Lab assignment #2 IPSec and VPN Tunnels (Document version 1.1)



Similar documents
Lab assignment #1 Firewall operation and Access Control Lists

Configuring the PIX Firewall with PDM

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

1 PC to WX64 direction connection with crossover cable or hub/switch

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Scenario: IPsec Remote-Access VPN Configuration

How To Industrial Networking

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Lab Configuring Access Policies and DMZ Settings

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Lab - Configure a Windows Vista Firewall

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Setting up VPN Access for Remote Diagnostics Support

Lab Exercise Configure the PIX Firewall and a Cisco Router

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Lab Configuring Access Policies and DMZ Settings

Lab a Configure Remote Access Using Cisco Easy VPN

Objectives. Background. Required Resources. CCNA Security

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Configure ISDN Backup and VPN Connection

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

Multi-Homing Dual WAN Firewall Router

How To Configure L2TP VPN Connection for MAC OS X client

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc.

Lab 8.3.3b Configuring a Remote Router Using SSH

Allworx Installation Course

Preparing the Computers for TCP/IP Networking

Phone: Fax: Box: 230

Setting Up Scan to SMB on TaskALFA series MFP s.

Windows Server 2008 R2 Initial Configuration Tasks

How To Connect To Ecs.Org From A Pc Or Mac Or Ipad (For A Laptop) With A Network Connection (For Mac) With The Ipad Or Ipa (For Pc Or Ipac) With An Ipa Or Ip

Guideline for setting up a functional VPN

SSL VPN Service. Once you have installed the AnyConnect Secure Mobility Client, this document is available by clicking on the Help icon on the client.

MFC6490CW Windows Network Connection Repair Instructions

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Configuring PDM. Starting PDM with Internet Explorer CHAPTER

Lab - Configure a Windows 7 Firewall

Chapter 10 Troubleshooting

Technical Notes TN 1 - ETG FactoryCast Gateway TSX ETG 3021 / 3022 modules. How to Setup a GPRS Connection?

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

VPN Quick Configuration Guide. Astaro Security Gateway V8

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Remote Access for Cisco Unity 8.x

MFC7840W Windows Network Connection Repair Instructions

Chapter 6 Basic Virtual Private Networking

Configuring SSH Sentinel VPN client and D-Link DFL-500 Firewall

StarMOBILE Network Configuration Guide. A guide to configuring your StarMOBILE system for networking

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

How to Setup and Connect to an FTP Server Using FileZilla. Part I: Setting up the server

TELNET CLIENT 5.11 SSH SUPPORT

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap (

Manual Wireless Extender Setup Instructions. Before you start, there are two things you will need. 1. Laptop computer 2. Router s security key

Skills Assessment Student Training Exam

SonicWALL Global Management System Configuration Guide Standard Edition

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example

OpenVPN over SSH tunneling

Lab 1: Network Devices and Technologies - Capturing Network Traffic

OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

Lab Configuring PAT with SDM and Static NAT using Cisco IOS Commands

How To Configure Apple ipad for Cyberoam L2TP

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

3.1 Connecting to a Router and Basic Configuration

Intel vpro. Technology-based PCs SETUP & CONFIGURATION GUIDE FOR

your Gateway Windows network installationguide b wireless series Router model WBR-100 Configuring Installing

Projetex 9 Workstation Setup Quick Start Guide 2012 Advanced International Translations

HOW TO CONFIGURE CISCO FIREWALL PART I

Internet Access to a DVR365

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

Network Load Balancing

Deployment Guide: Transparent Mode

Connecting to HomeRun over the Web

Lab Configure Remote Access Using Cisco Easy VPN

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

How to setup a VPN on Windows XP in Safari.

Keying Mode: Main Mode with No PFS (perfect forward secrecy) SA Authentication Method: Pre-Shared key Keying Group: DH (Diffie Hellman) Group 1

Stealth OpenVPN and SSH Tunneling Over HTTPS

Lab Configure Basic AP Security through IOS CLI

REMOTE ACCESS VPN NETWORK DIAGRAM

Install and configure SSH server

Basics of Port Forwarding on a Router for Security DVR s

Campus VPN. Version 1.0 September 22, 2008

Astaro User Portal: Getting Software and Certificates Astaro IPsec Client: Configuring the Client...14

Qvis Security Technical Support Field Manual LX Series

Technical Support Information

Transcription:

University of Pittsburgh School of Information Science IS2820/TEL2813 - Security Management Lab assignment #2 IPSec and VPN Tunnels (Document version 1.1) Lab GSA: Carlos Caicedo Page I. Lab resources for this assignment... 1 II. Preliminary questions... 2 III. Bibliographical references... 2 IV. Setup Description:... 3 V. Lab Objective... 4 A. Part A:... 4 B. Part B:... 4 VI. Technical details... 5 A. Address pools... 5 B. IP addresses for the PIX firewalls... 5 C. Routing information and default route settings... 5 D. VPN Tunnel parameters... 6 E. Connecting to and configuring the PIX firewalls... 6 F. Erasing previous configurations on the PIX firewall... 6 G. Log in for the Windows Vista machines... 7 H. Establishing a FTP session... 7 I. Establishing a Telnet Session... 7 J. Running Wireshark to capture packets... 8 VII. Lab report... 8 I. Lab resources for this assignment 2 PIX 501 Firewalls (PIX1, PIX2) 5 Windows Vista PCs (SECURITY02, 05, 06, 07, 10) 2 Cisco WS 2940 Workgroup switches (glswitch1, glswitch2) 1 Cisco WS 3550 switch/router 1 Hub Cables and patch cords IPSec and VPN tunnels 1

II. Preliminary questions You must have submitted the answers to these questions before you attempt to do the lab assignment. The GSA or course instructor will give you the dates for submission of the answers to these questions and of the lab report. 1. What are the benefits or disadvantages of VPNs? Briefly mention the ways in which VPNs can be implemented. 2. What is IPSec? Briefly describe the operation modes of IPSec. 3. What are the setup phases of the ISAKMP/IKE protocol? a. Describe each of them. b. What information is required during each phase? c. What commands are useful to setup ISAMP/IKE on a PIX? III. Bibliographical references These are some references you can use to prepare for this lab. They are available online via PittCat. Title: Cisco security specialist's guide to PIX Firewall Author: Osipov, Vitaly. Published: Rockland, Mass. : Syngress Pub., c2002. Read: Chapter 7 Title: CCSP Cisco Secure PIX firewall advanced exam certification guide Author: Bastien, Greg. Published: Indianapolis, IN : Cisco Press, c2003. Read: Chapters 11 and 12 IPSec and VPN tunnels 2

IV. Setup Description: The network structure for this lab is shown in figure 1. All computers shown have the IP addresses displayed in the figure and are configured as FTP and Telnet servers. Figure 1 Node Computer Label IP address Comments PC1 SECURITY07 10.10.10.2 Node in the private network LAN1 PC2 SECURITY06 ------------ Node in the public network PC3 SECURITY10 10.10.3.2 Node in the private network LAN2 PC4 SECURITY05 192.168.35.7 Node in the public network PC5 SECURITY02 ------------ This computer will be used as the configuration terminal (not shown in figure 1) IPSec and VPN tunnels 3

V. Lab Objective You must establish an IPSec VPN tunnel between the two firewalls (PIX1 and PIX2) so that the traffic that flows through the tunnel from LAN1 to LAN2 is encrypted and cannot be interpreted by any intruder in the public network. Note: No certificate authority is required for this lab. Read all sections of this document so that you are informed of the details of the tasks that you ll have to perform and the methods you ll use to perform them. A. Part A: Requirements 1. Allow telnet access to PC1 from any PC outside LAN1. a. PC1s true IP address should not be revealed so it is recommended that you create a static NAT entry for PC1 2. Configure NAT in PIX 1 and PIX2 3. Establish a telnet session from PC3 to PC1 and capture the session s traffic with Wireshark on PC2 (The Intruder s PC). Login from PC3 to PC1 with your StudentAdmin account. Tasks 1. Analyze the captured traffic and determine the packets in which the StudentAdmin s account password is being sent. Compliance criteria for Part A: 1. Users from the networks outside LAN1 (PC3 and PC4) can telnet to PC1 2. Traffic from the private network that goes into the public network must not reveal the private network s IP addresses. 3. The traffic flow between LAN 1 and LAN 2 can be captured for your analysis. B. Part B: Requirements 1. Reconfigure PIX1 and PIX2 to establish an IPSec VPN tunnel between them that will secure traffic flowing from LAN1 to LAN2. This means, securing traffic that will flow between networks 10.10.10.0 and 10.10.3.0 Note: For true VPN functionality, NO address translation must affect traffic flow between LAN1 and LAN2 ONLY. Additionally, services on LAN1 and LAN2 should work for any user of either LAN. 2. Establish a telnet session from PC3 to PC1 and capture the session s traffic with Wireshark on PC2. Login from PC3 to PC1 with your StudentAdmin account. IPSec and VPN tunnels 4

Tasks 1. Analyze the captured traffic and determine the differences with the packets captured for a similar session in part A. 2. Can you access any service on the PCs of LAN1 or LAN2 from PC4? Can the PCs from either LAN access services on PC4? What does this tell you about the security of the VPN tunnel you have configured? Compliance criteria for Part B: 1. Telnet and FTP access among the computers on LAN1 and LAN 2 works. (PC1 can Telnet to PC3 and vice versa, PC1 can FTP to PC3 and vice versa) 2. The captured traffic flow between LAN1 and LAN2 shows encrypted packets. VI. Technical details A. Address pools LAN1 s internal (private) address pool for its network is 10.10.10.0 with a netmask of 255.255.255.0 LAN1 s external (public) address pool is 192.168.2.1 192.168.2.63 However, 192.168.2.1 has to be assigned to PIX1 s outside interface LAN2 s internal (private) address pool for its network is 10.10.3.0 with a netmask of 255.255.255.0 LAN2 s external (public) address pool is 192.168.10.1 192.168.10.63 However, 192.168.10.1 has to be assigned to PIX2 s outside interface B. IP addresses for the PIX firewalls PIX1 Inside interface : 10.10.10.1 Outside interface: 192.168.2.1 (Use the hostname command to provide a name to the firewall name to pix1) hostname pix1 sets the PIX2 Inside interface : 10.10.3.1 Outside interface: 192.168.10.1 (Use the hostname command to provide a name to the firewall) C. Routing information and default route settings Traffic between LAN1 and LAN2 has to go through a public routed network in this assignment. The routing settings for this network have been set for you but you must take care of indicating the correct default gateways to the firewalls that will take care of the traffic of LAN1 and LAN2 as follows: IPSec and VPN tunnels 5

On PIX1 set the default gateway to be 192.168.2.65 On PIX2 set the default gateway to be 192.168.10.65 D. VPN Tunnel parameters Use only ESP since traffic is going through a public network. Use pre-shared keys for device authentication. The key can be a string of characters and numbers selected by you. Example: cisco123. For encryption use DES only. All other parameter values (DH group, HMAC standard, etc) should be chosen by each student group. E. Connecting to and configuring the PIX firewalls You will be configuring two PIX firewalls with one configuration terminal (PC5). In order to connect the configuration terminal to the appropriate firewall you will have to move the selector knob in the data switch box that you ll find in the lab. If you position the selector knob in the A position the configuration terminal will be connected to the PIX1 firewall. To connect to the PIX2 firewall, move the selector knob to the C position. Do not tamper with the cables connected to the data switch, just move the selector knob. Once you have selected the firewall that you want to configure, you can activate a configuration terminal on PC5 by double clicking on the icon of the application called putty which should be in the desktop of PC5 s Windows Vista environment. Once activated, double click on the Security Lab session configuration to connect to the PIX. You might have to press the Enter key several times to wake up the connection. F. Erasing previous configurations on the PIX firewall Before starting to configure the PIX firewall you should erase any previous configuration already stored on it so that you can start your work from an unconfigured system. To do this enter privileged mode on the PIX firewall and use the following commands: write erase reload These commands erase the current configuration from the flash memory of the PIX and reboot the firewall. To start configuring the PIX answer yes to any prompt that shows up except for the one that says Pre-configure PIX Firewall now through iterative prompts? to which you should answer no. IPSec and VPN tunnels 6

After all this you ll be left at the prompt of the unprivileged mode of the PIX. Since there is no configuration stored on it, the enable (privileged mode) password is blank. When asked for the enable password just press the Enter key. When you have finished this lab assignment, erase the configuration that you have provided to the PIX firewall so the next student team will also start from an unconfigured system. G. Log in for the Windows Vista machines For your work in this lab you will use the username StudentAdmin with password security on all Windows Vista based machines. H. Establishing a FTP session To establish a FTP session from machine A to machine B do the following: 1. Open a command screen from machine A: Press and hold the Windows key while also pressing the key for the letter R. The Run command window should open. Write cmd in the Run command window. A black text based command screen window should open up. 2. On the command screen start a FTP session to machine B by executing: ftp <ip_address_of_machine_b> 3. Login as user anonymous, there is no password so you can press the Enter key at the password prompt. 4. When you want to logout of the FTP server type quit I. Establishing a Telnet Session To establish a Telnet session from machine A to machine B do the following: 1. Open a command screen from machine A: Press and hold the Windows key while also pressing the key for the letter R. The Run command window should open. Write cmd in the Run command window. A black text based command screen window should open up. 2. On the command screen start an FTP session of machine B by executing: telnet <ip_address_of_machine_b> 3. You don t need to write your account and password information. These have been pre-configured for you. In this session you will be logging in to Machine B you re your StudentAdmin account. The system will give you a message asking you if you want to send your password information, type y (for yes) to proceed. IPSec and VPN tunnels 7

4. Although the screen might not change substantially, you can verify that you are connected to Machine B because its IP address will be displayed in the upper right hand corner of the Telnet window. 5. When you want to exit the telnet session type exit. J. Running Wireshark to capture packets The software application Wireshark is installed on all computers of the security lab. However for this lab you will only need to activate it in PC2. To activate Wireshark and start a packet capture, do the following: 1. Login into each machine as StudentAdmin 2. Activate the Wireshark icon that is on the Desktop 3. Go to the Capture menu and click on the OK button to start the packet capture. A capture progress window should pop-up. 4. Once enough packets have been captured or enough time has elapsed, click on the Stop button. Capture only the packets you need in order to make your analysis easier. 5. Once you have stopped the packet capture, you should be able to recognize three different screen sections: The packet list section (upper section), the packet details section (middle section) and the packet bytes section (lower section). Each time you select a packet in the packet list section the other two sections will change accordingly. You can now analyze the captured packets as you wish. Note: The Filter: text field on the main screen allows you to specify which packets should be displayed on the packet list section of the screen. Use this to get a view of only those packets that you are interested in. For example, if you write telnet in this field you will only see the packets related to a captured telnet session. VII. Lab report The lab report for this assignment should include. 1. Printout or screen capture of one of the packets captured with Wireshark for part A and another for part B. 2. Include the configuration file that satisfies the requirements of Part A and the configuration file that satisfies the requirements of Part B (or a list of changes that you had to do to Part A s configuration). Include a list of the VPN parameters that were chosen by you and their respective values. 3. Explain the information contained in at least one of the packets that relate to task 1 of part A 4. Write down the analysis you completed for task 1 of part B 5. Answer the questions mentioned in task 2 of part B IPSec and VPN tunnels 8

Tip: To capture the configuration of the firewall, open a Terminal connection through the console port of the firewall (as explained in the introductory session), enter privileged mode and execute the show running configuration command (The short version is sh run). Then select the configuration text and press Ctrl-C. Open a text editor (like Wordpad) and paste the configuration text with Crl-V. Save the file and include its contents in the report. IPSec and VPN tunnels 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information