SECURITY+ V4 LAB SERIES
Lab 15: Implementing Common Protocols and
Services for Basic Security Practices
Document Version: 2023-02-27
Material in this Lab Aligns to the Following
CompTIA Security+ (SY0-601) Exam Objectives:
3.1: Given a scenario, implement secure protocols
3.3: Given a scenario, implement secure network designs
All-In-One CompTIA Security+ Sixth Edition (ISBN-13: 978-1260464009) Chapters:
17: Secure Protocols
19: Secure Network Design
Copyright © 2023 Network Development Group, Inc.
www.netdevgroup.com
NETLAB+ is a registered trademark of Network Development Group, Inc.
KALI LINUX ™ is a trademark of Offensive Security.
Microsoft®, Windows®, and Windows Server® are trademarks of the Microsoft group of companies.
VMware is a registered trademark of VMware, Inc.
SECURITY ONION is a trademark of Security Onion Solutions LLC.
Android is a trademark of Google LLC.
pfSense® is a registered mark owned by Electric Sheep Fencing LLC (“ESF”).
All trademarks are property of their respective owners.
Contents
Introduction
Objective
Lab Topology
Lab Settings
1 Protecting Sensitive Data
1.1 Load Lab Configuration
1.2 Configuring SquidGuard
1.3 Configure & Test Firefox Proxy Settings
2 Configuring and Enabling SSL for HTTP Services
2.1 Generating a Server Key and Server Certificate
2.2 Configure Apache to Utilize SSL
2.3 Configuring & Testing HTTPS Test Page
Introduction
In this lab, you will be conducting network security practices by implementing common protocols.
Objective
In this lab, you will perform the following tasks:
Configuring a Proxy server
Configuring and Enabling SSL for HTTP Services
Lab Topology
Lab Settings
The information in the table below will be needed in order to complete the lab. The task sections
below provide details on the use of this information.
Virtual Machine   IP Address     Account (if needed)   Password (if needed)
pfSense           192.168.0.1    sysadmin              NDGlabpass123!
UbuntuSRV         172.16.1.10    sysadmin              NDGlabpass123!
1 Protecting Sensitive Data
1.1 Load Lab Configuration
1. Click on the UbuntuSRV tab to access the UbuntuSRV VM.
2. Log in as username sysadmin, password NDGlabpass123!.
3. Open a web browser by clicking on the Firefox icon located in the left menu pane.
4. Within the Firefox web browser, type 172.16.1.1 into the address bar, followed by pressing
Enter.
5. Once presented with the pfSense login page, type sysadmin as the username and
NDGlabpass123! as the password. Click Login.
6. Once logged in, focus on the top menu pane and navigate to System > Package Manager.
7. Make sure to view the Installed Packages tab. Verify that both the squid and squidguard packages
are installed.
8. Once verified, navigate to Services > Squid Proxy Server.
9. First, click on the Local Cache tab, then scroll down to find and set the Hard Disk Cache Size to 50.
10. Scroll to the bottom of the page and click Save. The page will refresh and bring you back to the top
after it is saved.
11. Then, click on the General tab and check the checkbox to Enable the Squid Proxy.
12. Select LAN and DMZ for the Proxy interface. To do so, hold the CTRL key and select each entry until
both are highlighted.
13. Use port number 3128 as the Proxy port.
14. Uncheck the checkbox next to Allow users on interface.
15. Check the checkbox next to Transparent proxy to enable this feature.
16. Scroll down until you see the Enabled Access Logging entry. Check the checkbox to enable.
17. Verify that the Log store directory is configured to /var/squid/logs.
18. Type the number 7 as the value for the Rotate Logs field.
19. For Visible Hostname, type proxy.pfsense.
20. For the Administrator Email, type [email protected].
21. Scroll to the bottom of the page and click Save.
22. Next, click on the ACLs tab. Enter the subnets mentioned below into the Allowed subnets field.
a. 192.168.0.0/24
b. 172.16.1.0/28
23. Scroll towards the bottom of the page until you see ACL Safeports. Type 80 and 443 into the text
field with a space in between.
24. Type 443 for ACL SSLports.
25. Click the Save button.
26. Click on the Traffic Mgmt tab. For Maximum Download Size, enter the value 500000 to represent
500MB as the maximum download file size.
27. For Maximum Upload Size, enter the value 50000 to represent 50MB as the maximum upload file
size.
28. Scroll towards the bottom and click the Save button.
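The Allowed subnets from step 22 decide which clients Squid will serve, and the access log enabled in steps 16 to 18 records refused requests as TCP_DENIED. The following is an added example, not part of the original lab: it checks client addresses against those two subnets and triages constructed access.log lines in Squid's native format. The sample lines and all function names are assumptions.

```sh
#!/bin/sh
# Added example: which clients the lab's "Allowed subnets" admit, applied to
# constructed Squid access.log lines (native log format).
ALLOWED_SUBNETS='192.168.0.0/24 172.16.1.0/28'   # values from step 22

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  echo "$1" | { IFS=. read -r a b c d
    echo $(( (a << 24) + (b << 16) + (c << 8) + d )); }
}

# True when address $1 falls inside CIDR block $2.
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# True when address $1 is inside any of the allowed subnets.
client_allowed() {
  for cidr in $ALLOWED_SUBNETS; do
    in_cidr "$1" "$cidr" && return 0
  done
  return 1
}

# Read access.log lines on stdin and print "client url verdict" for every
# TCP_DENIED entry. The verdict says whether the client sits outside the
# allowed subnets or inside them (then some other rule refused the request).
triage_denied() {
  while read -r ts elapsed client result bytes method url rest; do
    case $result in
      TCP_DENIED/*)
        if client_allowed "$client"; then v=inside-allowed-subnets
        else v=outside-allowed-subnets; fi
        echo "$client $url $v" ;;
    esac
  done
}

# Constructed sample lines, not taken from the lab.
SAMPLE_LOG='1677513600.101     12 172.16.1.10 TCP_MISS/200 1532 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1677513601.202      0 172.16.1.20 TCP_DENIED/403 3890 GET http://example.com/ - HIER_NONE/- text/html
1677513602.303      0 10.0.0.5 TCP_DENIED/403 3890 CONNECT example.com:443 - HIER_NONE/- text/html
1677513603.404      0 192.168.0.50 TCP_DENIED/403 3890 GET http://example.org/ - HIER_NONE/- text/html'

printf '%s\n' "$SAMPLE_LOG" | triage_denied
```

Note that 172.16.1.0/28 covers only 172.16.1.0 through 172.16.1.15, so UbuntuSRV (172.16.1.10) is admitted while a host at 172.16.1.20 is not.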
1.2 Configuring SquidGuard
1. While on the pfSense web configurator, navigate to Services > SquidGuard Proxy filter.
2. On the General settings tab, check the checkbox next to Enable.
3. Scroll down until you see Enable GUI log. Check the checkbox to enable this feature.
4. Check the box next to Enable log.
5. Scroll to the bottom of the page and click the Save button.
6. Once the page reloads, click the Apply button located towards the top of the page.
7. Next, click on the Target categories tab. Click the Add a new item icon.
8. For the Name, type Blist1.
9. For Order, select the dropdown box and choose --- Last ---.
10. Type casino.com into the whitespace area for Domain List.
11. Type casino into the whitespace area next to Regular Expression.
12. Select the dropdown box next to Redirect mode and choose int error page (enter error message).
13. Check the box next to the Log entry to enable logging for the ACL.
14. Click the Save button.
15. Click on the Common ACL tab. Click the Show rules icon within the Target Rules List pane.
16. Notice Blist1 is added to the list. For this entry, select the access dropdown box and choose deny.
Click the dropdown box entry for Default access [all] and select allow.
17. Within the whitespace area for the Proxy Denied Error, type Request denied by the XYZ
Security proxy.
18. Select the dropdown box next to Redirect mode and choose int error page (enter error message).
19. Check the box next to Log.
20. Click the Save button.
21. Once the page refreshes, click the General settings tab.
22. Scroll to the bottom and click the Save button.
23. To apply all configurations, click the Apply button.
24. Verify that the SquidGuard service state is STARTED.
1.3 Configure & Test Firefox Proxy Settings
1. While on the Firefox web browser, click the Application Menu icon located in the top-right corner,
followed by clicking on the Settings icon.
2. Scroll down to the bottom in the Settings tab and click on the Settings… button.
3. A pop-up window appears. Select the radio button for Manual proxy configuration. Type
192.168.0.1 as the HTTP Proxy and 3128 as the Port. Check the checkbox for Also Use this proxy
for all FTP and HTTPS.
4. Back on the Firefox Preferences window, close the Settings tab.
5. Open a new tab in Firefox by clicking the “+” icon located at the top. Type casino.com into the
address field followed by pressing Enter. Notice the traffic will be dropped due to the rule we
added.
6. Close the web browser.
7. Leave the UbuntuSRV window open to continue with the next task.
2 Configuring and Enabling SSL for HTTP Services
2.1 Generating a Server Key and Server Certificate
1. While on the Ubuntu system, open a new terminal window by clicking on the terminal icon located
on the left menu pane.
2. Create a new directory by typing the command below, followed by pressing the Enter key.
sysadmin@ubuntusrv:~$ mkdir sslcerts
3. Change to the newly made directory.
4. Verify that OpenSSL is installed on the system.
5. Type the following command to generate an RSA server key. When prompted for a passphrase,
type NDGlabpass123! followed by pressing the Enter key. When prompted once more, type
NDGlabpass123! again. Press Enter.
sysadmin@ubuntusrv:~$ openssl genrsa -des3 -out server.key 2048
6. Verify that the server.key has been generated.
7. Generate the Certificate Signing Request (CSR) with the new server.key.
sysadmin@ubuntusrv:~$ openssl req -new -key server.key -out server.csr
a. When prompted for the server.key pass phrase, type NDGlabpass123!. Press Enter.
b. During the signing request process, a series of questions will be asked. Type the information
given below for each step, followed by pressing Enter.
i. Country Name: US
ii. State Name: TX
iii. Locality Name: Austin
iv. Organization Name: XYZ Security
v. Organizational Unit Name: Press Enter
vi. Common Name: ubuntusrv.netlab.local
vii. Email: Press Enter
viii. Challenge Password: Press Enter
ix. Company Name: Press Enter
8. Once completed with the wizard, verify that server.csr has been created.
9. Sign the server.csr to create a server.crt file. When prompted for the passphrase, type
NDGlabpass123! followed by pressing Enter.
sysadmin@ubuntusrv:~$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
10. Verify that the new server.crt has been created.
11. View the contents of the newly created server.crt certificate.
sysadmin@ubuntusrv:~$ openssl x509 -in server.crt -noout -text
2.2 Configure Apache to Utilize SSL
1. Create a new directory that will act as a placeholder for the SSL objects. If prompted for a
password, enter NDGlabpass123!.
sysadmin@ubuntusrv:~$ sudo mkdir /etc/apache2/ssl_certs
2. While in the /sslcerts directory, generate the same server.key but with no passphrase requirement.
When prompted for a password for the server.key file, enter NDGlabpass123!.
sysadmin@ubuntusrv:~$ openssl rsa -in server.key -out server.key.nopass
3. List the current files in the directory. You should now have four different files.
4. Copy the server.key.nopass to the /etc/apache2/ssl_certs directory. If prompted for a password,
enter NDGlabpass123!.
sysadmin@ubuntusrv:~$ sudo cp server.key.nopass /etc/apache2/ssl_certs
5. Copy the server.crt file to the /etc/apache2/ssl_certs directory. If prompted for a password, enter
NDGlabpass123!.
sysadmin@ubuntusrv:~$ sudo cp server.crt /etc/apache2/ssl_certs
6. Change to the /etc/apache2/ssl_certs directory.
7. Verify that two files are present in the directory.
8. Rename the server.key.nopass file to server.key. If prompted for a password, enter
NDGlabpass123!.
sysadmin@ubuntusrv:~$ sudo mv server.key.nopass server.key
9. We already have an nginx server running, but since it is used for regular service, we will use the
Apache web service for this lab instead. First, type sudo service nginx stop to disable the
nginx server. If prompted for a password, type NDGlabpass123!.
10. Then type sudo service apache2 start to start the Apache service.
11. Enable the Apache SSL module with a2enmod. Then, restart the apache2 service. If prompted for a
password, type NDGlabpass123!.
sysadmin@ubuntusrv:~$ sudo a2enmod ssl
sysadmin@ubuntusrv:~$ sudo service apache2 restart
12. Create a new symbolic link to the default-ssl.conf file. If prompted for a password, type
NDGlabpass123!.
sysadmin@ubuntusrv:~$ sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
13. Verify that a Virtual Host is configured in the default sites-available file. Type the command below
to open the file with the nano text editor. If prompted for a password, type NDGlabpass123! .
sysadmin@ubuntusrv:~$ sudo nano /etc/apache2/sites-available/000-default.conf
14. When in the nano editor, confirm that the ServerName is set to 172.16.1.10:80. Then check the other
settings; if you see any missing entries, enter them as shown in the screenshot below. Once
finished, press CTRL+S to save, and CTRL+X to exit.
15. Next, edit the contents of the default-ssl file. Type the command below followed by pressing Enter.
If prompted for a password, type NDGlabpass123!.
sysadmin@ubuntusrv:~$ sudo nano /etc/apache2/sites-available/default-ssl.conf
16. Add the missing information as you did before. Use the arrow keys to position the cursor.
17. Press CTRL + S to save, and CTRL+X to exit.
18. Create a new directory.
sysadmin@ubuntusrv:~$ sudo mkdir /var/www_ssl
19. Leave the Terminal open for the next section.
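Task 2.1 and step 2 of Task 2.2 can be reproduced without prompts and then checked. The script below is an added example, not part of the original lab: it uses the lab's passphrase and subject values in a temporary directory, confirms the passphrase-free key matches the certificate, and shows the certificate is self-signed with a 365-day validity. The function names are assumptions.

```sh
#!/bin/sh
# Added example: Task 2.1 and step 2 of Task 2.2 without prompts, plus checks.
# LAB_PASS and LAB_SUBJ are the lab's own values; directories are temporary.
LAB_PASS='NDGlabpass123!'
LAB_SUBJ='/C=US/ST=TX/L=Austin/O=XYZ Security/CN=ubuntusrv.netlab.local'

# Create server.key, server.csr, server.crt and server.key.nopass in directory $1.
make_lab_cert() {
  openssl genrsa -des3 -passout "pass:$LAB_PASS" -out "$1/server.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/server.key" -passin "pass:$LAB_PASS" \
    -subj "$LAB_SUBJ" -out "$1/server.csr" &&
  openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
    -passin "pass:$LAB_PASS" -out "$1/server.crt" 2>/dev/null &&
  openssl rsa -in "$1/server.key" -passin "pass:$LAB_PASS" \
    -out "$1/server.key.nopass" 2>/dev/null
}

# SHA-256 of the public key inside a private key file ($2: passphrase, if any).
key_pub_fp() {
  openssl pkey -in "$1" -passin "pass:${2:-}" -pubout 2>/dev/null |
    openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key inside a certificate.
cert_pub_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# True when the PEM private key file is passphrase-protected.
key_is_encrypted() { grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; }

# True when subject and issuer are the same name and the certificate verifies
# against itself, which is why Firefox shows the warning page in Task 2.3.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when the certificate expires between 364 and 366 days from now (-days 365).
valid_about_one_year() {
  openssl x509 -in "$1" -noout -checkend $((364 * 86400)) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $((366 * 86400)) >/dev/null
}

lab_cert_demo() {
  d=$(mktemp -d) || return 1
  make_lab_cert "$d" || { rm -rf "$d"; return 1; }
  [ "$(key_pub_fp "$d/server.key.nopass")" = "$(cert_pub_fp "$d/server.crt")" ] &&
    echo "key matches certificate"
  key_is_encrypted "$d/server.key.nopass" || echo "Apache key copy has no passphrase"
  is_self_signed "$d/server.crt" && echo "certificate is self-signed"
  valid_about_one_year "$d/server.crt" && echo "validity is 365 days"
  rm -rf "$d"
}

command -v openssl >/dev/null 2>&1 && lab_cert_demo
```

The copy of the key that Apache reads has no passphrase, so file permissions on /etc/apache2/ssl_certs/server.key are its only protection.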
2.3 Configuring & Testing HTTPS Test Page
1. While on the Terminal, navigate to the /var/www_ssl directory.
2. Create a new index.html file. If prompted for a password, enter NDGlabpass123!.
3. Within the nano text editor, type the HTML code below.
<html>
<body>
<h1>Testing HTTPS Service</h1>
</body>
</html>
4. Press CTRL + S to save, and CTRL+X to exit.
5. Restart the Apache web service to apply all the configuration changes made. If prompted for a
password, enter NDGlabpass123!.
6. Open a new Firefox web browser by clicking the Firefox icon located on the left menu pane.
7. Within the address bar, type https://172.16.1.10. Press Enter.
8. When presented with the Warning page, click on Advanced….
9. When expanded, click on the Accept the Risk and Continue button.
10. Notice the web page with Testing HTTPS Service opens. To view the contents of the server
certificate, click the lock icon located to the left of the URL.
11. A small window will appear. Click on Connection not secure, then click More Information.
12. On the Page info screen, notice the Website Identity information. Click the View Certificate button.
13. On the Certificate Viewer window, notice the entries for Issuer Name and the period of Validity. All
values reflect the settings entered when the certificate was self-signed in Task 2.1.
14. The lab is now complete; you may end the reservation.