Lab assignment #1 Firewall operation and Access Control Lists



Similar documents
Lab assignment #2 IPSec and VPN Tunnels (Document version 1.1)

Lab Exercise Configure the PIX Firewall and a Cisco Router

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

Lab - Configure a Windows Vista Firewall

Lab Configuring Access Policies and DMZ Settings

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Lab Configuring Access Policies and DMZ Settings

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Lab - Configure a Windows 7 Firewall

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

Configuring the PIX Firewall with PDM

Lab 1: Network Devices and Technologies - Capturing Network Traffic

Skills Assessment Student Training Exam

ILTA HANDS ON Securing Windows 7

In this lab you will explore the Windows XP Firewall and configure some advanced settings.

SSL VPN Service. Once you have installed the AnyConnect Secure Mobility Client, this document is available by clicking on the Help icon on the client.

HOW TO CONFIGURE CISCO FIREWALL PART I

Lab - Configure a Windows XP Firewall

The FlexiSchools Online Order Management (FOOM) Installation Guide

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Installation Notes for Outpost Network Security (ONS) version 3.2

LAB THREE STATIC ROUTING

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Network Monitoring User Guide Pulse Appliance

Fundamentals of UNIX Lab Networking Commands (Estimated time: 45 min.)

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

1 PC to WX64 direction connection with crossover cable or hub/switch

Stealth OpenVPN and SSH Tunneling Over HTTPS

Lab 3 Routing Information Protocol (RIPv1) on a Cisco Router Network

Updating MNS-BB CUSTOMER SUPPORT INFORMATION PK012906

LAB Configuring NAT. Objective. Background/Preparation

Lab Developing ACLs to Implement Firewall Rule Sets

MFC6490CW Windows Network Connection Repair Instructions

Intel vpro. Technology-based PCs SETUP & CONFIGURATION GUIDE FOR

Windows Server 2008 R2 Initial Configuration Tasks

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

3.1 Connecting to a Router and Basic Configuration

[HOW TO RECOVER AN INFINITI/EVOLUTION MODEM IDX ] 1

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap (

Lab Configuring the PIX Firewall as a DHCP Server

Applicazioni Telematiche

School of Information Technology and Engineering (SITE) CEG 4395: Computer Network Management. Lab 4: Remote Monitoring (RMON) Operations

Connecting to the Firewall Services Module and Managing the Configuration

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

Lab Configure Cisco IOS Firewall CBAC

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version /2004

NAS 253 Introduction to Backup Plan

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

The FlexiSchools Online Order Management System Installation Guide

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

Lab 1: Introduction to the network lab

How to Setup and Connect to an FTP Server Using FileZilla. Part I: Setting up the server

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

Backup and Recovery Procedures

Remote PC Guide for Standalone PC Implementation

Howto: Changing Password for an Ingate Firewall 1450/1500/1550/1600/1650/1900 or Ingate SIParator 45/50/55/60/65/90

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Lab 2 - Basic Router Configuration

a) Network connection problems (check these for existing installations)

1 crossover cable. the PCs. network

Lab Configure IOS Firewall IDS

Basics of Port Forwarding on a Router for Security DVR s

Internet Access to a DVR365

Multi-Homing Dual WAN Firewall Router

Securing Networks with PIX and ASA

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

The FlexiSchools Online Order Management System Installation Guide

Basic Router and Switch Instructions (Cisco Devices)

USER MANUAL GUIMGR Graphical User Interface Manager for FRM301/FRM401 Media Racks

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Changing Password for Ingate Firewalls/SIParators Rickard Nilsson

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

This techno knowledge paper can help you if: You need to setup a WAN connection between a Patton Router and a NetGuardian.

Configuring a Cisco 2509-RJ Terminal Router

Network Connect & Junos Pulse Performance Logs on Windows

Lab Creating a Logical Network Diagram

Install and configure SSH server

Device LinkUP + Desktop LP Guide RDP

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Lab - Observing DNS Resolution

Automated Penetration Test

Lab Advanced Telnet Operations

SETTING UP REMOTE ACCESS ON EYEMAX PC BASED DVR.

IsItUp Quick Start Manual

Configuring Security for FTP Traffic

Lab Configure Basic AP Security through IOS CLI

How To Gather Log Files On A Pulse Secure Server On A Pc Or Ipad (For A Free Download) On A Network Or Ipa (For Free) On An Ipa Or Ipv (For An Ubuntu) On Your Pc

Allworx Installation Course

Lab 8.3.3b Configuring a Remote Router Using SSH

Barbara Ann Karmanos Cancer Institute. Instructions for Installing Cisco Systems VPN Client

9 Headless Systems & Remote Management

IIS, FTP Server and Windows

MFC8890DW Vista Network Connection Repair Instructions

Chapter 7 Troubleshooting

User Guide Microsoft Exchange Remote Test Instructions

CIS 4361: Applied Security Lab 4

How to Use vsphere to Connect to and Manage an ESXi Hypervisor Installation

Configuring the Switch with the CLI Setup Program

Transcription:

University of Pittsburgh School of Information Science IS2820/TEL2813 - Security Management Lab GSA: Carlos Caicedo Document version: 1.0 / 2008 I. Lab resources for this assignment Lab assignment #1 Firewall operation and Access Control Lists PIX 501 Firewall (PIX 1) 4 Windows Vista PCs (SECURITY02, 05, 06, 07) 1 WS 2940 Workgroup switches (glswitch1) 1 Hub (HUB 01) Cables and patch cords II. Preliminary questions Answer these questions and turn in your answers at the time and date specified by the instructor or GSA. 1. What is the difference between Network Address Translation (NAT) and Port Address Translation (PAT)? 2. Read the assignment statement and figure out the necessary address translation scheme that you ll need to use as well as the commands required to implement it. Write the details of your address translation scheme and the sequence of commands you will issue. You might figure out that you need to change some of your commands when you actually get to configure the equipment but this will give you a good point to start with. 3. To test your configuration you might want to use the ping command, however this command relies on ICMP protocol based messages. Unless you allow these messages to go through the firewall you cannot use ping to test reachability. a. How does a PIX firewall handle ICMP messages by default? b. How do you allow ICMP messages to go through the firewall? Note: If you enable ping during the testing/debugging phase of your configuration process make sure that you take out any configuration changes that allowed ping (ICMP) traffic to go through the firewall before turning in your results. 1

III. Setup description: The network structure for this lab is shown in figure 1. All computers shown have the IP addresses displayed in the figure and are configured as FTP and Telnet servers. Figure 1 Node Computer Label IP address Comments PC1 SECURITY05 10.10.10.2 Node in the private network PC2 SECURITY06 10.10.10.3 Node in the private network PC3 SECURITY07 192.168.11.23 Node in the public network PC4 SECURITY02 192.168.11.24 This computer will be used as the configuration terminal (with putty) and as a packet sniffer (with WireShark) IV. Lab objective You must restrict the traffic between the Company X s private (inside) network and the public (outside) network according to the following requirements: Part A: Permit FTP access from the public network to PC1 in the private network, no private IP addresses should be exposed in the process. Telnet access from the public network to PC1 is not to be allowed FTP and Telnet from the public network to PC2 is not to be allowed FTP and Telnet access from the private network PCs to the public network PCs is allowed The true IP addresses of the computers on the private network should not be seen in the public network. Use the address pools that are mentioned in section IV 2

Part B: Modify the configuration of Part A to deny FTP and Telnet access from private network PCs to the public network Satisfaction of these requirements can be approved by satisfying the following criteria: Compliance criteria for Part A: 1. Users from the public network should be able to FTP to PC1 but not to PC2. Users FTP to PC1 without directly using one of Company X s private IP addresses. 2. Traffic from the private network that goes into the public network must not reveal the private network s IP addresses. The packet sniffer should be used to validate this. 3. Telnet access from the public network to PCs in the private network should not work 4. Telnet and FTP access from the private network PCs to the public network s PCs works. Compliance criteria for Part B: 1. Satisfy compliance criteria 1, 2 and 3 of part A 2. Telnet and FTP access from the private network PCs to the public network s PCs does not work. V. Technical details Log in for the Windows Vista machines For your work in this lab you will use the username StudentAdmin with password security on all Windows Vista based machines. Address pools Company s X private address pool for its network is 10.10.10.0 with a netmask of 255.255.255.0 Company s X public address pool is 192.168.11.0 192.168.11.7 although only addresses from 192.168.11.1 192.168.11.6 are usable. Connecting to and configuring the PIX1 firewall Configuration of the PIX1 firewall will be done through the console port of the PIX which is attached to a blue cable and a USB to Serial adapter on PC4. Do not remove the blue cable under any circumstance. To activate a configuration terminal on PC4, double click on the icon of the application called putty which should be in the desktop of PC4 s Windows Vista. Once activated double click on the Security Lab session configuration to connect to the PIX. You might have to press the Enter key several times to wake up the connection. You will not be using the PIX Device Manager s graphical user interface to configure the firewall in this assignment. 3

Erasing previous configurations on the PIX firewall Before starting to configure the PIX firewall you should erase any previous configuration already stored on it so that you can start your work from an unconfigured system. To do this enter privileged mode on the PIX firewall and use the following commands: write erase reload These commands erase the current configuration from the flash memory of the PIX and reboot the firewall. To start configuring the PIX answer yes to any prompt that shows up except for the one that says Pre-configure PIX Firewall now through iterative prompts? to which you should answer no. After all this you ll be left at the prompt of the unprivileged mode of the PIX. Since there is no configuration stored on it, the enable (privileged mode) password is blank. When asked for the enable password just press the Enter key. When you have finished this lab assignment, erase the configuration that you have provided to the PIX firewall so the next student team will also start from an unconfigured system. IP address for the Firewall s interfaces To have a good behaving network setup and to avoid having to configure any IP address and routing details on the PC nodes you must assign IP address 10.10.10.1 to the inside interface of the firewall and IP address 192.168.11.1 to the outside interface. Note that this means that you ll be reserving and using one of addresses from your public address pool to identify your connection to the public network (outside interface). Establishing a FTP session To establish a FTP session from machine A to machine B do the following: 1. Open a command screen from machine A: Press and hold the Windows key while also pressing the key for the letter R. The Run command window should open. Write cmd in the Run command window. A black text based command screen window should open up. 2. On the command screen start a FTP session to machine B by executing: ftp <ip_address_of_machine_b> 3. Login as user anonymous, there is no password so you can press the Enter key at the password prompt. 4. When you want to logout of the FTP server type quit 4

Establishing a Telnet Session To establish a Telnet session from machine A to machine B do the following: 1. Open a command screen from machine A: Press and hold the Windows key while also pressing the key for the letter R. The Run command window should open. Write cmd in the Run command window. A black text based command screen window should open up. 2. On the command screen start an FTP session of machine B by executing: telnet <ip_address_of_machine_b> 3. You don t need to write your account and password information. These have been pre-configured for you. In this session you will be logging in to Machine B you re your StudentAdmin account. The system will give you a message asking you if you want to send your password information, type y (for yes) to proceed. 4. Although the screen might not change substantially, you can verify that you are connected to Machine B because its IP address will be displayed in the upper right hand corner of the Telnet window. 5. When you want to exit the telnet session type exit. VI. Lab report The lab report for this assignment should include. 1. Answers to the questions posted in the Preliminary Questions section of this assignment if they have not been requested before by the instructor or GSA. 2. Evidence that you satisfy two of the compliance criteria for Part A and Part B by posting the screenshots or text of any kind of test that you conducted to verify such compliance. You can use the Windows Vista snipping tool located in the Accessories folder to capture screenshots. Just make sure to delete the files before you leave the lab. 3. Final configuration of the PIX firewall that satisfies all the compliance criteria. Include the configuration file that satisfies the requirements of Part A and the configuration file that satisfies the requirements of Part B (or a list of changes that you had to do to Part A s configuration). Tip: To capture the configuration of the firewall, open a Terminal connection through the console port of the firewall (as explained in the introductory session), enter privileged mode and execute the show running configuration command (The short version is sh run). Then select the configuration text and press Ctrl-C. Open a text editor (like Wordpad) and paste the configuration text with Crl-V. Save the file and include its contents in the report. 5

VII. Firewall Lab references These are some references you can use to prepare for this lab. They are available online via PittCat. Title: Cisco security specialist's guide to PIX Firewall [electronic resource] / Vitaly Osipov. Author: Osipov, Vitaly. Published: Rockland, Mass. : Syngress Pub., c2002. Read: Chapters 2 and 3 (4 is optional), (9 if you plan to use graphical GUI) Title: CCSP Cisco Secure PIX firewall advanced exam certification guide [electronic resource] : CCSP self-study / [Greg Bastien and Christian Degu]. Author: Bastien, Greg. Published: Indianapolis, IN : Cisco Press, c2003. Read: Chapters 5 and 6 Title: Managing Cisco network security [electronic resource] / Eric Knipp... [et al.] ; technical editor, Edgar Danielyan. Edition: 2nd ed. Published: Rockland, Mass. : Syngress Media, c2002. Read: Chapters 3 5 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information