Lab 4.1 Network Firewalls 1

Intro

  • In this lab, we are going to lock down all traffic between the LAN, DMZ, WAN, and MGMT networks and then selectively allow only the traffic each pair of networks needs.

  • The initial configuration of fw01 will be illustrated in detail, but you will need to use that information to configure fw-mgmt.

Prerequisites

Make sure you are able to do the following before you proceed with the rest of the lab:

  • rw01 can ping web01 via its static route, rw01 can browse to web01

  • wks01 can browse web01

  • wks01 can browse wazuh

  • web01 can ping wazuh


Task 1: Configuring fw01

Create and link firewall zones to interfaces (eth0, eth1, eth2)

 configure 
 set zone-policy zone WAN interface eth0
 set zone-policy zone DMZ interface eth1
 set zone-policy zone LAN interface eth2
 commit 
 save

Creating Firewalls for WAN-to-DMZ and DMZ-to-WAN

We are now going to create a firewall for each direction between the zones. Each firewall's default action is drop, so any traffic that is not explicitly allowed by a rule is discarded (and logged).

Firewalls for WAN and DMZ

Assigning Firewalls to Zones

Testing

  • Attempt to connect to web01 via RW01; it should fail

  • On fw01, monitor the logs with: tail -f /var/log/messages | grep WAN

    • Try the failed connection again; a drop message for it should appear in the log on fw01


This screenshot indicates:

  1. That the default drop rule of the WAN-TO-DMZ firewall, applied on eth0, was invoked (the [WAN-TO-DMZ-default-D] prefix).

  2. The source IP (SRC=) is rw01.

  3. The destination IP (DST=) is web01.

  4. The protocol (PROTO=) was TCP.

Deliverable 1: Provide a screenshot showing a [WAN-TO-DMZ-default-D] log entry similar to the one above.

Allow HTTP Inbound

Allow HTTP traffic by creating a rule in the WAN-to-DMZ firewall that accepts 80/tcp. Use your own IP address for web01 as the destination.

Testing

Try connecting to web01 via http again; it should still fail.


The connection was stopped on the way back out, not on the way in: the request reached web01, but web01's reply packets are dropped by the default action of the DMZ-TO-WAN firewall. We need to explicitly tell the DMZ-TO-WAN firewall to allow established connections that were initiated from the WAN back out again.

Allowing http-established connections back out


We reserve rule 1 for one of two purposes. In a firewall that should only pass return traffic, rule 1 accepts established (and related) connections back through. In a firewall where the source zone is allowed to initiate anything, rule 1 is instead an open rule that accepts all connections, and it is typically the only rule in that firewall.
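The complete fw01 configuration for the WAN/DMZ pair, written out here as an added example (it is not one of the lab's own screenshots) in the VyOS zone-policy syntax that the lab's zone commands already use. It assumes web01 is the DMZ web server at 172.16.50.3 mentioned in Task 2; substitute your own web01 address. The enable-default-log lines are what produce the [WAN-TO-DMZ-default-D] entries in /var/log/messages:

```vyos
configure

# WAN-TO-DMZ: filters traffic entering the DMZ zone from the WAN zone.
# Default drop with logging; drops appear in /var/log/messages tagged
# [WAN-TO-DMZ-default-D].
set firewall name WAN-TO-DMZ description 'WAN to DMZ'
set firewall name WAN-TO-DMZ default-action drop
set firewall name WAN-TO-DMZ enable-default-log

# Rule 10: allow HTTP from anywhere on the WAN to web01 only.
# 172.16.50.3 is assumed to be web01; replace it with your own address.
set firewall name WAN-TO-DMZ rule 10 description 'HTTP to web01'
set firewall name WAN-TO-DMZ rule 10 action accept
set firewall name WAN-TO-DMZ rule 10 protocol tcp
set firewall name WAN-TO-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-TO-DMZ rule 10 destination port 80

# DMZ-TO-WAN: filters traffic leaving the DMZ towards the WAN.
# Rule 1 lets replies to WAN-initiated connections back out; without it
# web01's SYN/ACK is dropped and the HTTP request from rw01 hangs.
set firewall name DMZ-TO-WAN description 'DMZ to WAN'
set firewall name DMZ-TO-WAN default-action drop
set firewall name DMZ-TO-WAN enable-default-log
set firewall name DMZ-TO-WAN rule 1 description 'Return traffic for established sessions'
set firewall name DMZ-TO-WAN rule 1 action accept
set firewall name DMZ-TO-WAN rule 1 state established enable
set firewall name DMZ-TO-WAN rule 1 state related enable

# Bind each firewall to the zone pair it protects. Read as:
# "traffic into zone DMZ, coming from zone WAN, is filtered by WAN-TO-DMZ".
set zone-policy zone DMZ from WAN firewall name WAN-TO-DMZ
set zone-policy zone WAN from DMZ firewall name DMZ-TO-WAN

commit
save
exit
```

To see the failure the info box describes, commit only the WAN-TO-DMZ part first and retest from rw01, then add DMZ-TO-WAN rule 1 and retest. In operational mode, show firewall name WAN-TO-DMZ lists the rule set as the router has loaded it. Keep in mind that in VyOS, traffic between two zones that have no from policy bound is dropped, so every zone pair that needs to talk must be bound explicitly.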

Deliverable 2: Take a screenshot that shows a failed wget or curl (1) followed by a successful connection to your web server. Make sure you have disabled the default welcome.conf (deleted or fully commented out), restarted httpd, and added a simple index.html banner as shown in (2).

Create a simple web page

  • Go to web01

  • Comment out all the lines in /etc/httpd/conf.d/welcome.conf (or delete the file), then restart httpd

  • Go to /var/www/html

  • sudo nano index.html and make your webpage

  • Reload your webpage from rw01; you should be able to connect to it now!

  • A wget or curl against web01 from rw01 should now succeed as well.

DMZ and LAN Traffic Firewalls

We are going to continue our firewalling by creating default firewalls for LAN and DMZ and link them to zone policies.


Wazuh Ports 1514/TCP and 1515/TCP

Currently the firewall rules drop all traffic except 80/tcp from the WAN to web01, so the Wazuh traffic between the DMZ and the LAN no longer works. The Wazuh server expects agents to connect to it on tcp/1514 (agent communication) and tcp/1515 (agent enrollment).

DMZ to LAN

Deliverable 3: Provide a screenshot of /var/log/messages on fw01, similar to the one for Deliverable 1, that shows a DMZ-TO-LAN drop message. Make sure you select a message that indicates PROTO=TCP and DPT=1514 or DPT=1515.

Allow Wazuh agent communications

From web01, ping 172.16.200.10 (wazuh) and confirm that it fails.

Create firewall rules that allow ports 1514/tcp and 1515/tcp through the DMZ-to-LAN firewall.

Deliverable 4. Provide a screenshot of your new LAN-to-DMZ rule 1 that allows established connections back through the LAN-to-DMZ firewall.

Configure WAN-to-LAN firewall

Create the WAN-TO-LAN firewall, link it to the appropriate zone policy, and allow only established connections back from the WAN into the LAN.

Configure LAN-TO-WAN Firewall

Create a default LAN-to-WAN firewall and associate it with the appropriate zone policy. This firewall will have only one rule, allowing LAN clients to initiate WAN connections.

Deliverable 5: Submit a screenshot showing a LAN-TO-WAN browsing session between wks01 and champlain.edu

Configure LAN to DMZ Firewall

Communication between the LAN and the DMZ is currently broken, so we need to:

  • Create a firewall

  • Assign it to the appropriate zone policy

  • Adjust it to allow only the traffic we want to go through.

  • Goal: wks01 should be able to browse to web01, and mgmt01 should be able to ssh into anything on the DMZ.

With that in mind, we need to create firewall rules on LAN-TO-DMZ that allow:

  • 80/tcp from the LAN to web01.

  • 22/tcp from mgmt01 to the DMZ.
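The remaining fw01 firewalls (DMZ-TO-LAN with the Wazuh rules, WAN-TO-LAN, LAN-TO-WAN and LAN-TO-DMZ), written out as one added example covering the last four sections; this is not the lab's own configuration. It assumes the VyOS zone-policy syntax the lab's zone commands use, that web01 is the DMZ web server at 172.16.50.3 mentioned in Task 2, and, since mgmt01's address is not given in the lab, a placeholder for it that you must replace before pasting. Note that DMZ-TO-LAN rule 10 only opens TCP, so the ping from web01 to wazuh keeps failing after it is applied; only the agent's 1514/1515 connections start working:

```vyos
configure

# DMZ-TO-LAN: only Wazuh agent traffic (1514/tcp, 1515/tcp) to the
# manager at 172.16.200.10. Everything else, ping included, is dropped
# and logged; the log line carries PROTO= and DPT= for Deliverable 3.
set firewall name DMZ-TO-LAN default-action drop
set firewall name DMZ-TO-LAN enable-default-log
set firewall name DMZ-TO-LAN rule 10 description 'Wazuh agent to manager'
set firewall name DMZ-TO-LAN rule 10 action accept
set firewall name DMZ-TO-LAN rule 10 protocol tcp
set firewall name DMZ-TO-LAN rule 10 destination address 172.16.200.10
set firewall name DMZ-TO-LAN rule 10 destination port 1514,1515

# LAN-TO-DMZ: rule 1 carries the manager's replies back to the agents
# (and web01's replies back to wks01). Rules 10 and 20 are the only
# LAN-initiated traffic allowed into the DMZ.
set firewall name LAN-TO-DMZ default-action drop
set firewall name LAN-TO-DMZ enable-default-log
set firewall name LAN-TO-DMZ rule 1 description 'Return traffic for established sessions'
set firewall name LAN-TO-DMZ rule 1 action accept
set firewall name LAN-TO-DMZ rule 1 state established enable
set firewall name LAN-TO-DMZ rule 1 state related enable
# 172.16.50.3 is assumed to be web01; replace it with your own address.
set firewall name LAN-TO-DMZ rule 10 description 'LAN to web01 HTTP'
set firewall name LAN-TO-DMZ rule 10 action accept
set firewall name LAN-TO-DMZ rule 10 protocol tcp
set firewall name LAN-TO-DMZ rule 10 destination address 172.16.50.3
set firewall name LAN-TO-DMZ rule 10 destination port 80
# <mgmt01-ip> is a placeholder (not given in the lab); replace it before pasting.
set firewall name LAN-TO-DMZ rule 20 description 'mgmt01 SSH to any DMZ host'
set firewall name LAN-TO-DMZ rule 20 action accept
set firewall name LAN-TO-DMZ rule 20 protocol tcp
set firewall name LAN-TO-DMZ rule 20 source address <mgmt01-ip>
set firewall name LAN-TO-DMZ rule 20 destination port 22

# LAN-TO-WAN: the second use of rule 1, an open rule. LAN clients may
# start any connection outbound, and this is the firewall's only rule.
set firewall name LAN-TO-WAN default-action drop
set firewall name LAN-TO-WAN enable-default-log
set firewall name LAN-TO-WAN rule 1 description 'Allow all LAN-initiated connections'
set firewall name LAN-TO-WAN rule 1 action accept

# WAN-TO-LAN: nothing on the WAN may start a connection into the LAN;
# only replies to LAN-initiated sessions come back in.
set firewall name WAN-TO-LAN default-action drop
set firewall name WAN-TO-LAN enable-default-log
set firewall name WAN-TO-LAN rule 1 action accept
set firewall name WAN-TO-LAN rule 1 state established enable
set firewall name WAN-TO-LAN rule 1 state related enable

# Bind each firewall to its zone pair (into <zone>, from <zone>).
set zone-policy zone LAN from DMZ firewall name DMZ-TO-LAN
set zone-policy zone DMZ from LAN firewall name LAN-TO-DMZ
set zone-policy zone WAN from LAN firewall name LAN-TO-WAN
set zone-policy zone LAN from WAN firewall name WAN-TO-LAN

commit
save
exit
```

Rule 20 is deliberately restricted by source address: it is the only LAN-to-DMZ path for SSH, so the failed-login test in Deliverable 7 only works from mgmt01, and any other LAN host attempting SSH into the DMZ shows up as a [LAN-TO-DMZ-default-D] drop on fw01.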

Deliverable 6: Screenshot showing web session between wks01 and web01.

Deliverable 7. From mgmt01, ssh into web01 using the username testwazuhafterfirewall. Repeat the attempt until the session is closed by web01. Provide a screenshot similar to the one below that shows the related security event in Wazuh, generated after fw01 was configured.

Task 2: Configuring fw-mgmt

Create LAN and MGMT zones on fw-mgmt

LAN-to-MGMT

MGMT-to-LAN

Deliverable 8. Show the correct connections from mgmt02.

The ping to champlain.edu doesn't work because we didn't configure a rule on fw-mgmt for LAN-to-WAN connections. We can connect to the web server on 172.16.50.3 because we made a MGMT-to-LAN rule and also an MGMT-to-DMZ rule. We can connect to mgmt01 because we made a MGMT-to-LAN rule.

Deliverable 9. Provide the output of show zone on fw-mgmt

Deliverable 10. Provide the output of show firewall name LAN-TO-MGMT

Deliverable 11. Provide the output of show firewall name MGMT-TO-LAN

Deliverable 12. From mgmt01, Run an ssh test on web01 with a tag that indicates that this is a test of fw-mgmt. Take a screenshot of the resulting log within wazuh.
