Methods for Securing Hardware and Software

12591 words (50 pages) Assignment

18th Jul 2019 Assignment


Disclaimer: This work has been submitted by a university student. This is not an example of the work produced by our Assignment Writing Service.

Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UKEssays.com.

CompTIA Security +

Security Portfolio Practical

Table of Contents

Aim and Objectives
Task 1 Active Directory, DNS and Print Services
Task 2 Exchange Server
Task 3 Barracuda Spam Filter
Task 4 Microsoft Office Outlook
Task 5 Site-to-site VPN
Task 6 Radius Server AAA
Task 7 TACACS+ Server AAA
Task 8 Vulnerability Assessment
Task 9 NVD – National Vulnerability Database
Task 10 CISCO Intrusion Prevention Configuration
Task 11 CISCO Context Based Access Firewall
Task 12 CISCO Zone Based firewall
Task 13 Fortinet Unified Threat Management
Task 14 Cyberoam Unified Threat management
Recommendation
REFERENCES

 

Aim

 

The aim of this assessment is to discuss methods of securing hardware and software in an environment.

Objectives:

 

  • To explain how to install and configure a Windows network
  • To discuss how to install the firewall and IDS correctly
  • To deliberate the use of a mail server
  • To enable remote access
  • To outline the five vulnerabilities found in computers
  • To demonstrate blocked vulnerabilities
  • To make a demonstration of a VPN

Task 1 Active Directory, DNS and Print Server

Active Directory is a directory service designed by Microsoft and is part of the Windows 2000 architecture. It is a standard system for network management of users’ data, security and resources. Its minimum system requirements are 1.4GHz, 512MB RAM, 64GB disk space and an Ethernet adapter. [1] Rouse. (2016).

Steps on how to setup an Active Directory:

  1. Open the Server Manager from the Windows start button.

Figure 1.1 Dashboard of Server Manager

  2. In the deployment configuration, select “Add a domain controller”.

Figure 1.2 Deployment Configuration – Adding a domain

  3. In the deployment configuration, select “Add new Forest”.

Figure 1.3 Deployment Configuration – Adding a new Forest

  4. In the Root domain name field below the domain information, type the desired root domain name.

Figure 1.4 Specifying the Root domain name

  5. In the domain controller options, type the desired password and confirm your password.

Figure 1.5 Domain Controller dialog box

  6. Additional option for adding the NetBIOS domain name.

Figure 1.6 Adding NetBIOS domain name

  7. Selection of paths where to put the AD DS database log files.

Figure 1.7 Location of the AD DS database log files

  8. Reviewing the options for the selected Active Directory domain services.

Figure 1.8 Review selection

  9. Checking the installation guide before installing all desired settings.

Figure 1.9 Prerequisites check

  10. Once installed, verify the username and password.

Figure 1.10 Windows Server Login page

  11. In the Network and Sharing Centre, go to change adapter settings, then go to properties.

Figure 1.11 Ethernet properties

  12. Once the properties are clicked, enter the desired IP address, subnet mask and default gateway.

Figure 1.12 Internet protocol TCP and IPv4 properties

  13. The domain controller has been set together with the IP addresses.

Figure 1.13 Network and Sharing Center

  14. Editing the Computer Name/Domain and joining the domain.

Figure 1.14 Domain name changes

  15. In the Server Manager, choose Active Directory Users and Computers.

Figure 1.15 Server Manager GUI

  16. In Active Directory Users and Computers, you can find all the listed information about the domain.

Figure 1.16 Active directory users and computers

  17. In Active Directory Users and Computers, add a New Object, then type the desired name.

Figure 1.17 New Object Dialog box

  18. As you can see, the ITD was added to the Active Directory Users.

Figure 1.18

  19. Filling in the New Object to be created in the ITD domain.

Figure 1.19a New Object fill-up dialog box

Figure 1.19b New Object was created successfully

  20. Creating the group name for the new object.

Figure 1.20 New Object – Group

  21. Manager was successfully added to the ITD domain.

Figure 1.21 Active Directory – Bryan David and Manager

Print Server

  1. Download a copy of the HP printer installer from the official HP website.

Figure 1.1.1 HP website

  2. From the HP website, download the installer of the selected printer.

Figure 1.1.2 HP installer

  3. This will be the .exe file of the HP printer installer.

Figure 1.1.3 HPePrintAPPx64bit

  4. In the Server Manager, select Add roles and features.

Figure 1.1.4 Server Manager dashboard

  5. Adding roles and features wizard for the HP printer.

Figure 1.1.5 Roles and features wizard

  6. Select the role-based or feature-based installation for the print server.

Figure 1.1.6 Installation type for HP printer server

  7. In the server selection, select a server from the server pool.

Figure 1.1.7 Server Selection

  8. Add the print and document services as the feature for the HP printer.

Figure 1.1.8 Add roles and feature wizard

  9. In the print and document services, click next.

Figure 1.1.9 Print and document services

  10. Tick the Print server, scan server and internet printing for the role of HP print services.

Figure 1.1.10 role services for the HP printer

  11. In the Web server role (IIS), click next.

Figure 1.1.11 Web server role (IIS)

  12. Select all role services for the Print server desired.

Figure 1.1.12 Web server for role service

  13. For the confirmation of the roles and features, review all selected and desired roles to be added.

Figure 1.1.13 Confirmation of roles and features

  14. The result for the roles and features together with the installation of all roles added.

Figure 1.1.14 Result dialog box for the roles and features

  15. In the Server Manager, select the print management.

Figure 1.1.15 Print management dropdown list

  16. In the print management, select filters, All printers.

Figure 1.1.16 Print management

  17. In the all printers’ dropdown list, select the desired printer.

Figure 1.1.17 All printers

  18. Click the downloaded printer installer from the files downloaded.

Figure 1.1.18 Printer installer

  19. In the HP ePrint installer, click install.

Figure 1.1.19 installer for the HP printer

  20. The HP printer installer will install automatically.

Figure 1.1.20 HP printer installer

  21. The HP printer installation is successful.

Figure 1.1.21 Printer installation

  22. Go back to the print management to select the desired printer.

Figure 1.1.22 Print management

  23. The HP printer will appear in the print management.

Figure 1.1.23 HP printer in the print management

  24. In the deploy with group policy, browse the group policy object name.

Figure 1.1.24 Deploy with GP

  25. In the browse for GPO, select the desired domain name.

Figure 1.1.25 Browse GPO

  26. Select the Printer Group Policy with the domain ‘bryan.com’.

Figure 1.1.26 Browse GPO

  27. In the deploy with GP, add the bry GPO.

Figure 1.1.27 deploy with GP

  28. Printer deployment is successful.

Figure 1.1.28 Print management dialog box

  29. Verification for the successful printer deployment.

Figure 1.1.29 deployment successful dialog box

  30. HP eprint is successfully configured.

Figure 1.1.30 print management dialog box

  31. In the HP printer, right click then click the properties.

Figure 1.1.31 properties of the HP printer

  32. In the properties, select the security tab.

Figure 1.1.32 security tab for the HP printer properties

  33. In the security tab of the HP printer, select the administrator, then tick the allow button for print, manage the printer and manage documents.

Figure 1.1.33 permission for administrator

Task 2 Exchange Server

Exchange Server is a Microsoft messaging system product that includes a mail server, an email client and groupware applications. It is mainly designed for companies, so that employees can share information easily by taking advantage of the Outlook server, such that the company’s calendar and contact lists are always in sync. The minimum requirements for the Exchange server are as follows: 64-bit processor, 512GB RAM, 64GB disk space and an Ethernet adapter. [2] Microsoft. (2017).

Setup Procedure:

  1. Install Windows Server.
  2. Insert the DVD installer for MS Exchange, open a command prompt and enter the following commands:

d:, dir, cd exch…

Figure 2.1 CMD installation of exchange server

  3. Inside drive D (installer disk), type in the following commands:

setup /prepareschema

setup /prepareAD /OrganizationName:Avonmore

setup /PrepareAllDomains

  4. Open PowerShell and type in the commands below:

Import-Module ServerManager

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,Web-Asp-Net,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-ISAPI-Filter,Web-Request-Monitor,Web-Static-Content,Web-WMI,RPC-Over-HTTP-Proxy -Restart

Set-Service NetTcpPortSharing -StartupType Automatic

  5. Install the Office filter pack found inside the CD installer.
  6. Install Exchange Server 2010.

Figure 2.2 Installation of exchange server

  7. In the Exchange Server 2010 setup, click next.

Figure 2.3 Introduction

  8. In the installation type, select the typical Exchange server installation.

Figure 2.4 Installation type

  9. In the Exchange organization, type your desired name.

Figure 2.5 Exchange Organization

  10. In the client setting, select ‘No’.

Figure 2.6 Client Setting

  11. Type your desired name for your client access.

Figure 2.7 Configure Client Access Server external domain

  12. Select “I don’t wish to join the program at this time”.

Figure 2.8 Customer Experience Improvement Program

  13. In the readiness checks, review all the selected modes before installation.

Figure 2.9 Readiness Checks

  14. Upon completion, click finish.

Figure 2.10 Completion

Configuring Mailbox Roles

In this setup, we are going to configure the Exchange server to perform multiple roles so that our users can send and receive emails. We need to include the following: (1) Hub Transport – responsible for routing messages; (2) Client Access – offers all available protocol access to mailboxes; (3) Mailbox – contains the mailboxes and public folders. We need these three roles for the Exchange Management Console to make the necessary changes.

  1. Open Exchange Management Console and choose Organization Configuration on the left pane. Select your server and click New Mailbox Database on the right.

Figure 2.11 Exchange Management Console

  2. Follow the onscreen instructions on setting the location for the database and click on Finish once done.

Figure 2.12 New Mailbox Database

Sending and receiving emails via web browser:

  1. To access the web mail, we simply type in the URL of the server and add /owa to the address.

Figure 2.13 Outlook Web App

  2. Upon successful login, the user is presented with the Outlook Web App and can then start sending and receiving emails.

Figure 2.14 Email Test

Task 3 Barracuda Spam Filter

Barracuda Spam Filter is an integrated software and hardware solution to protect the email server from virus, spam, spoofing and spyware attacks.  [3] Barracuda. (2017).

These are the steps for users on how to set it up:

  1. Log in to Barracuda Spam Filter as administrator and add the IP configuration, DNS, and domain name of the email server admincore.com.

Figure 3.1 Basic Set up for Email Security

Figure 3.2 Email server Setup

Figure 3.3 Virus and Spam protection

  2. Set up the quarantine procedure for emails that contain spam and viruses.

Figure 3.4 All inbound setting for email protection

  3. Updates allow the spam filter system to determine incoming spam threats.

Figure 3.5 Updates for barracuda Part 1

Figure 3.6 Updates for barracuda Part 2

  4. The Domain tab allows the administrator to add allowed or blocked domains.

Figure 3.7 Domain manager

  5. The Spam Scoring Limit sets the limits for blocked, quarantined and tagged mails.

Figure 3.8 Inbound and outbound Spam scoring limits

  6. The Rate Control allows administrators to set the number of connections allowed per IP address.

Figure 3.9 Rate Control

  7. Sender Filters filter all mails coming in to the mail server.

Figure 3.10 Incoming email filters

Task 4 Microsoft Office Outlook

Microsoft Office Outlook is an information manager from Microsoft. It includes an email application, calendar, contacts list, notepad, journal and also web browsing. It can be used with Exchange server, SharePoint server or as a stand-alone program. It is commonly used as the email server for all companies worldwide as it is easy to use and has a lot of functions. [4] Rouse. (2012).

Steps on how to manage MS Outlook:

  1. From the start button of the Windows server, select Microsoft Outlook 2010.

Figure 4.1 Microsoft Outlook 2010

  2. In the control panel, look for the Mail setup – Outlook.

Figure 4.2 Mail Setup – Outlook

  3. Select the account settings for the email.

Figure 4.3 Account settings for Outlook

  4. Then add a new account and select manually configure server settings.

Figure 4.4 Add new Account dialog box

  5. Select Internet E-mail in the add new account settings.

Figure 4.5 Add new Account dialog box

  6. Type the desired user information, server information and logon information, then click next.

Figure 4.6 User, server and logon information for the New account

  7. Type this URL: ‘https://help.yahoo.com/kb/SLN4724.html’. This information is important for setting up the email in Outlook.

Figure 4.7 Yahoo mail POP setting

  8. After setting up the new account, click next.

Figure 4.8 Add new account information

  9. Type your desired email address in the Internet E-mail settings.

Figure 4.9 internet E-mail settings

  10. In the outgoing server, select “same settings as my incoming mail server”.

Figure 4.10 Internet e-mail setting for the outgoing server

  11. Go to the advanced settings, then copy the information from the Yahoo mail POP setting.

Figure 4.11 Advanced setting for the e-mail

  12. Be sure to test the account settings to verify the email services.

Figure 4.12 test account settings

  13. As you can see, all the emails are in the e-mail accounts list.

Figure 4.13 email settings

  14. In the data files, we can see the location of the email.

Figure 4.14 data files of the email

  15. Official dashboard for Outlook, which contains all email in one program.

Figure 4.15 Microsoft Outlook

  16. Click New email to test the email server.

Figure 4.16 pop up window for the email

  17. Email setup for the [email protected] which includes all information.

Figure 4.17 Microsoft outlook

  18. Testing client to client email.

Figure 4.18 email test

  19. The test is currently progressing since the email will be sent to the client.

Figure 4.19 MS outlook dashboard

  20. Microsoft Outlook test message in the Yahoo mail website.

Figure 4.20 Yahoo mail

  21. Test email for the client to client email server.

Figure 4.21 client to client email server

Task 5 Site-to-site VPN

Using a VPN on the routers in a CISCO network provides a more secure connection for transmitting data over a public network. It can reduce the high cost of leased lines. A site-to-site VPN provides a tunnel using IPsec between two branch offices. Another use of a site-to-site VPN is remote access between client and server for small offices.

Site to site VPN topology

 

| Device | Interface | IP Address | Subnet Mask | Default Gateway | Switch Port |
|---|---|---|---|---|---|
| R1 | FA 0/1 | 192.168.1.1 | 255.255.255.0 | N/A | SW1 FA0/1 |
| | S0/0/0 (DCE) | 10.1.1.1 | 255.255.255.252 | N/A | N/A |
| R2 | S0/0/0 | 10.1.1.2 | 255.255.255.252 | N/A | N/A |
| | S0/0/1 (DCE) | 10.2.2.2 | 255.255.255.252 | N/A | N/A |
| R3 | FA0/0 | 192.168.3.1 | 255.255.255.0 | N/A | SW2 FA0/1 |
| | S0/0/1 | 10.2.2.1 | 255.255.255.252 | N/A | N/A |
| PC-A | NIC | 192.168.1.3 | 255.255.255.0 | 192.168.1.1 | SW1 FA0/2 |
| PC-B | NIC | 192.168.3.3 | 255.255.255.0 | 192.168.3.1 | SW2 FA0/2 |

Router 1 Configuration

hostname R1

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

lifetime 3600

!

crypto isakmp key cisco123 address 10.2.2.1

!

crypto ipsec security-association lifetime seconds 1800

!

crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac

!

crypto map CMAP 10 ipsec-isakmp

set peer 10.2.2.1

set pfs group5

set security-association lifetime seconds 900

set transform-set 50

match address 101

!

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/0/0

ip address 10.1.1.1 255.255.255.252

clock rate 64000

crypto map CMAP

!

router eigrp 100

network 192.168.1.0

network 10.1.1.0 0.0.0.3

no auto-summary

!

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

!

line con 0

exec-timeout 5 0

password 7 0822455D0A165445415F59

logging synchronous

login

!

line vty 0 4

exec-timeout 5 0

password 7 0822455D0A165445415F59

login

!

end

Router 2

hostname R2

!

interface Serial0/0/0

ip address 10.1.1.2 255.255.255.252

!

interface Serial0/0/1

ip address 10.2.2.2 255.255.255.252

clock rate 64000

!

router eigrp 100

network 10.1.1.0 0.0.0.3

network 10.2.2.0 0.0.0.3

no auto-summary

!

end

Router 3

hostname R3

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

lifetime 3600

!

crypto isakmp key cisco123 address 10.1.1.1

!

crypto ipsec security-association lifetime seconds 1800

!

crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac

!

crypto map CMAP 10 ipsec-isakmp

set peer 10.1.1.1

set pfs group5

set security-association lifetime seconds 900

set transform-set 50

match address 101

!

interface FastEthernet0/0

ip address 192.168.3.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/0/1

ip address 10.2.2.1 255.255.255.252

crypto map CMAP

!

router eigrp 100

network 10.2.2.0 0.0.0.3

network 192.168.3.0

no auto-summary

!

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

!

line con 0

exec-timeout 5 0

password 7 0822455D0A165445415F59

logging synchronous

login

!

line vty 0 4

exec-timeout 5 0

password 7 0822455D0A165445415F59

login

!

end

Check:

Router 1

 

As you can see in the CLI of R1, the inbound and outbound connections are all ACTIVE.

Router 3

As you can see in the CLI of R3, the inbound and outbound connections are all ACTIVE.

Task 6 Radius Server AAA

 

For basic authentication, AAA (authentication, authorization and accounting) can be configured to use the local database for client logins. This is difficult to manage, since it must be configured on every router. To take full advantage of AAA, a RADIUS server is used. When a client attempts to log in to the router, the router refers to the external server database to verify that the client is using a valid username and password.

Topology for the radius Server AAA

 

| Device | Interface | IP Address | Subnet Mask | Default Gateway | Switch Port |
|---|---|---|---|---|---|
| R1 | FA0/1 | 192.168.1.1 | 255.255.255.0 | N/A | S1 FA0/5 |
| | S0/0/0 (DCE) | 10.1.1.1 | 255.255.255.252 | N/A | N/A |
| R2 | S0/0/0 | 10.1.1.2 | 255.255.255.252 | N/A | N/A |
| | S0/0/1 (DCE) | 10.2.2.2 | 255.255.255.252 | N/A | N/A |
| R3 | FA0/1 | 192.168.3.1 | 255.255.255.0 | N/A | S3 FA0/5 |
| | S0/0/1 | 10.2.2.1 | 255.255.255.252 | N/A | N/A |
| PC-A | NIC | 192.168.1.3 | 255.255.255.0 | 192.168.1.1 | S1 FA0/6 |
| PC-C | NIC | 192.168.3.3 | 255.255.255.0 | 192.168.3.1 | S3 FA0/18 |

 


For the RADIUS server AAA, you simply configure on the host the users and keys that will be used for authentication.

Router Configuration

 

Router 1

hostname R1

!

enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.

!

aaa new-model

!

aaa authentication login default group radius none

!

no ip cef

no ipv6 cef

!

no ip domain-lookup

!

spanning-tree mode pvst

!

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/0/0

ip address 10.1.1.1 255.255.255.252

clock rate 64000

!

router eigrp 100

network 192.168.1.0

network 10.1.1.0 0.0.0.3

no auto-summary

!

ip classless

!

ip flow-export version 9

!

radius-server host 192.168.1.3 auth-port 1645 key ciscoaaapass

!

line con 0

exec-timeout 5 0

password 7 0822455D0A165445415F59

logging synchronous

!

line vty 0 4

exec-timeout 5 0

password 7 0822455D0A165445415F59

!

end

 

Verification

In the running configuration, the router connects to the RADIUS server for verification at the login console of the router.

Using telnet, the client computer can connect to the router using RADIUS authentication.

Task 7 TACACS+ Server AAA

TACACS+, or the Terminal Access Controller Access-Control System Plus, is a protocol from CISCO Systems and was released in 1993. TACACS+ does not implement transmission control. RADIUS, by comparison, encrypts only the user’s password as it travels from one client to another; all other information in a RADIUS exchange can be seen, so it is vulnerable compared to TACACS+. TACACS+ encrypts all information travelling over the network.
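To make the RADIUS side of this comparison concrete, the added example below (not part of the original assignment) builds a RADIUS Access-Request as RFC 2865 specifies and then reads it back the way an observer on the network path could. The username and shared key come from the Task 6 configuration; the password, identifier and request authenticator are constructed sample values.

```python
import hashlib
import struct

# Values taken from the Task 6 router configuration on this page.
SHARED_SECRET = b"ciscoaaapass"
USERNAME = b"bryan"
# Constructed sample values (assumptions): a real client picks a fresh random
# 16-byte Request Authenticator for every request.
PASSWORD = b"ExamplePass1"
AUTHENTICATOR = bytes(range(16))

USER_NAME, USER_PASSWORD = 1, 2   # RFC 2865 attribute types
ACCESS_REQUEST = 1                # RFC 2865 packet code


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with an MD5 keystream."""
    size = max(16, -(-len(password) // 16) * 16)   # round up, at least one block
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """What the RADIUS server does with its own copy of the shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def build_access_request(identifier, authenticator, username, password, secret):
    """Code, identifier, length, authenticator, then type-length-value attributes."""
    hidden = hide_password(password, secret, authenticator)
    attrs = b""
    for attr_type, value in ((USER_NAME, username), (USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {attribute type: value} exactly as it appears on the wire."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def demo():
    packet = build_access_request(1, AUTHENTICATOR, USERNAME, PASSWORD, SHARED_SECRET)
    seen = parse_attributes(packet)
    return {
        "username_on_wire": seen[USER_NAME],          # readable without any key
        "password_on_wire": seen[USER_PASSWORD],      # 16 hidden bytes
        "server_recovers": reveal_password(
            seen[USER_PASSWORD], SHARED_SECRET, AUTHENTICATOR),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The User-Name attribute is carried as plain bytes, while the User-Password attribute is protected only by the shared key configured on the router and the server, so the strength of that key matters.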

Topology for the TACACS+ server AAA


 

TACACS+ configuration

 

hostname R2

!

enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.

!

username bryan secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.

!

interface Serial0/0/0

ip address 10.1.1.2 255.255.255.252

!

interface Serial0/0/1

ip address 10.2.2.2 255.255.255.252

clock rate 64000

!

router eigrp 100

network 10.1.1.0 0.0.0.3

network 10.2.2.0 0.0.0.3

no auto-summary

!

tacacs-server host 192.168.1.3 key tacacspass

!

login local

!

line aux 0

!

line vty 0 4

!

end

Verification:

This router will use TACACS+ on server 192.168.1.3, and the information entered for the username and password will be verified.
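The AAA settings in the Task 6 and Task 7 router configurations can be checked mechanically before relying on them. The following is an added example, not part of the original assignment: a small Python audit run over trimmed copies of those two configurations, re-indented as a running configuration would be (constructed samples). The finding codes, function names and the HARDENED variant are illustrative assumptions.

```python
import re

# Constructed samples: trimmed copies of the Task 6 (R1) and Task 7 (R2)
# configurations from this page.
R1_RADIUS = """\
hostname R1
aaa new-model
aaa authentication login default group radius none
radius-server host 192.168.1.3 auth-port 1645 key ciscoaaapass
line con 0
 exec-timeout 5 0
 password 7 0822455D0A165445415F59
line vty 0 4
 exec-timeout 5 0
 password 7 0822455D0A165445415F59
end
"""

R2_TACACS = """\
hostname R2
tacacs-server host 192.168.1.3 key tacacspass
login local
line aux 0
line vty 0 4
end
"""

# Assumption: one possible corrected form of R1; names in <> are placeholders.
HARDENED = """\
hostname R1
aaa new-model
username <local-admin> secret <placeholder>
aaa authentication login default group radius local
radius-server host 192.168.1.3 auth-port 1645 key <shared-secret-placeholder>
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 transport input ssh
end
"""


def parse_sections(config):
    """Split a config into global commands and {line header: [sub-commands]}."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("line "):
            current = line
            sections[current] = []
        elif line == "end":
            current = None
        elif current is not None and raw.startswith(" "):
            sections[current].append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def audit(config):
    """Return a list of (finding code, location) tuples."""
    global_cmds, sections = parse_sections(config)
    findings = []
    aaa_enabled = "aaa new-model" in global_cmds
    methods = [g for g in global_cmds if g.startswith("aaa authentication login")]

    # A final "none" method means login succeeds unauthenticated whenever
    # the AAA server does not answer.
    for method in methods:
        if method.split()[-1] == "none":
            findings.append(("AAA-NONE-FALLBACK", method))

    # A server that no login method list references is never consulted.
    for prefix, group in (("radius-server host", "group radius"),
                          ("tacacs-server host", "group tacacs+")):
        servers = [g for g in global_cmds if g.startswith(prefix)]
        used = aaa_enabled and any(group in m for m in methods)
        if servers and not used:
            findings.append(("AAA-SERVER-UNUSED", prefix))

    for header, cmds in sections.items():
        # Type 7 is reversible obfuscation, not a hash.
        if any(re.match(r"password 7 \S+", c) for c in cmds):
            findings.append(("TYPE7-PASSWORD", header))
        # The page logs in over Telnet; flag vty lines not restricted to SSH.
        if header.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(("VTY-NOT-SSH-ONLY", header))
    return findings


if __name__ == "__main__":
    for name, cfg in (("R1", R1_RADIUS), ("R2", R2_TACACS), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

On the R2 sample the audit reports that the TACACS+ server is defined but no `aaa authentication login` method list refers to it, which is worth checking on the device before depending on it for logins.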


Task 8 Vulnerability Assessment using GFI Languard

GFI Languard is a network security scanning and patch management solution. It provides a complete platform covering your network setup and risk analysis, and helps maintain a secure and compliant network. This process includes scanning the network to discover all devices connected to it, including mobile devices, and searching for security issues. Devices can be managed remotely either with an agent or without one. For a remote agentless scan, first specify your target devices and a scanning profile that indicates what to look for, then enter the proper authorizations. [5] GFI. (n.d.).

Steps on how to setup and use GFI Languard:

  1. The Alerting Options of GFI Languard can be found by logging in to the console.

Figure 8.1 Alerting option configuration

  2. Set up an email address that the alerts will come from and also specify a recipient.

Figure 8.2 General setup for email addresses

  3. Next are the vulnerability assessment settings. They provide an option to choose which profile will be scanned and to activate high security vulnerabilities.

Figure 8.3 Profile options for vulnerability assessment

  4. The selected profiles can be edited so that administrators can add and remove different items to be included in or excluded from the scan.

Figure 8.4 Vulnerabilities profiles

  5. Network and software auditing for the administrator based on the profile chosen.

Figure 8.5 Each profile can be further customized to best fit the requirement of the organization.

Figure 8.6 Scanning options for network and software audit

  6. Scheduling a scan in GFI Languard makes vulnerability scanning easy for administrators. It offers a Scheduled Scan option to perform a scan at a specific date and time.

Figure 8.7 Performing scheduled scan

Figure 8.8 Type of scan desired

Figure 8.9 specific day and time to avoid affecting user’s productivity

Figure 8.10 Successful scheduled scan

Task 9 NVD – National Vulnerability Database

NVD is the U.S. government source of standards-based vulnerability management data from NIST (the National Institute of Standards and Technology), represented using the Security Content Automation Protocol (SCAP). The data from NVD enables automation of security management, vulnerability measurement and compliance. NVD includes databases of security checklists, software flaws, misconfigurations, product names and impact metrics. [6] NVD. (2017, October).

Here are 5 vulnerabilities that are listed on the website:

1. CVE-2017-16543 Detail

  • Zoho ManageEngine Applications Manager 13 permits SQL injection via GraphicalView.do using a crafted viewProps yCanvas field.
Source: MITRE Last Modified: 11/05/2017
US-CERT/NIST Original release date: 11/05/2017

2. CVE-2017-16545 Detail

  • The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 fails to validate colormapped images, which allows remote attackers to cause a denial of service (DoS) or possibly have unspecified other impact via a malformed image.
Source: MITRE Last Modified: 11/05/2017
US-CERT/NIST Original release date: 11/05/2017

3. CVE-2017-16546 Detail

  • The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 fails to validate the colormap index in a WPG palette, which allows remote attackers to cause a DoS or possibly have unspecified other impact via a malformed file.
Source: MITRE Last Modified: 11/05/2017
US-CERT/NIST Original release date: 11/05/2017

4. CVE-2017-16547 Detail

  • The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 fails to look for pop keywords that are linked with push keywords, which allows remote attackers to cause a DoS or possibly have unspecified other impact via a crafted file.
Source: MITRE Last Modified: 11/06/2017
US-CERT/NIST Original release date: 11/06/2017

5. CVE-2017-16548 Detail

  • The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a DoS or possibly have unspecified other impact by sending crafted data to the daemon.
Source: MITRE Last Modified: 11/06/2017
US-CERT/NIST Original release date: 11/06/2017

Task 10 CISCO Intrusion Prevention Configuration

The CISCO Intrusion Prevention System (IPS) is used to alert on attack patterns when a security breach occurs. Together with a router and a secured internet firewall, the IPS can be a powerful defence mechanism for the network.

Topology for CISCO Intrusion Prevention Configuration

Device  Interface  IP Address   Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1  255.255.255.0    N/A
R1      S0/0/0     10.1.1.1     255.255.255.252  N/A
R2      S0/0/0     10.1.1.2     255.255.255.252  N/A
R2      S0/0/1     10.2.2.2     255.255.255.252  N/A
R3      Fa0/1      192.168.3.1  255.255.255.0    N/A
R3      S0/0/1     10.2.2.1     255.255.255.252  N/A
PC-A    NIC        192.168.1.3  255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.3  255.255.255.0    192.168.3.1

Router 1 Configuration

hostname R1
!
enable secret 5 $1$mERr$oM/JyxYqfgpr/DlQ0ZM/h.
!
no ip cef
no ipv6 cef
!
no ip domain-lookup
!
spanning-tree mode pvst
!
ip ips config location flash:ipsdir retries 1
ip ips name iosips
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip ips iosips out
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.0
!
router eigrp 10
 network 192.168.1.0
 network 10.0.0.0
 auto-summary
!
logging 192.168.1.50
line con 0
 exec-timeout 0 0
 password conpass
 logging synchronous
 login
!
line aux 0
 exec-timeout 0 0
 password auxpass
 login
!
line vty 0 4
 exec-timeout 0 0
 password vtypass
 login
!
end

Verify settings

  1. The command show ip ips all displays an IPS configuration status summary.

  2. PC-C to PC-A: The pings should fail. This is because the IPS rule for the event-action of an echo request was set to “deny-packet-inline”.

  3. PC-A to PC-C: The ping should be successful. This is because the IPS rule does not cover echo replies. When PC-A pings PC-C, PC-C responds with an echo reply.
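
The Router 1 configuration in this task keeps lab settings on its management lines: cleartext line passwords, exec-timeout 0 0, and vty lines that are not limited to SSH. The check below is an added example, not part of the original assignment; the function names line_sections and audit are hypothetical, and it flags those settings in the lines copied from that configuration.

```python
import re

# Management-plane lines from the Router 1 configuration on this page.
R1_CONFIG = """\
enable secret 5 $1$mERr$oM/JyxYqfgpr/DlQ0ZM/h.
!
line con 0
 exec-timeout 0 0
 password conpass
 logging synchronous
 login
!
line aux 0
 exec-timeout 0 0
 password auxpass
 login
!
line vty 0 4
 exec-timeout 0 0
 password vtypass
 login
!
"""

def line_sections(config):
    """Group sub-commands under each 'line ...' header; '!' closes a group."""
    groups, current = {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = groups.setdefault(cmd, [])
        elif cmd == "!":
            current = None
        elif cmd and current is not None:
            current.append(cmd)
    return groups

def audit(config):
    """Return (scope, finding) pairs for weak management-plane settings."""
    findings = []
    if re.search(r"^\s*enable secret 5 ", config, re.M):
        findings.append(("global", "enable secret is a type 5 (MD5-based) hash"))
    obfuscated = re.search(r"^\s*service password-encryption\s*$", config, re.M)
    for header, cmds in line_sections(config).items():
        if "exec-timeout 0 0" in cmds:
            findings.append((header, "idle sessions never time out"))
        if not obfuscated and any(re.fullmatch(r"password (?!7 )\S+", c) for c in cmds):
            findings.append((header, "line password stored in cleartext"))
        if header.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append((header, "vty not restricted to SSH"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(R1_CONFIG):
        print(f"{scope}: {finding}")
```

Outside a lab, these findings are usually addressed with a finite exec-timeout, login local backed by username ... secret accounts, and transport input ssh on the vty lines.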

Task 11 CISCO Context Based Access Firewall

The CISCO Context-Based Access Control (CBAC) is used to build a CISCO IOS firewall. In this task, we will create a basic CBAC configuration on the third router (R3), which will provide access to the server outside of the network. After it is configured, the firewall is verified from internal and external hosts.

Topology for CISCO Context Based Access Firewall

Device  Interface  IP Address   Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1  255.255.255.0    N/A
R1      S0/0/0     10.1.1.1     255.255.255.252  N/A
R2      S0/0/0     10.1.1.2     255.255.255.252  N/A
R2      S0/0/1     10.2.2.2     255.255.255.252  N/A
R3      Fa0/1      192.168.3.1  255.255.255.0    N/A
R3      S0/0/1     10.2.2.1     255.255.255.252  N/A
PC-A    NIC        192.168.1.3  255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.3  255.255.255.0    192.168.3.1

Router 3 Configuration

hostname R3
!
no ip cef
no ipv6 cef
!
no ip domain-lookup
!
ip inspect name IR icmp audit-trail on timeout 3600
ip inspect name IR telnet audit-trail on timeout 3600
ip inspect name IR http audit-trail on timeout 3600
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 ip access-group ACL in
 ip inspect IR out
!
ip classless
ip route 192.168.3.0 255.255.255.0 10.2.2.2
ip route 10.2.2.0 255.255.255.252 10.2.2.2
ip route 10.1.1.0 255.255.255.252 10.2.2.2
ip route 192.168.1.0 255.255.255.252 10.2.2.2
!
ip flow-export version 9
!
ip access-list extended ACL
 deny ip any any
!
logging 192.168.1.3
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Verify Firewall Functionality

  1. Open a Telnet session from PC-C to R2 and, while the session is active, run: show ip inspect sessions

  2. PC-C to PC-A would allow a ping but will refuse a telnet session.

  3. PC-A to PC-C would block all traffic.

  4. The syslog on PC-A logs all attempts.

Task 12 CISCO Zone Based firewall

The CISCO Zone-based firewall is a newer configuration model of CISCO firewall policies for multi-interface routers. It also increases the firewall protection applied and has a default deny-all policy that blocks traffic between firewall security zones unless access has been explicitly granted to allow desirable traffic to a network.

Device  Interface  IP Address   Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1  255.255.255.0    N/A
R1      S0/0/0     10.1.1.1     255.255.255.252  N/A
R2      S0/0/0     10.1.1.2     255.255.255.252  N/A
R2      S0/0/1     10.2.2.2     255.255.255.252  N/A
R3      Fa0/1      192.168.3.1  255.255.255.0    N/A
R3      S0/0/1     10.2.2.1     255.255.255.252  N/A
PC-A    NIC        192.168.1.3  255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.3  255.255.255.0    192.168.3.1

Router 3 Configuration

hostname R3
!
enable secret 5 $1$mERr$TfFTxE.mmb5O5BVC56ndL0
!
spanning-tree mode pvst
!
class-map type inspect match-all INclassMAP
 match access-group 101
!
policy-map type inspect POLICYmap
 class type inspect INclassMAP
  inspect
!
zone security INzone
zone security OUTzone
zone-pair security ZONEpair source INzone destination OUTzone
 service-policy type inspect POLICYmap
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security INzone
 duplex auto
 speed auto
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 zone-member security OUTzone
!
ip classless
ip route 10.2.2.0 255.255.255.252 10.2.2.2
ip route 10.1.1.0 255.255.255.252 10.2.2.2
ip route 192.168.1.0 255.255.255.0 10.2.2.2
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
line con 0
 exec-timeout 0 0
 password ciscoconpa55
 logging synchronous
 login
!
line aux 0
!
line vty 0 4
 exec-timeout 0 0
 password ciscovtypa55
 login
!
end

Test Firewall Functionality: from INSIDE zone to OUTSIDE zone

  1. Ping from PC-C to PC-A.

  2. Open a Telnet session from PC-C to R2.

  3. On Router 3, issue the command: show policy-map type inspect zone-pair sessions

Test Firewall Functionality: from OUTSIDE zone to INSIDE zone

  1. From the PC-A server command prompt, ping PC-C.

  2. From router R2, ping PC-C.
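
The verification steps in Task 11 (CBAC) and Task 12 (zone-based firewall) rest on the same mechanism: R3 records sessions opened from the 192.168.3.0/24 side and lets only their replies back in. The Python model below is an added illustration, not part of the original assignment and not Cisco's implementation; its class and function names are hypothetical, and it assumes only ICMP echo and TCP traffic.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.3.0/24")  # R3 LAN from the topology table
# Which opening protocol a return packet answers (model assumption: echo and TCP only).
ANSWERS = {"icmp-echo-reply": "icmp-echo", "tcp": "tcp"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0

class R3Firewall:
    """Simplified model of R3's Serial0/0/1 edge, built from the two configs."""
    def __init__(self, inspects, drop_unmatched):
        self.inspects = inspects              # does an outbound packet open a session?
        self.drop_unmatched = drop_unmatched  # ZBF class-default drops; CBAC has no outbound ACL
        self.sessions = set()

    def forward(self, pkt):
        if ipaddress.ip_address(pkt.src) in INSIDE:       # inside -> outside
            if self.inspects(pkt):
                self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return True
            return not self.drop_unmatched
        # outside -> inside: "deny ip any any" (CBAC) or no zone-pair (ZBF),
        # so only a reply to a recorded session gets through.
        opener = ANSWERS.get(pkt.proto)
        return (pkt.dst, pkt.src, opener, pkt.dport, pkt.sport) in self.sessions

def cbac():
    # ip inspect name IR icmp / telnet / http, applied "out" on Serial0/0/1
    return R3Firewall(lambda p: p.proto == "icmp-echo" or
                      (p.proto == "tcp" and p.dport in (23, 80)), drop_unmatched=False)

def zbf():
    # access-list 101 permit ip 192.168.3.0 0.0.0.255 any -> INclassMAP -> inspect
    return R3Firewall(lambda p: ipaddress.ip_address(p.src) in INSIDE, drop_unmatched=True)

def ping_succeeds(fw, src, dst):
    """The echo request must pass R3 one way and the echo reply the other."""
    return (fw.forward(Packet(src, dst, "icmp-echo")) and
            fw.forward(Packet(dst, src, "icmp-echo-reply")))

PC_A, PC_C, R2 = "192.168.1.3", "192.168.3.3", "10.2.2.2"

if __name__ == "__main__":
    for name, make in (("CBAC", cbac), ("ZBF", zbf)):
        print(name, "PC-C -> PC-A ping:", ping_succeeds(make(), PC_C, PC_A))
        print(name, "PC-A -> PC-C ping:", ping_succeeds(make(), PC_A, PC_C))
```

The model also shows one difference between the two configurations: under CBAC a protocol that is not named in an ip inspect rule still leaves the network but its replies are dropped by the inbound ACL, while the zone-based policy inspects everything that matches access-list 101.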

Task 13 Fortinet Unified Threat Management

Fortinet Unified Threat Management is a security management tool that an administrator uses to monitor and manage all security-related applications and infrastructure components from one graphical user interface console. [7] Fortinet. (2017, October 12).

Steps on how to configure Fortinet IPS:

  1. Intrusion Protection can be configured by choosing security profiles and clicking on Intrusion Protection.

Figure 13.1 Administrator can choose which signatures to allow or deny

  2. Data leak prevention is another way to filter out security threats. It has a sensor-based scanner that lets an administrator specify which messages to look for in incoming information.

Figure 13.2 Data leak prevention in security profiles

  3. VPN Tunnels are used to set up a VPN connection.

Figure 13.3 VPN tunnels configuration

Figure 13.4 VPN tunnel authentication

Task 14 Cyberoam Unified Threat Management

Cyberoam Unified Threat Management provides strong security to businesses, from small to large companies. It has a Layer 8 identity-based platform with multiple security features. It uses the Extensible Security Architecture (ESA) to eliminate all kinds of security threats. [8] Sophos. (2017).

Minimum System Requirements:

  • PC with virtual machine(Hyper-V)
  • 1GB vRAM
  • 2 Virtual Network Interfaces (vNIC)
  • Primary Disk with 6GB size
  • Auxiliary Disk with 100GB size
  • 1 Serial Port
  • 1 USB Port

Steps on how to configure Cyberoam UTM:

  1. Download the Cyberoam installer from the website

Figure 14.1 website of Cyberoam UTM

  2. Install Cyberoam Firewall on a virtual machine and be sure that the minimum system requirements are met.

Figure 14.2 login dialog box of Cyberoam

  3. Run the virtual machine.

Figure 14.3 Running virtual machine(Hyper-V)

  4. On another virtual machine on the same computer (connected via VLAN), open Internet Explorer and go to http://172.16.16.16. Use admin as both the username and the password.

Figure 14.4 login page using the designated URL

  5. After logging in, the dashboard appears, displaying the status of the firewall.

Figure 14.5 Dashboard of Cyberoam UTM

  6. To secure the Cyberoam firewall, appliance access is configured through a wizard that helps the administrator set up a basic Cyberoam firewall and enable user restrictions. It is based on checklists of whether each protocol will be enabled or disabled.

Figure 14.6 Appliance access of Cyberoam

  7. Using an identity-based policy in Cyberoam is a secure way to set up access privileges. The user has a variety of selections based on the network’s requirements.

Figure 14.7 Identity based policy of Cyberoam

  8. Using the Cyberoam surfing quota ensures that all users comply with the company’s policy. It limits how much data each user can consume in a given time period. This limit must be set by an administrator.

Figure 14.8 Surfing quota of Cyberoam

  9. Using Cyberoam remote VPN enables the user to remotely connect the server to the private network using a VPN. It is done using the web console and client outline.

Figure 14.9 remote VPN of Cyberoam

Recommendation:

Implementing a secure and reliable network entails many considerations. These can be split into three main categories: hardware, software and user requirements. The main consideration is the hardware requirements. Hardware cost is just the beginning, since hardware needs to be upgraded and maintained regularly, which can affect business network downtime and the performance of employees. This means that the company should make the best decision on which computers and firewalls to purchase. Storage is also a problem: as the company grows, the data stored on the server will also increase. Lastly, there is the availability of the computers: since all computers are shipped from one manufacturer to the client, delivery will take time. Another consideration in implementation is the software requirements. First is software legitimacy. All computers should run genuine software to prevent bugs and errors. Also, the software on all computers, including the operating system, must be regularly updated. Lastly, the user requirements must be considered for implementation. As IT staff, it is our job to create a secure network environment and lessen the complex work for the end users.

For all of these requirements, the company would always hire an IT specialist for a secure and reliable network infrastructure. In the world we live in today, security breaches occur more often than ever before. Implementing a server setup requires maximum consideration and investment from the company, but it starts with IT staff. For growing IT businesses, all data and information, including networks, will be in cloud-based programs. As we enter the future of IT infrastructure, cloud computing will be the best for integrated networks.

REFERENCES with APA format:

[1] Rouse. (2016). What is Active Directory? – Definition from WhatIs.com. Retrieved November 10, 2017, from http://searchwindowsserver.techtarget.com/definition/Active-Directory

[2] Microsoft. (2017). What’s new in Exchange 2016. Retrieved November 10, 2017, from https://technet.microsoft.com/en-us/library/jj150540(v=exchg.160).aspx

[3] Barracuda. (n.d.). Barracuda Spam Firewall. Retrieved November 10, 2017, from https://www.barracuda.com/landing/pages/spamfirewall/

[4] Rouse. (2012). What is Microsoft Outlook? – Definition from WhatIs.com. Retrieved November 10, 2017, from http://searchexchange.techtarget.com/definition/Microsoft-Outlook

[5] GFI. (n.d.). Network Security, Network Monitor and Network scanner with Vulnerability Scanning, Patch Management and Application Security | GFI LanGuard performs vulnerability assessments to discover threats early. Retrieved November 10, 2017, from https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard

[6] NVD. (2017, October). Vulnerabilities. Retrieved November 10, 2017, from https://nvd.nist.gov/vuln/full-listing/2017/11

[7] Fortinet. (2017, October 12). Retrieved November 10, 2017, from https://en.wikipedia.org/wiki/Fortinet

[8] Sophos. (2017). Retrieved November 10, 2017, from https://www.cyberoam.com/microsite/unified-threat-management
