
Assessment Prep

dthomsen116 edited this page Mar 6, 2023 · 19 revisions

Assessment Description: For the assessment, you will be given a three-zone network to configure that consists of:

Network Diagram:


traveler: A WAN-based road warrior user running Windows 10 (this replaces the Linux rw01).

edge01: A VyOS firewall with three interfaces (WAN, DMZ, LAN). You will need to add an interface using vCenter (this replaces fw01).

nginx01: A DMZ-based nginx web server running Ubuntu (this replaces web01 and apache).

dhcp01: A LAN-based DHCP server running Ubuntu.


Configs

Traveler

CONFIG

  • IP: 10.0.17.27
  • GATEWAY: 10.0.17.2
  • SUBNET: 255.255.255.0
  • DNS: 10.0.17.2

# Create the local admin account; the password is prompted for, not stored in the script
$Password = Read-Host -AsSecureString
New-LocalUser "david" -Password $Password -FullName "david"
Add-LocalGroupMember -Group "Administrators" -Member "david"

# Set the hostname; the reboot is required for it to take effect
Rename-Computer -NewName "traveler-david" -Restart

Keygen/sending to JUMP

ADMIN INSTALL OPENSSH

# Install the OpenSSH server capability; skipped if a host key already exists (already installed)
if (!(Test-Path "C:\ProgramData\ssh\ssh_host_rsa_key")) {
    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
}

# Start sshd now and have it start on every boot
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic

USER RUN

# Generate a key pair in the current directory: ssh-keys (private) and ssh-keys.pub (public)
ssh-keygen.exe -f .\ssh-keys

SFTP

#!/bin/bash
# Copy the traveler's public key to the jump host and authorise it for the jump user.
# Account names follow the rest of this page; adjust them for your own names.
WINDOWSUSER="david"        # local user on the Windows traveler box
WINDOWSIP="10.0.17.27"
JUMPADMIN="david"          # sudo-capable user on jump
JUMPUSER="jump-david"      # account the traveler will log in to on jump
JUMPIP="172.16.50.4"

# Pull the public key off the Windows box (generated there with ssh-keygen)
scp "${WINDOWSUSER}@${WINDOWSIP}:ssh-keys.pub" ./travel.pub

# Push it to the jump host, then append it to the jump user's authorized_keys
scp ./travel.pub "${JUMPADMIN}@${JUMPIP}:travel.pub"
ssh "${JUMPADMIN}@${JUMPIP}" "sudo sh -c '
  install -d -m 700 -o ${JUMPUSER} -g ${JUMPUSER} /home/${JUMPUSER}/.ssh
  cat /home/${JUMPADMIN}/travel.pub >> /home/${JUMPUSER}/.ssh/authorized_keys
  chown ${JUMPUSER}:${JUMPUSER} /home/${JUMPUSER}/.ssh/authorized_keys
  chmod 600 /home/${JUMPUSER}/.ssh/authorized_keys'"

Edge01-David

VMware config: adapter 1: WAN, adapter 2: DMZ, adapter 3: LAN

set system host-name 'edge01-david'
set system name-server '10.0.17.2'

set system login user vyos authentication plaintext-password [PASS HERE]

DO THIS LAST, after everything else is working: once ssh listens only on the LAN address you can no longer reach edge01 from the WAN side.
del service ssh listen-address '0.0.0.0'
set service ssh listen-address '172.16.150.2'

FIREWALL

NAME: DMZ-2-LAN

default-action drop
enable-default-log

rule 1:
action accept
state established enable

rule 10: 
action accept
desc: "wazuh comms w wazuhServ"
destination address 172.16.200.10
destination port 1514-1515
protocol tcp

NAME: DMZ-2-WAN

default-action drop
enable-default-log

rule 1:
action accept
state established enable

rule 999: 
action accept
source address 172.16.50.3

NAME: LAN-2-DMZ

default-action drop
enable-default-log

rule 1:
action accept
state established enable

rule 10: 
action accept
desc: "HTTP from LAN 2 NGINX"
destination address 172.16.50.3
destination port 80
protocol tcp

rule 20: 
action accept
desc: "ssh from mgmt01 2 DMZ"
destination address 172.16.50.0/29
destination port 22
protocol tcp
source address 172.16.150.10

NAME: LAN-2-WAN

default-action drop
enable-default-log

rule 1:
action accept
state established enable

NAME: WAN-2-DMZ

default-action drop
enable-default-log

rule 1:
action accept
state established enable

rule 10: 
action accept
desc: "HTTP from WAN 2 DMZ"
destination address 172.16.50.3
destination port 80
protocol tcp

rule 20: 
action accept
desc: "SSH from WAN 2 DMZ"
destination address 172.16.50.4
destination port 22
protocol tcp

NAME: WAN-2-LAN

default-action drop
enable-default-log

rule 1:
action accept
state established enable

Interfaces

ethernet eth0

address 10.0.17.115/24
desc: WAN

ethernet eth1

address 172.16.50.2/29
desc: DMZ

ethernet eth2

address 172.16.150.2/24
desc: LAN

NAT

DESTINATION

rule 10:
desc: HTTP-2-NGINX
destination port 80 
inbound interface eth0
protocol tcp 
translation address 172.16.50.3
translation port 80

rule 20:
desc: WAN-2-JUMP
destination port 22 
inbound interface eth0
protocol tcp 
translation address 172.16.50.4
translation port 22

SOURCE

rule 10:
desc: NAT from DMZ-2-WAN
outbound interface eth0
source address 172.16.50.3
translation address masquerade

rule 20:
desc: NAT from LAN-2-WAN
outbound interface eth0
source address 172.16.150.0/24
translation address masquerade

rule 30:
desc: NAT from MGMT-2-WAN
outbound interface eth0
source address 172.16.200.0/28
translation address masquerade

Protocols

rip:
interface eth2
network 172.16.50.0/29

static:
route 0.0.0.0/0
next hop 10.0.17.2

SERVICE

dns:
forwarding allow-from 172.16.50.0/29
forwarding allow-from 172.16.150.0/24
forwarding listen-address 172.16.50.2
forwarding listen-address 172.16.150.2
forwarding system

ssh: 
listen address 172.16.150.2

ZONE POLICY

zone WAN:
from DMZ firewall name DMZ-2-WAN
from LAN firewall name LAN-2-WAN
interface eth0

zone DMZ:
from LAN firewall name LAN-2-DMZ
from WAN firewall name WAN-2-DMZ
interface eth1

zone LAN:
from DMZ firewall name DMZ-2-LAN
from WAN firewall name WAN-2-LAN
interface eth2
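Added example, not from the original page: a small Python checker that transcribes the zone policy and rule sets above and answers whether a new flow would be accepted, so each requirement can be tested on paper before committing the config. It assumes first match wins, that the "state established" rule never matches a new flow, that addresses are as seen after NAT, and that 172.16.200.0/28 (the wazuh/log network) sits behind eth2 in the LAN zone.

```python
from ipaddress import ip_address, ip_network

# Zone -> networks behind that zone's interface. WAN is the catch-all; the
# 172.16.200.0/28 placement in LAN is an assumption (reached via eth2).
ZONES = {
    "DMZ": ["172.16.50.0/29"],
    "LAN": ["172.16.150.0/24", "172.16.200.0/28"],
    "WAN": ["0.0.0.0/0"],
}

# (from-zone, to-zone) -> ordered rules transcribed from the rule sets above;
# est=True is the "state established" rule, everything else is match criteria.
POLICY = {
    ("DMZ", "LAN"): [dict(est=True),
                     dict(dst="172.16.200.10", dport=range(1514, 1516), proto="tcp")],
    ("DMZ", "WAN"): [dict(est=True), dict(src="172.16.50.3")],
    ("LAN", "DMZ"): [dict(est=True),
                     dict(dst="172.16.50.3", dport=range(80, 81), proto="tcp"),
                     dict(src="172.16.150.10", dst="172.16.50.0/29",
                          dport=range(22, 23), proto="tcp")],
    ("LAN", "WAN"): [dict(est=True)],
    ("WAN", "DMZ"): [dict(est=True),
                     dict(dst="172.16.50.3", dport=range(80, 81), proto="tcp"),
                     dict(dst="172.16.50.4", dport=range(22, 23), proto="tcp")],
    ("WAN", "LAN"): [dict(est=True)],
}

def zone_of(ip):
    addr = ip_address(ip)
    for zone in ("DMZ", "LAN", "WAN"):  # WAN last: it matches everything
        if any(addr in ip_network(net) for net in ZONES[zone]):
            return zone

def rule_matches(rule, src, dst, dport, proto):
    if rule.get("est"):
        return False  # established-only rule never matches a NEW flow
    return all((
        "src" not in rule or ip_address(src) in ip_network(rule["src"]),
        "dst" not in rule or ip_address(dst) in ip_network(rule["dst"]),
        "proto" not in rule or rule["proto"] == proto,
        "dport" not in rule or dport in rule["dport"],
    ))

def verdict(src, dst, dport, proto="tcp"):
    """'accept' or 'drop' for a new flow src -> dst:dport, post-NAT addresses."""
    from_zone, to_zone = zone_of(src), zone_of(dst)
    if from_zone == to_zone:
        return "accept"  # zone policy only filters traffic crossing zones
    for rule in POLICY[(from_zone, to_zone)]:
        if rule_matches(rule, src, dst, dport, proto):
            return "accept"  # first match wins
    return "drop"  # every rule set ends in default-action drop
```

Note that LAN-2-WAN as written contains only the established rule, so the checker reports a new flow from a LAN workstation to the internet as dropped; that is the case to compare against the "surf the internet" requirement.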

Requirements

All systems should have an accurate hostname.

Windows:


Linux:

  • edit /etc/hostname

Vyos:

  • set system login user [user] authentication plaintext-password [password]

All Linux systems should have a named sudo or administrator user.

  • useradd [user]

  • passwd [user]

  • usermod -aG sudo/wheel [user]

The two new Ubuntu systems do not have a firewall enabled; this is OK (for now).

wks1 and mgmt01 should be able to surf the internet.

wks1 and mgmt01 should be able to navigate to nginx01.

mgmt01 should be able to ssh to nginx01.

nginx01 should be able to ping log01

nginx01 and dhcp01 should have wazuh agents installed

nginx01 should have a custom web page (practice this on jump)

traveler should be able to get to nginx01's custom test page by navigating to edge01's WAN IP address.

traveler should be able to perform ssh key-based authentication with jump. Traveler is a Windows box, but ssh in PowerShell is nearly exactly the same as on Linux, including key generation. You will need to add a new public key to authorized_keys.

dhcp01 should serve a pool of dhcp addresses to the LAN from .100 to .150.

WKS1 should use dhcp addressing


Hints

You do not need to work serially through this assessment, it is the end result that matters. If you are waiting for a reboot on traveler, then start configuring your other servers.

Get all communications working BEFORE creating zones and locking down the firewalls. It's terribly difficult to debug both services and network firewalls at the same time.

Make sure to link your firewalls to the appropriate From and To zones.

Make sure you have the correct netmask on all Linux systems.

Use the --permanent flag on CentOS firewall configurations, then reload after each change.

Restart any service if you touch a configuration file (network, nginx, rsyslog, etc…).

Make sure you include the appropriate vSphere label on all deliverables where your name is not obvious in the console.

Check every VM's network settings to make sure they are on the correct segment.

Don't forget to look at /var/log/messages to debug firewall issues.

Do not try to use the default gateway address 10.0.17.2 as your WAN interface IP address as this will cause problems for other students and might be embarrassing.
