
Week2Ilab Sec450


Submitted By checkerspro
SEC450 Security Demands Opnet iLab

Objectives
In this lab, the students will examine the following objectives.

* The use of flow analysis to create required security demands

* Creation of ACLs to meet the requirements of the security demands

* Verification of security demands using web reports

Scenario
A small company is using the topology shown below. Minimal security measures have been implemented. Assume that the 200.100.0.0/16 network represents the Internet. The Dallas and Chicago Hosts need to be protected from specific types of traffic from the Internet.

Topology

The last page of the lab assignment document contains a full page topology. Remove this page and use it for reference to the topology and the IP addresses.

Initial OpNet Preparation

The Week 2 iLab is entitled Security Demands. The following steps show how to create the project required for the Week 2 iLab.

* Log into the Citrix iLab Environment (lab.devry.edu).

* Click on the OpNet 17 icon.

* Click the Accept button to open OpNet 17.

* Click File/Open and navigate to the F:\op_models\SEC450\SEC450.project\SEC450 file and click Open.

* In OpNet 17 with the SEC450 project open, click File/Save As.

* Save the project in the F:\op_models\SEC450 directory as SecurityDemands.

You are now ready to begin the Security Demands iLab with a project called SecurityDemands.

Initial Configuration
The Dallas and Chicago Routers’ FastEthernet and Serial interfaces used for the lab have been correctly configured and enabled. Unused interfaces have been shut down. The RIP routing tables are complete for all routers and hosts. No ACLs have been applied to any of the routers.

Lab Data Collection and Submission
Download and open the lab document file: SEC450_SecurityDemands_Report.docx. Enter your name and date at the top of the lab document. As you complete each task of the lab assignment, copy all relevant configuration information, web reports, tables, answered questions, and/or captured screenshots (as specified in the iLab assignment) into this lab document. You will submit the completed SEC450_SecurityDemands_Report.docx file into this week’s eCollege iLab Dropbox.

Note: RED text indicates the required capture of commands or windows from the OpNet program into your lab document. All completed tables and answered questions in the lab assignment must be transferred to your submitted lab document.

Task 1—Verify Initial Connectivity Between Router and Hosts

* Right-click on the Dallas Router and select OpenVirtualCLI. Enter privileged exec mode and, using the limited IOS commands available, verify the settings on the interfaces. Also display the routing table.

* Enter the IOS command that will verify that there are no ACLs defined on the Dallas Router.

* Verify connectivity between the Dallas Router and the ISP and Chicago Host and server PCs by pinging their IP addresses from the Virtual CLI.

* Select the Task 1 commands in the Virtual CLI using the mouse and click on the Copy button. Use <Ctrl>V to paste the commands into your lab document.

* Open the Flow Analysis menu and select Run Flow Analysis.

* Close the Flow Analysis Log that appears.

* Select Identify Unreachable Interfaces from the Flow Analysis menu. Select For all nodes in the Choose Nodes dialog and click Compute. Capture the Compute dialog window that says "All demands are routable" into your lab document.

Task 2—Security Demands Configuration

We will use the Object Palette to create a set of security demands for the network that protects the Dallas and Chicago Servers from all traffic other than FTP and HTTP.

* Open the Object Palette by clicking on the icon.

* Expand the Demand Models/By Type/IPSecurity folder and select the ip_security demand model.

* Click on the ip_security icon and then move the mouse cursor to the network topology window.

* Click on the Chicago Host icon, and then click on the Dallas Server icon. You should see a green arrow with the arrowhead on the Dallas Server as shown below. Right-click on a blank area of the network and select Abort Demand Definition.

* Left-click on the green line and select Edit Similar Demands.

* Click on the icon in the first column of the demand attribute and click Duplicate. Do this once more so that you will have three demand attribute rows in the table.

* Expand the name column. Delete any numbers at the end of the name fields and add the suffix FTP to the name field in the first row, HTTP to the name field in row two, and TELNET to the name field in row three.

* In the Destination Port field, change rows one and two to ftp and http respectively, and set row three as telnet.

* Set the Protocol field for all three rows to TCP. In the Security Type field, set rows one and two to Permit and row three to Deny.

* Your Demand Properties table should have the setting shown below. Note that I have collapsed some of the fields to make the important fields visible in the same window. Click the OK button. Click the Save icon on the tool bar or use the File menu to save the project changes.

* Run a Flow Analysis to update the topology with the new security demands.

* To see whether the security demands are implemented in the network configuration, we will use NetDoctor. Click on the Flow Analysis menu and select Security / Demands / Generate Web Report.

* Click Continue in the Publishing Options dialog.

* Check Global Tables and Object Tables in the Select Tables dialog and click Generate. In the next dialog, click OK unless you want to change the location of the web report.

* In the web report window, expand Global Tables -> Network Security and click Conformance. Note that the FTP and HTTP traffic is reaching the Dallas Server in conformance with the security demand rules that we created. Click Summary and note that there is one security violation identified.

* Click Violations to see what security violation has occurred. As expected, the DENY rule has been violated because no ACL has been applied to the network. Use <Alt><PrtSc> to capture the Violations web report. Use <Ctrl>V to paste the window into your lab document.

* Click on the Destination Reachable link for more information. The Security Demand Routing page shows the path taken for the traffic that should have been denied. Use <Alt><PrtSc> to capture the Security Demand Routing web report and paste it into your lab document with <Ctrl>V.

Close the NetDoctor Security Demands web report.

Task 3—Apply the ACL and Verify Security Demands Compliance

* Answer the question below.

If you are applying an extended ACL to deny specific packets, where should you apply it, as close to the source as possible or as close to the destination as possible? Explain your answer.

As close to the source as possible is how you apply an extended ACL. With extended ACLs you specify the source and the destination address, unlike standard ACLs.

* Open the Chicago Router's Virtual CLI. Enter global configuration mode by typing configure terminal. Configure an extended IP ACL # 100 that will meet the rules of our established security policy.

access-list 100 permit tcp host 192.168.200.10 host 192.168.100.11 eq 21
access-list 100 permit tcp host 192.168.200.10 host 192.168.100.11 eq 80
access-list 100 deny tcp host 192.168.200.10 host 192.168.100.11
access-list 100 permit ip any any

* Apply the access-list to the Chicago Router’s F0/0 interface for all inbound traffic. Select the ACL commands in the Virtual CLI using the mouse. Click on the Copy button. Use <Ctrl>V to paste the commands into your lab document.

* Close the Virtual CLI and run a Flow Analysis to update your topology. Save your project changes. Open the menu Flow Analysis / Security / Demands / Generate Web Report. Select Global Tables and Object Tables for your web report.

* Notice that the Global Tables -> Network Security menu options have changed. There is no longer an option for Violations and there is a new option called Configurations. Click on Configurations. Use <Alt><PrtSc> to capture the Configurations web report and <Ctrl>V to paste it into your lab document.

* Click on the Conformance option to validate the conformance of the network to our security demand rules. Note the TELNET traffic status is listed as Unroutable. This is because it was filtered by the ACL on the Chicago Router. Use <Alt><PrtSc> to capture the Conformance web report and <Ctrl>V to paste it into your lab document.

* Save your project and exit from OpNet IT Guru.
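
The outcome reported in Tasks 2 and 3 (one violation before the ACL, none after) can be checked by hand. The Python sketch below is an added example, not part of the lab or of OpNet: it evaluates ACL 100 with first-match semantics against the three security demands, assuming each demand runs between the two host addresses that appear in ACL 100.

```python
import ipaddress

# ACL 100 as entered on the Chicago Router in Task 3.
ACL_100 = """\
access-list 100 permit tcp host 192.168.200.10 host 192.168.100.11 eq 21
access-list 100 permit tcp host 192.168.200.10 host 192.168.100.11 eq 80
access-list 100 deny tcp host 192.168.200.10 host 192.168.100.11
access-list 100 permit ip any any
"""

# Task 2 demands as (name, destination port, Security Type).
# Assumption: the demand endpoints are the two hosts named in ACL 100.
SRC, DST = "192.168.200.10", "192.168.100.11"
DEMANDS = [("FTP", 21, "permit"), ("HTTP", 80, "permit"), ("TELNET", 23, "deny")]

def _take_addr(tok):
    """Consume 'any' or 'host A.B.C.D' (the only address forms ACL 100 uses)."""
    kind = tok.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    raise ValueError(f"unsupported address form: {kind}")

def parse_acl(text):
    """Parse well-formed 'access-list N action proto src dst [eq port]' lines."""
    rules = []
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        rest = tok[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((tok[2], tok[3], src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry decides; an applied ACL ends with an implicit deny."""
    if rules is None:  # no ACL applied to the interface, so nothing is filtered
        return "permit"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto in ("ip", proto) and s in r_src and d in r_dst and r_port in (None, dport):
            return action
    return "deny"

def violations(rules):
    """Names of demands whose actual result differs from their Security Type."""
    return [n for n, port, want in DEMANDS if evaluate(rules, "tcp", SRC, DST, port) != want]

if __name__ == "__main__":
    print("no ACL:", violations(None), "| ACL 100:", violations(parse_acl(ACL_100)))
```

Moving the final permit ip any any entry to the top of the list brings the TELNET violation back, because the first matching entry decides and the deny entry is never reached.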
