CCNA Labskill Chapter 8
Posted October 31, 2010
Lab 8.4.2 Configuring Access Policies and DMZ Settings
- Log in to a multi-function device and view security settings.
- Set up Internet access policies based on IP address and application.
- Set up a DMZ for an open access server with a static IP address.
- Set up port forwarding to limit port accessibility to only HTTP.
- Use the Linksys WRT300N Help features.
Background / Preparation
This lab provides instructions for configuring security settings for the Linksys WRT300N. The Linksys provides a software-based firewall to protect internal, local-network clients from attack by external hosts. Connections from internal hosts to external destinations can be filtered based on the IP address, destination website, and application. The Linksys can also be configured to create a demilitarized zone (DMZ) to control access to a server from external hosts. This lab is done in teams of two, and two teams can work together to test each other’s access restrictions and DMZ functionality. It is divided into 2 parts:
- Part 1 – Configuring access policies
- Part 2 – Configuring DMZ settings
The following resources are required:
- Linksys WRT300N or other multi-function device with the default configuration
- User ID and password for the Linksys device if different than the default
- Computer running Windows XP Professional to access the Linksys GUI
- Internal PC to act as a server in the DMZ with HTTP and Telnet servers installed (preconfigured or Discovery Live CD server)
- External server to represent the ISP and Internet, with preconfigured DHCP, HTTP, and Telnet servers running (real server with services installed or Discovery Live CD server)
- Cabling to connect the PC hosts, Linksys WRT300N or multi-function device, and switches
Part 1 – Configuring access policies
Step 1: Build the network and configure the hosts
- Connect the host computers to switch ports on the multi-function device as shown in the topology diagram. Host-A is the console and is used to access the Linksys GUI. Host-B is initially a test machine but later becomes the DMZ server.
- Configure the IP settings for both hosts using Windows XP Network Connections and TCP/IP properties. Verify that Host-A is configured as a DHCP client. Assign a static IP address to Host-B in the 192.168.1.x range with a subnet mask of 255.255.255.0. The default gateway should be the internal local network address of the Linksys device.
NOTE: If Host-B is already a DHCP client, you can reserve its current address and make it static using the DHCP Reservation feature on the Linksys Basic Setup screen.
- Use the ipconfig command to display the IP address, subnet mask, and default gateway for Host-A and Host-B and record them in the table. Obtain the IP address and subnet mask of the external server from the instructor and record them in the table.

| Host | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|
| Host-A | | | |
| Host-B | | | |
| External server | | | |
Step 2: Log in to the user interface
- To access the Linksys or multi-function device web-based GUI, open a browser and enter the default internal IP address for the device, normally 192.168.1.1.
- Log in using the default user ID and password, or check with the instructor if they are different.
- The multi-function device should be configured to obtain an IP address from the external DHCP server. The default screen after logging in to the multi-function device is Setup > Basic Setup. What is the Internet connection type?
The Internet connection type is a wireless Internet connection.
- What is the default router (internal) IP address and subnet mask for the multi-function device?
Default router : 192.168.1.1
Subnet mask : 255.255.255.0
- Verify that the multi-function device has received an external IP address from the DHCP server by clicking the Status > Router tab.
- What is the external IP address and subnet mask assigned to the multi-function device?
External IP address : 192.168.3.1
Subnet mask : 255.255.255.0
Step 3: View multi-function device firewall settings
- The Linksys WRT300N provides a basic firewall that uses Network Address Translation (NAT). In addition, it provides additional firewall functionality using Stateful Packet Inspection (SPI) to detect and block unsolicited traffic from the Internet.
- From the main screen, click the Security tab to view the Firewall and Internet Filter status. What is the status of SPI Firewall protection?
The status is enabled.
- Which Internet Filter checkboxes are selected?
The Internet filter selected is Filter Anonymous Internet Requests.
- Click Help to learn more about these settings. What benefits does filtering IDENT provide?
The benefit is that it prevents attacks on the router from the Internet.
Step 4: Set up Internet access restrictions based on IP address
In Lab 7.3.5, you saw that wireless security features can be used to control which wireless client computers can access the multi-function device, based on their MAC address. This prevents unauthorized external computers from connecting to the wireless access point (AP) and gaining access to the internal local network and the Internet.
The multi-function device can also control which internal users can get out to the Internet from the local network. You can create an Internet access policy to deny or allow specific internal computers access to the Internet based on the IP address, MAC address, and other criteria.
- From the main multi-function device screen, click the Access Restrictions tab to define Access Policy 1.
- Enter Block-IP as the policy name. Select Enabled to enable the policy, and then select Deny to prevent Internet access from a specified IP address.
- Click the Edit List button and enter the IP address of Host-B. Click Save Settings and then Close. Click Save Settings to save Internet Access Policy 1 – Block IP.
- Test the policy by attempting to access the external web server from Host-B. Open a browser and enter the IP address of the external server in the address area. Are you able to access the server?
Yes, access to the server is enabled.
- Change the status of the Block-IP Policy to Disabled and click Save Settings. Are you able to access the server now?
No, because it is in the disabled state.
- What other ways can access policies be used to block Internet access?
Another way is to use a proxy.
Step 5: Set up an Internet access policy based on an application
You can create an Internet access policy to block specific computers from using certain Internet applications or protocols on the Internet.
- From the main Linksys GUI screen, click the Access Restrictions tab to define an Internet Access Policy.
- Enter Block-Telnet as the policy name. Select Enabled to enable the policy, and then click Allow to permit Internet access from a specified IP address as long as it is not one of the applications that is blocked.
- Click the Edit List button and enter the IP address of Host-B. Click Save Settings and then Close. What other Internet applications and protocols can be blocked?
- Select the Telnet application from the list of applications that can be blocked and then click the double right arrow to add it to the Blocked List. Click Save Settings.
- Test the policy by opening a command prompt using Start > All Programs > Accessories > Command Prompt.
- Ping the IP address of the external server from Host-B using the ping command. Are you able to ping the server?
Yes, I was able to ping the server.
- Telnet to the IP address of the external server from Host-B using the command telnet A.B.C.D (where A.B.C.D is the IP address of the server).
- Are you able to telnet to the server?
NOTE: If you are not going to perform lab Part 2 at this time and others will be using the equipment after you, skip to Step 3 of Part 2 and restore the multi-function device to its default settings.
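The two policies built in Steps 4 and 5 behave differently: a Deny policy blocks every outbound request from the listed PCs, while an Allow policy lets the listed PCs out except for the applications on its Blocked List, and a Disabled policy is ignored. The following Python model is an added illustration of that evaluation order, not Linksys firmware code; the Host-B address, the application-to-port table, and the "unlisted hosts are allowed" default are assumptions made for the example.

```python
"""Model of the WRT300N Access Restrictions behaviour from Part 1, Steps 4-5.
Added example; the policy fields mirror the GUI screens, the port mapping
and the sample addresses are constructed for this illustration."""
from dataclasses import dataclass, field

# Applications as the GUI lists them, mapped to (protocol, port). Assumed values.
APPLICATIONS = {
    "HTTP": ("tcp", 80),
    "Telnet": ("tcp", 23),
    "FTP": ("tcp", 21),
}


@dataclass
class AccessPolicy:
    name: str
    enabled: bool
    action: str                                   # "Deny" or "Allow", as on the GUI
    pcs: set = field(default_factory=set)         # IP addresses entered via Edit List
    blocked_apps: set = field(default_factory=set)  # Blocked List (used by Allow policies)


def allowed(policies, src_ip, proto, port):
    """Return True if an outbound request from src_ip may leave for the Internet.

    Policies are checked in order; the first enabled policy that lists src_ip
    decides. Deny blocks everything from that PC; Allow permits it unless the
    requested (proto, port) matches an application on the Blocked List.
    A host matched by no policy is allowed out (assumed default)."""
    for policy in policies:
        if not policy.enabled or src_ip not in policy.pcs:
            continue
        if policy.action == "Deny":
            return False
        for app in policy.blocked_apps:
            if APPLICATIONS.get(app) == (proto, port):
                return False
        return True
    return True


def lab_scenario():
    """Replay the lab's tests and return each outcome keyed by test name."""
    host_b = "192.168.1.50"     # constructed static address for Host-B
    host_a = "192.168.1.100"    # constructed DHCP address for Host-A

    # Step 4: Block-IP enabled -> Host-B cannot reach the external web server
    block_ip = AccessPolicy("Block-IP", True, "Deny", {host_b})
    results = {"block_ip_enabled": allowed([block_ip], host_b, "tcp", 80)}

    # Step 4, later: policy set to Disabled -> Host-B gets out again
    block_ip.enabled = False
    results["block_ip_disabled"] = allowed([block_ip], host_b, "tcp", 80)

    # Step 5: Block-Telnet is an Allow policy with Telnet on the Blocked List
    block_telnet = AccessPolicy("Block-Telnet", True, "Allow", {host_b}, {"Telnet"})
    results["telnet"] = allowed([block_telnet], host_b, "tcp", 23)   # blocked
    results["http"] = allowed([block_telnet], host_b, "tcp", 80)     # still allowed
    results["ping"] = allowed([block_telnet], host_b, "icmp", 0)     # still allowed

    # Host-A is on neither list, so neither policy touches it
    results["host_a_telnet"] = allowed([block_ip, block_telnet], host_a, "tcp", 23)
    return results


if __name__ == "__main__":
    for test, ok in lab_scenario().items():
        print(f"{test:20s} {'allowed' if ok else 'blocked'}")
```

The point the model makes explicit is that the Block-Telnet policy does not block Host-B's ping, which is why the lab has you ping first: a successful ping followed by a failed telnet shows the application filter, not a loss of connectivity, is what stopped the session.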
Part 2 – Configuring a DMZ on the multi-function device
Step 1: Set up a simple DMZ
It is sometimes necessary to allow access to a computer from the Internet while still protecting other internal local network computers. To accomplish this, you can set up a demilitarized zone (DMZ) that allows open access to any ports and services running on the specified server. Any requests made for services to the outside address of the multi-function device will be redirected to the server specified.
- Host-B will act as the DMZ server and should be running HTTP and Telnet servers. Verify that Host-B has a static IP address or, if Host-B is a DHCP client, reserve its current address and make it static using the DHCP Reservation feature on the Linksys device Basic Setup screen.
- From the main Linksys GUI screen, click the Applications & Gaming tab then click DMZ.
- Click Help to learn more about the DMZ. For what other reasons might you want to set up a host in the DMZ?
Because the DMZ is useful for adding a layer of security to the LAN.
- The DMZ feature is disabled by default. Select Enabled to enable the DMZ. Leave the Source IP Address selected as Any IP Address, and enter the IP address of Host-B in the Destination IP address. Click Save Settings and click Continue when prompted.
- Test basic access to the DMZ server by pinging from the external server to the outside address of the multi-function device. Use the ping -a command to verify that it is actually the DMZ server responding and not the multi-function device. Are you able to ping the DMZ server?
Yes, I was able to ping the DMZ server.
- Test HTTP access to the DMZ server by opening a browser on the external server and pointing to the external IP address of the multi-function device. Try the same thing from a browser on Host-A to Host-B using the internal addresses. Are you able to access the web page?
Yes, I was able to access the web page.
- Test Telnet access by opening a command prompt as described in Step 5. Telnet to the outside IP address of the multi-function device using the command telnet A.B.C.D (where A.B.C.D is the outside address of the multi-function device).
Are you able to telnet to the server?
No, there is no access to the Telnet server.
Step 2: Set up a host with single port forwarding
The basic DMZ hosting set up in Step 1 allows open access to all ports and services running on the server, such as HTTP, FTP, and Telnet. If a host is to be used for a particular function, such as FTP or web services, access should be limited to the type of services provided. Single port forwarding can accomplish this and is more secure than the basic DMZ, because it only opens the ports needed. Before completing this step, disable the DMZ settings from Step 1.
Host-B is the server to which ports are forwarded, but access is limited to only HTTP (web) protocol.
- From the main screen, click the Applications & Gaming tab, and then click Single Port Forwarding to specify applications and port numbers.
- Click the pull-down menu for the first entry under Application Name and select HTTP. This is the web server protocol port 80.
- In the first To IP Address field, enter the IP address of Host-B and select Enabled. Click Save Settings.
- Test HTTP access to the DMZ host by opening a browser on the external server and pointing to the outside address of the multi-function device. Try the same thing from a browser on Host-A to Host-B. Are you able to access the web page?
Yes, the web page is accessible.
- Test Telnet access by opening a command prompt as described in Step 5. Attempt to telnet to the outside IP address of the multi-function device using the command telnet A.B.C.D (where A.B.C.D is the outside IP address of the multi-function device).
Are you able to telnet to the server?
There is no access to the Telnet server.
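Steps 1 and 2 of Part 2 are two answers to the same question: which internal host, if any, receives an unsolicited packet that arrives on the router's outside address. The following Python model is an added illustration of that decision and is not router code; the WAN address, the Host-B address, and the probe list are constructed for the example, and it assumes that with no DMZ and no matching forward the SPI firewall simply drops the packet.

```python
"""WAN-side handling of a WRT300N with DMZ hosting versus Single Port
Forwarding (Part 2, Steps 1 and 2). Added example with constructed addresses."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ROUTER_WAN = "192.168.3.1"   # outside address of the multi-function device (from Step 2)
HOST_B = "192.168.1.50"      # constructed static address of the DMZ / forwarding target


@dataclass
class RouterConfig:
    dmz_enabled: bool = False
    dmz_host: Optional[str] = None
    # Single Port Forwarding entries: (protocol, external port) -> internal IP
    forwards: Dict[Tuple[str, int], str] = field(default_factory=dict)


def route_inbound(cfg: RouterConfig, dst_ip: str, proto: str, port: int) -> Optional[str]:
    """Return the internal host that receives an unsolicited inbound packet,
    or None when no internal host is exposed on that protocol/port.

    Order mirrors the lab: an explicit Single Port Forwarding entry wins,
    then the DMZ host catches everything else, otherwise the packet is dropped
    (assumed SPI firewall behaviour for traffic with no matching rule)."""
    if dst_ip != ROUTER_WAN:
        return None
    target = cfg.forwards.get((proto, port))
    if target is not None:
        return target
    if cfg.dmz_enabled and cfg.dmz_host:
        return cfg.dmz_host
    return None


# The services the lab tests from the external server, plus FTP for contrast
PROBES = [("icmp", 0), ("tcp", 80), ("tcp", 23), ("tcp", 21)]


def exposure(cfg: RouterConfig):
    """Map each probe to the internal host it reaches (None = not exposed)."""
    return {probe: route_inbound(cfg, ROUTER_WAN, *probe) for probe in PROBES}


def compare():
    """Step 1 configuration (DMZ on) versus Step 2 (DMZ off, HTTP forwarded)."""
    dmz = RouterConfig(dmz_enabled=True, dmz_host=HOST_B)
    single_port = RouterConfig(forwards={("tcp", 80): HOST_B})
    return exposure(dmz), exposure(single_port)


if __name__ == "__main__":
    dmz_view, spf_view = compare()
    for probe in PROBES:
        print(f"{probe!s:14s} DMZ -> {dmz_view[probe]}   "
              f"single port forwarding -> {spf_view[probe]}")
```

Run stand-alone, the table shows every probe landing on Host-B under the DMZ, and only TCP/80 landing there under single port forwarding, which is the difference the two Telnet tests in the lab are meant to make you observe.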
Step 3: Restore the multi-function device to its default settings
- To restore the Linksys to its factory default settings, click the Administration > Factory Defaults tab.
- Click the Restore Factory Defaults button. Any entries or changes to settings will be lost.
NOTE: The current settings can be saved and restored at a later time using the Administration > Management tab and the Backup Configuration and Restore Configuration buttons.
Lab 8.4.3 Performing a Vulnerability Analysis
CAUTION: This lab may violate legal and organizational security policies. The security analyzer downloaded in this lab should only be used for instructional purposes in a lab environment. Before using a security analyzer on a live network, check with your instructor and network administration staff regarding internal policies concerning the use of these tools.
- Download and install security analyzer software.
- Test a host to determine potential security vulnerabilities.
Background / Preparation
Security analyzers are valuable tools used by network administrators and auditors to identify network and host vulnerabilities. There are many vulnerability analysis tools, also known as security scanners, available to test host and network security. In this lab, you will download and install the Microsoft Baseline Security Analyzer (MBSA). MBSA is designed to identify potential security issues related specifically to Microsoft operating systems, updates, and applications. It also identifies unnecessary services that may be running, as well as any open ports.
MBSA runs on Windows Server and Windows XP systems and scans for common security misconfigurations and missing security updates for the operating system as well as most versions of Internet Information Server (IIS), SQL Server, Internet Explorer (IE), and Office products. MBSA offers specific recommendations to correct potential problems.
This lab can be done individually or in teams of two.
The following resources are required:
- Computer running Windows XP Professional to act as the test station.
- High-speed Internet connection for downloading MBSA (unless pre-installed).
- Computer must be attached to the integrated router switch or a standalone hub or switch.
- Optionally, you can have a server running a combination of DHCP, HTTP, FTP, and Telnet (preconfigured).
Step 1: Download and install MBSA
- Open a browser and go to the MBSA web page at: http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
- What is the latest version of MBSA available?
MBSA version 2.2
- What are some of the features MBSA provides?
- Command-line and Graphical User Interface (GUI) options
- Scan local computer, remote computer, or groups of computers
- Scan against Microsoft's maintained list of updates (on Microsoft.com) or local server running Software Update Services 1.0
- Scan for common security configuration vulnerabilities
- Scan for missing security updates
- View reports in MBSA Graphical User Interface or Command Line Interface
- Compatibility with SMS 2.0 and 2003 Software Update Services Feature Pack
- Support for single processor and multiprocessor configurations
- Localized to English, French, German, and Japanese, although MBSA 1.2.1 can scan a machine of any locale
- Scroll down the page and select the desired language to begin the download process.
- Click Continue to validate the copy of Microsoft Windows you are running.
- Click Download Files below and select the file you want to download. (The English setup file is MBSASetup-EN.msi). Click the Download button on the right of this file. How many megabytes is the file to download?
The file to download is 1.7 MB.
- When the File Download – Security Warning dialog box displays, click Save and download the file to a specified folder or the desktop. You can also run it from the download website.
- Once the download is complete, make sure all other applications are closed. Double-click the downloaded file. Click Run to start the Setup program, and then click Run if you are prompted with a Security Warning. Click Next on the MBSA Setup screen.
- Select the radio button to accept the license agreement and click Next. Accept the defaults as the install progresses, and then click Finish. Click OK on the final MBSA Setup screen, and close the folder to return to the Windows desktop.
Step 2: Build the network and configure the hosts
- Connect the host computer(s) to the integrated router, a hub, or a switch as shown in the topology diagram. Host-A is the test station where MBSA will be installed. The server is optional.
- Set the IP configuration for the host(s) using Windows XP Network Connections and TCP/IP properties. If the host is connected to the integrated router, configure it as a DHCP client; otherwise go to Step 1d.
- If the host is connected to a hub or switch and a DHCP server is not available, configure it manually by assigning a static IP address.
Which IP address and subnet mask does Host-A and the server (optional) have?
IP Address : 192.168.1.1
Subnet mask : 255.255.255.0
Step 3: Run MBSA on a host
- Double-click the desktop icon for MBSA or run it from Start > All Programs. When the main screen displays, which options are available?
- Pick a computer to scan
- Pick multiple computers to scan
- Pick a security report to view
- Microsoft Security Web Site
Step 4: Select a computer to scan
- On the left side of the screen, click Pick a computer to scan. The computer shown as the default is the one on which MBSA is installed.
- What are the two ways to specify a computer to be scanned?
The ways are:
- Scan using assigned Update Services servers only
- Scan using Microsoft Update only
- Accept the default computer to be scanned. De-select Check for IIS and SQL administrative vulnerabilities, since these services are not likely to be installed on the computer being scanned. Click Start Scan.
Step 5: View security update scan results
- View the security report. What are the results of the security update scan
There is no scan result file.
- If there are any red or yellow Xs, click How to correct this. Which solution is recommended?
There are no red or yellow Xs.
Step 6: View Windows scan results in the security report
- Scroll down to view the second section of the report that shows Windows Scan Results. Were there any administrative vulnerabilities identified?
Local Account Password Test, Automatic Update, Guest Account, File system.
- On the Additional System Information section of the screen (below), in the Issue column for Services, click What was scanned, and click Result details under the Result column to get a description of the check that was run. What did you find? When finished, close both popup windows to return to the security report.
Step 7: View Desktop Application Scan Results in the Security report
- Scroll down to view the last section of the report that shows Desktop Applications Scan Results. Were there any administrative vulnerabilities identified?
- How many Microsoft Office products are installed?
There are 4 Microsoft Office products installed.
- Were there any security issues with Macro Security for any of them?
There is no security for the others.
Step 8: Scan a server, if available
- If a server with various services is available, click Pick a computer to scan from the main MBSA screen and enter the IP address of the server, and then click Start Scan. Which security vulnerabilities were identified?
- Were there any potentially unnecessary services installed? Which port numbers were they on?
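The last two questions ask which listening ports a scanned server has and which of them belong to services it may not need. A small added example, not MBSA code, shows the check a reviewer does by hand: parse `netstat -an` output, keep only listening sockets, and mark the cleartext remote-access services (FTP, Telnet) for review. The netstat excerpt below is constructed for this example, and the port table is an assumption limited to the services this lab mentions.

```python
"""Summarise listening ports from Windows `netstat -an` output and flag the
services an MBSA-style review would question (Lab 8.4.3, Step 8).
Added example; the netstat text and the port table are constructed."""
import re

# Constructed excerpt in the layout of Windows XP `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.1:1045       192.168.3.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Well-known ports seen in this lab. Services that carry credentials in
# cleartext (FTP, Telnet) are marked "review"; the rest are left as "ok".
KNOWN_PORTS = {
    21: ("ftp", "review"),
    23: ("telnet", "review"),
    80: ("http", "ok"),
    135: ("msrpc", "ok"),
    139: ("netbios-ssn", "ok"),
    445: ("microsoft-ds", "ok"),
}

# Proto, local addr:port, foreign addr, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_text):
    """Return sorted (proto, port) pairs that accept connections:
    TCP sockets in LISTENING state and every bound UDP socket."""
    found = set()
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # header or blank line
        proto, _local, port, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/outbound, not a service
        found.add((proto.lower(), int(port)))
    return sorted(found)


def review(netstat_text):
    """Return (proto, port, service, verdict) rows; unknown ports need review too."""
    rows = []
    for proto, port in listening_ports(netstat_text):
        service, verdict = KNOWN_PORTS.get(port, ("unknown", "review"))
        rows.append((proto, port, service, verdict))
    return rows


if __name__ == "__main__":
    for proto, port, service, verdict in review(SAMPLE_NETSTAT):
        print(f"{proto}/{port:<5d} {service:14s} {verdict}")
```

On the constructed input the report lists six listening sockets and marks 21/ftp and 23/telnet for review; the established connection to 192.168.3.1:80 is an outbound browser session and is correctly left out.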
Step 9: Uninstall MBSA using Control Panel Add/Remove Programs
- This step is optional, depending on whether the host will be automatically restored later by a network process.
- To uninstall MBSA, click Start > Control Panel > Add/Remove Programs. Locate the MBSA application and uninstall it. It should be listed as Microsoft Baseline Security Analyzer 2.0.1. Click Remove, and then click Yes to confirm removal of the MBSA application. When finished, close all windows to return to the desktop.
Step 10: Reflection
- The MBSA tool is designed to identify vulnerabilities for Windows-based computers. Search the Internet for other tools that might exist. List some of the tools discovered.
- Client versions of Windows, including Windows
- Windows Server, including Windows Server 2008
- SQL Server
- Internet Information Server (IIS)
- Internet Explorer
- Microsoft Office
- Which tools might there be for non-Windows computers? Search the Internet for other tools that might exist and list some of them here.
The tool is SQL Server.
- Which other steps could you take to help secure a computer against Internet attacks?
The step about Internet attacks is in Step 8.