Lab 3.1 Segmentation

Network Diagram

In this lab, we are going to segment our network by adding a new firewall and a new network (MGMT). We will retire our log01 server and replace it with a new server on the MGMT network.

Step 1: Configure WKS01

This system will be a Windows 10 VM that represents a typical client in our internal LAN (SEC-350-LAN). You should have set the LAN interface on FW1 last week.

Make a named user on Windows:

  1. Open Settings

  2. Select Accounts

  3. Select Family & other users

  4. Under Other users, click Add someone else to this PC

Add the user to the local admin group on Windows:

Change Windows hostname:

  1. Open Settings

  2. Select System

  3. Select About

  4. Select Rename this PC

  5. Enter a new name

  6. Select Next

  7. Choose to restart your computer now or later

Configure Interface

IP Address: 172.16.150.50

Netmask: 255.255.255.0

Gateway: 172.16.150.2

DNS: 172.16.150.2

Go to Settings > Network & Internet > Ethernet (or Wi-Fi) > Change adapter options > right-click your network adapter > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties, then select "Use the following IP address"

Step 2: Update fw01 - LAN Configuration

In week 1 you created a NAT source rule 10 for the DMZ. In week 2, you created a new NAT source rule 20 for the LAN.

Create a source rule 30 for NAT FROM MGMT to WAN (you will delete this later)

configure
set nat source rule 30 description "NAT FROM MGMT TO WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.150.0/24
set nat source rule 30 translation address masquerade
commit
save

Deliverable 1: Validate LAN access (you will test MGMT later). Provide a screenshot similar to the one below (with your own IP address). From WKS01, show:

  • the output of the whoami command

  • the output of the hostname command

  • a ping to champlain.edu

Deliverable 2: You should also be able to reach your DMZ-based web server from WKS01. Provide a screenshot from WKS01 similar to the one below:

Step 3: Configure fw-mgmt

The Management Firewall is going to separate the main LAN production network from the systems used by administrators to manage this network (MGMT).

Set hostname

configure 
set system host-name fw-mgmt-hanne
commit 
save 
exit

Set new system password

configure
set system login user [username] authentication plaintext-password [password]
commit
save

Delete DHCP Interfaces

configure
delete interfaces ethernet eth0 address dhcp
delete interfaces ethernet eth1 address dhcp
commit
save

  • show interfaces to check the system interfaces

Set Interfaces with commands below

configure 
set interfaces ethernet eth0 description SEC-350-LAN
set interfaces ethernet eth1 description SEC-350-MGMT
commit
save 
exit

Set the corresponding IP addresses for each interface

configure 
set interfaces ethernet eth0 address 172.16.150.3/24 
set interfaces ethernet eth1 address 172.16.200.2/28
commit
save 
exit

Set the static default route and the name server

configure
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2
set system name-server 172.16.150.2
commit 
save 
exit

Set DNS forwarding

configure 
set service dns forwarding listen-address 172.16.200.2
set service dns forwarding allow-from 172.16.200.0/28
set service dns forwarding system 
commit 
save

Step 4: Configure mgmt02

Place the VM on the correct network adapter (MGMT)

Make a named user

  • Open Settings

  • Select Accounts

  • Select Family & other users

  • Under Other users, click Add someone else to this PC

Make user a local admin

Change Hostname

  • Open Settings

  • Select System

  • Select About

  • Select Rename this PC

  • Enter a new name

  • Select Next

  • Choose to restart your computer now or later

Configure Interface

IP Address: 172.16.200.11

Netmask: 255.255.255.240 (yes this is a /28)

Gateway: 172.16.200.2

DNS: 172.16.200.2

Step 5: RIP on FW1 and FW-MGMT

Rather than double NAT (MGMT to LAN, then LAN to WAN), we will implement RIP, which greatly simplifies routing from MGMT to LAN. It also increases our visibility for sensors outside of the MGMT network.

On fw01, enable RIP on eth2 (LAN) and advertise the DMZ network

//share routes to DMZ

configure 
set protocols rip interface eth2 
set protocols rip network 172.16.50.0/29
commit 
save

On fw-mgmt, enable RIP on eth0 (LAN) and advertise the MGMT network

//share routes to the management network

configure 
set protocols rip interface eth0 
set protocols rip network '172.16.200.0/28'
commit 
save
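An added check, not part of the lab: it compares what RIP actually installed on each firewall (the text of `show ip route`, assumed to be pasted in from the router) with the plan above, so a missing prefix, a wrong next-hop, or a route offered by something other than fw01 or fw-mgmt is reported. The routing-table text below is constructed for the example.

```python
import ipaddress
import re

# Expected RIP-learned routes after Step 5, from the lab's address plan:
# fw-mgmt learns the DMZ prefix via fw01's LAN address (172.16.150.2) and
# fw01 learns the MGMT prefix via fw-mgmt's LAN address (172.16.150.3).
EXPECTED_RIP = {
    "fw-mgmt": {"172.16.50.0/29": "172.16.150.2"},
    "fw01": {"172.16.200.0/28": "172.16.150.3"},
}

# One FRR-style `show ip route` line (VyOS runs FRR), e.g.
# R>* 172.16.50.0/29 [120/2] via 172.16.150.2, eth0, weight 1, 00:02:13
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])>?\*?\s+(?P<prefix>\S+)\s+\[\d+/\d+\]\s+via\s+(?P<nh>[\d.]+),"
)

def parse_rip_routes(show_ip_route: str) -> dict:
    """Return {prefix: next-hop} for every RIP ('R') route in the output."""
    routes = {}
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group("proto") == "R":
            prefix = str(ipaddress.ip_network(m.group("prefix"), strict=False))
            routes[prefix] = str(ipaddress.ip_address(m.group("nh")))
    return routes

def audit_rip(router: str, show_ip_route: str) -> dict:
    """Compare learned RIP routes with the plan: report missing prefixes,
    prefixes learned from the wrong next-hop, and prefixes nobody should be
    advertising (e.g. a default route from a host that is not a firewall)."""
    learned = parse_rip_routes(show_ip_route)
    expected = EXPECTED_RIP[router]
    return {
        "missing": sorted(p for p in expected if p not in learned),
        "wrong_nexthop": sorted(p for p in expected if learned.get(p, expected[p]) != expected[p]),
        "unexpected": sorted(p for p in learned if p not in expected),
    }

# Constructed sample output (not captured from a real router): a healthy table
# on fw-mgmt, then the same table plus a RIP default route offered by
# 172.16.150.99, an address that is not one of this lab's firewalls.
GOOD_FW_MGMT = """\
S>* 0.0.0.0/0 [1/0] via 172.16.150.2, eth0, weight 1, 00:10:21
R>* 172.16.50.0/29 [120/2] via 172.16.150.2, eth0, weight 1, 00:02:13
C>* 172.16.150.0/24 is directly connected, eth0, 00:10:30
C>* 172.16.200.0/28 is directly connected, eth1, 00:10:30
"""
ROGUE_FW_MGMT = GOOD_FW_MGMT + "R   0.0.0.0/0 [120/2] via 172.16.150.99, eth0, weight 1, 00:00:05\n"
```

Run `audit_rip("fw-mgmt", ...)` with your own `show ip route` text; anything under "unexpected" is a prefix that reached the table from a RIP speaker the plan does not account for.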

On fw01, you should have already allowed NAT traffic from the MGMT network (rule 30).

Create a source rule 30 for NAT FROM MGMT to WAN

configure
set nat source rule 30 description "NAT FROM MGMT TO WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/24
set nat source rule 30 translation address masquerade
commit
save

Deliverable 3. On mgmt02, provide a screenshot similar to the following one.

Step 6: Shutdown log01

Say goodbye to your syslog server: if you are done with all previous labs, feel free to turn it off. We are going to configure a new box called wazuh that will capture security-relevant logs from configured systems.

Step 7: Configure server wazuh

Wazuh is a new Ubuntu server. Configure it on the SEC350-MGMT network with the following address information. It may take some time to boot because it is looking for a DHCP server that does not exist.

Add user

sudo adduser hanne
//enter a password when prompted
sudo usermod -aG sudo hanne

Use netplan to configure interface

  • /etc/netplan/00-installer-config.yaml is the config file

network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:                    # make sure you change this to your interface name
      addresses:
        - 172.16.200.10/28     # this should be your IP address
      nameservers:
        addresses: [172.16.200.2]
      routes:
        - to: default
          via: 172.16.200.2    # this is your default gateway

Set hostname

  • hostnamectl set-hostname

Deliverable 4. On Wazuh, provide a screenshot similar to the one below that shows your correct hostname, named administrative (sudo) user logged in and able to ping google.com and curl your web server.

Step 8: Update client logging configurations

fw01 and web01 have stale syslog configurations because we have decommissioned log01. Remove the log-forwarding settings from the VyOS syslog configuration and from the web01 rsyslog client configuration. In the near future, our Wazuh agents will forward specific messages (instead of all of them).

On web01, remove your rsyslog drop-in configuration

On fw1, remove the syslog host 172.16.50.5 setting from the configuration (the command below removes the entire system syslog stanza, which includes that host)

configure 
delete system syslog 
commit 
save
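An added audit, not part of the lab: it pulls every remote syslog destination out of a VyOS configuration dump or an rsyslog file and flags any that are outside the MGMT network, so a forwarder still pointed at the old log01 in the DMZ is caught before it is forgotten. The configuration snippets below are constructed for the example.

```python
import ipaddress
import re

# From the lab's address plan: logs should now go only to the MGMT network
# (wazuh lives there); log01 at 172.16.50.5 in the DMZ is decommissioned.
MGMT_NET = ipaddress.ip_network("172.16.200.0/28")

# Remote-destination patterns in the two dialects this step touches:
#   VyOS:    set system syslog host 172.16.50.5 facility all level info
#   rsyslog: *.* @172.16.50.5:514  or  *.* @@172.16.50.5:514  (UDP / TCP),
#            or action(type="omfwd" target="172.16.50.5" port="514" ...)
TARGET_RES = [
    re.compile(r"^\s*set system syslog host (\S+)"),
    re.compile(r"^\s*\S+\s+@@?([\d.]+)"),
    re.compile(r'target="([\d.]+)"'),
]

def log_forward_targets(config_text: str) -> set:
    """Return every remote syslog destination IP found in a VyOS
    'show configuration commands' dump or an rsyslog configuration."""
    targets = set()
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a comment may mention an old host; it is not a live target
        for rx in TARGET_RES:
            m = rx.search(line)
            if m:
                try:
                    targets.add(str(ipaddress.ip_address(m.group(1))))
                except ValueError:
                    pass  # a hostname rather than an IP; not resolved offline
    return targets

def stale_targets(config_text: str) -> set:
    """Destinations outside MGMT, i.e. forwarders that should be removed
    now that logging moves to wazuh on the MGMT network."""
    return {t for t in log_forward_targets(config_text)
            if ipaddress.ip_address(t) not in MGMT_NET}

# Constructed samples (not real captures): fw01 before the cleanup, the
# web01 drop-in from the earlier lab, and a destination inside MGMT.
FW01_BEFORE = """\
set system syslog global facility all level info
set system syslog host 172.16.50.5 facility all level info
"""
WEB01_DROPIN = """\
# /etc/rsyslog.d/50-log01.conf
*.* @172.16.50.5:514
"""
MGMT_OK = 'action(type="omfwd" target="172.16.200.10" port="514" protocol="tcp")\n'
```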

Deliverable 5. On mgmt1, provide a screenshot similar to the one below showing:

  • ssh from mgmt1 on LAN to wazuh on MGMT

  • another ping to google

  • traceroute to champlain.edu with 4 hops

Deliverable 6. A screenshot similar to the one below that shows a ping from web01 to wazuh.

Deliverable 7. Export the firewall configurations at the end of week 3 for fw-mgmt and fw1. The following command line will provide the most usable format. Provide screenshots or links to your firewall configurations in GitHub.

Install Git on VyOS

sudo nano /etc/apt/sources.list.d/git.list

//input this text into the file
deb https://deb.debian.org/debian bullseye main contrib non-free

sudo apt update && sudo apt install -y git

Configure GitHub

  • ssh-keygen

  • sudo cat /home/vyos/.ssh/id_rsa.pub

  • copy and paste the key into GitHub
