mode of operation. Its use is self-explanatory, in particular in the graphical mode (see Figure 4). For detailed information you can consult README.TXT file accompanying ipfw installation in folder c:\ipfw. Figure 4: ipfw GUI In the graphical mode it is fairly easy to define different firewall rules. You start by clicking on the New rule button and the remaining steps are self-explanatory. Before defining and running your own rules for the first time, flush (remove) any existing rules. Observe in Figure 4 that it is possible to define and install multiple rules simultaneously (a ruleset). Also, observe that an ipfw ruleset always includes a 5

default rule (numbered 65535) which cannot be modified or deleted, and matches all packets. Task 3.1. Starting the Firewall Browse to the folder c:\ipfw. Execute install.bat or install-deny.bat in order to install the firewall with allow all or deny all default policy, respectively. Use uninstall.bat to uninstall the firewall. Browse to the folder c:\wipfw and execute qtfw.exe to get a graphical view (Figure 4). Task 3.2. Implementing a Security Policy 1 Station 2 Station 1 flow 1 Router Station 3 flow 2 10.0.X.0/24 15.0.X.0/24 Figure 5: Network flows to block/allow Consider the flows shown in Figure 5. Your task is to define, install and test a firewall rulset that implements the following policies (provide some evidence that your ruleset indeed implements the policies for example, you can use traces obtained from Network Monitor tool): 1. Block ICMP flow 1 (ping) from Station 1 and allow ICMP flow from Station 2. 2. Allow ICMP flow 2 (ping) from Station 1 and block ICMP flow 2 from Station 3. 3. Block both ICMP flow 1 and flow 2 from any IP address on the external network (10.0.X.0) and allow both ICMP flow 1 and flow 2 originating from the internal network. Task 3.3. Implementing a Security Policy 2 Station 3 hosts both a web server and an ftp server. Make sure that you can access them (e.g., ftp 15.0.X.3 and using a web browser try http://15.0.x.3). Your task is 6

to define and install a firewall rulset that implements the following policies (provide some evidence that your ruleset indeed implements the policies): 1. Allow access to the web server and block access to the ftp server from Station 1. 2. Block access to the web server and allow access to the ftp server from any computer on the external network. Task 3.4. Answer the Following Questions 1. Assume that Station 2 in Figure 5 represents a bastion host. How do we call the resulting firewall architecture (system)? 2. Is it possible to define firewall rules on the router, in the configuration in Figure 5, such that we block all traffic between Station 2 and Station 3? Explain your answer. 3. What is the problem with the first policy from Task 3.2? (Hint: Think how can a ping still reach Station 2 from the 10.0.X.0.) Exercise 4 In this exercise your task is to implement the policy depicted in Figure 6: Station 1 should only be able to access the web/ftp server via the application proxy (CCProxy) that is hosted by Station 2 no direct connection between any external computer and the servers is allowed. Station 2 Station 1 Router Station 3 Proxy server 10.0.X.0/24 15.0.X.0/24 WEB/FTP server Figure 6: Network flows to block/allow In the first step you have to configure the proxy server hosted by Station 2. From the start menu start proxy server CCProxy (Figure 7). By clicking on Account button you will open Account Manager window. Account Manager allows you to configure the server proxy to control the access to the proxy server based on the number of authentication methods (MAC, IP address, password based, different combinations). 7

Account manager is fairly simple it is self-explanatory (however, if you do not feel comfortable with it, please do contact the professor or the assistant). Figure 7: CCProxy GUI Please note that you will have to configure a web browser on Station 1 so that it uses Station 2 as a proxy server for accessing the web/ftp server. Your task is to define and install a firewall ruleset and configure the proxy server such that: 1. Station 1 is denied a direct access to the web/ftp server. 2. Only Station 1 is authorized to access the web/ftp server, but through the proxy server. Provide some evidence that your setup works properly (use Network Monitor). Also explain the following observation: Station 2 is not configured as a router. Still, Station 1 connects to the web/ftp server through Station 2. How does it work? (Hint: You may want to use Network Monitor at Station 2 and observe what happens during connection establishment.) 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information