Skip to content

TechGiovanni/Network-Security-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

80 Commits
 
 
 
 

Repository files navigation

Welcome to the Network Security Lab

Objective

This Real-World Network Architecture and CyberSecurity Lab aims to establish a controlled environment simulating and detecting cyber attacks, setup up and secure Routers, Switches using security best practices, User provisioning and deprovisioning, as well as other system administration responsibilities. The primary focus was to ingest and analyze logs within a Security Information and Event Management (SIEM) system, generating test telemetry to mimic real world attack scenarios, perform system and network documentation.

This hands-on experience was designed to deepen understanding of network security, Network architecture, attack patterns, and defensive strategies.

Skills Learned

  • Advanced understanding of SIEM concepts and practical application.
  • Proficient in analyzing and interpreting network logs.
  • Enhanced knowledge of network protocols and security vulnerabilities
  • Development of critical thinking and problem-solving skills in cybersecurity and networks.
  • Proficient with cisco IOS to configure Routers and Switches

Tools Used

  • (Snort, Suricata, PfBlockNG) Security Information and Event Management (SIEM) system log ingestion, Analysis and Blocking Malicious IPs.
  • Network analysis tools (Wireshark, Advanced IP Scanner) for capturing and examining network traffic.
  • Network Documentation (Packet Tracer, GitHub)
  • Firewall tool (Pfsense) for protecting the network.
  • Cisco Router (csr1000v) for routing packets
  • Windows 11 Ent Client for client machines
  • Windows 2016 Core Server for DHCP, DNS and WINS IP configurations to client machines as well as Windows Server as a Router
  • Windows 2016 GUI Server for managing the network (Router, Firewalls, and computers)

Features

  • VPN that is setup to be Point-to-Point.
  • Active Directory Domain Service (Forest and Child Domain), Redundant Domain Controllers for Authentication, Authorization and Availability.
  • Pfsense Firewall and created Firewall Rules, blocking unnecessary ports.
  • Routing rules Blocking specific Ip Addresses.
  • Hyper-V Virtualization using Virtual Network Adapters to connect all Virtual Machines in this lab.

Steps

Ref 1: Network Diagram

Ref 2: Hyper-V Manager - Hosting all of the Virtual Machines used in this Project

The Final Network Architecture including (Security Operations Center, Attack Network, System Administration, Virtual Private Networks, Office & Corporate Envrironments, and the Intermediary Devices Cisco Router Csr1000v and Windows Routing)

Configuring the VPN Server IP Address on LAN 4

Ref 3: Windows VPN Server on LAN 4 to setup the PFsense-FW3

We ned an IP Address to communicate to other end-point devices. IN this case its the firewall. The default gateway is the Pfsense Firewall. The is directlt connected to the PFsense, so it is faster to configure it using this server than configuring the WDS01 and routers just to get to the Firewall to get internet.

Setup Pfsense-FW1 to get Internet Access on the Internal LAN

Ref 4: Pfsense Firewall IP address setup

This allows up to get access to the Pfsense web interface to further do firewall configurations, rules and download packages.

Our VPN server is directly connected to LAN 4, as well as the LAN interface side of the Pfsense-FW3. The WAN interface side of the Pfsense-FW3 is automatically getting a IP Address from the Internet Service Provider and using NAT to translate internal IP addresses into a single address for connecting out onto the internet.

Pfsense-FW1 Initial Configurations Web Interface

Ref 5: Pfsense Web Interface on HTTP

Ref 6: Pfsense Web Interface for firewall configurations - Setting DNS, and Domain

Ref 7: Setting the Timezone for my current location

Ref 8: Updating Pfsense to its latest version to mitigate vulnerability in the software

Ref 9: Change the default PFsense web interface to use HTTPS instead of HTTP

Pfsense-FW1 Setting up TCP & UDP Aliases and Firewall Rules to be able to access the internet on the LAN interface

Ref 10: Creating a TCP group of Ports called an Alias to use for convenience instead of having single Port rules.

Ref 11: Creating a UDP group Alias.

Ref 12: Using the TCP Aliase in a firewall Rule to Allow Traffic on these ports

Ref 13: Using the UDP Aliase in a firewall Rule to Allow Traffic on these ports

Ref 14: Creating a Rule to Allow ICMP Traffic (Echo Request, Echo Reply, Destination Unreachable, Time Exceeded and Parameter Problem on the LAN Interface ) For pinging

Ref 15: Reject ANY traffic that is not on the Allow Rules

Install PFBlockerNG

Ref 16: Install PFBlockerNG Package

Ref 17: The DNS Url and IP Address Block list created by PFBlockerNG

PFBlocker assigns many Ip Address Url lists such as IBlock Lists into a single Alias and choosing a Rule action to block Counrties, DNS and IP Block list Ranges.

It aggregates several IP and DNS block lists into a single Alias that can be checked.

This Stops traffic before the DNS Name resolution is even complete. Reducing the processing.

Install Snort - An Intrusion detection system (IDS) and Intrusion Prevention System (IPS)

Ref 18: Installed Snort

Ref 19: Snort Running on Both Interfaces WAN & LAN

Ref 20: LAN Configuration of Snort

Ref 21: WAN Configuration in snort

Ref 22: Snort Global Configurations 1

Ref 23: Snort Global Configurations 2

Ref 24: Snort Global Configurations 3

Ref 25: Create a Passlist on snort to allow your internal network to flow threw and not get blocked

Ref 26: Snort Pass List

Ref 27: If you realize you don't have internet or you can't ping the firewall, you were maybe blocked.

Remove yourself from the block list by just clicking the "x" on the right side. Now you should be able to ping and have internel access.

Ref 28: Include the Pass list on the snort LAN interface

Snort does signature based and Protocol Based Detection

Snort shows alerts and Blocks suspected IP Addresses

Setup LANR1-4-6 (Windows Core Server as a LAN Router)

sconfig

Change the Computer Name

Update the timezone if necessary

Ref 29: Allow Remote Management and update the IP Adrdesses of Each INterface

  • winrm Quickconfig
  • set-netfirewallrule -Profile Public,Private,Domain -DisplayGroup "Windows Remote Management" -Enabled True

Ref 30: Rename Net Adapter Name

  • rename-Netadapter -name "Ethernet 2" -newname "LAN1"
  • rename-Netadapter -name "Ethernet" -newname "LAN4"
  • rename-Netadapter -name "Ethernet 3" -newname "LAN6"

And then Set the IP Addresses for Each LAN Interface:

  • new-netipaddress -InterfaceAlias LAN1 -Ipaddress 192.168.1.254 -PrefixLength 24
  • new-netipaddress -InterfaceAlias LAN4 -Ipaddress 192.168.4.253 -PrefixLength 24 -DefaultGateway 192.168.4.254
  • new-netipaddress -InterfaceAlias LAN6 -Ipaddress 192.168.6.254 -PrefixLength 24

Ref 31: Setting up default routes for unknown destinations for LAN 1 and LAN 6

  • netsh interface ipv4 show interfaces
  • Shows the Name and index

  • netsh interface ipv4 add route 0.0.0.0/0 "LAN1" 192.168.4.254
  • Set default route

  • netsh interface ipv4 add route 0.0.0.0/0 "LAN6" 192.168.4.254
  • Set default route

  • route print
  • Verify that the default route has been set correctly

Disable IP Version 6 on the Interfaces

  • disable-NetAdapterBinding -Name LAN1 -ComponentID ms_tcpip6
  • disable-NetAdapterBinding -Name LAN4 -ComponentID ms_tcpip6
  • disable-NetAdapterBinding -Name LAN6 -ComponentID ms_tcpip6
  • route print
  • Verify that the default route has been set correctly


Install The Remote Access (Routing) Roles and Feature on the LANR1-4-6

Ref 32: Add roles and Features to setup this Core server as a router

Ref 33: Choose The Role for "Routing"

Add the Administration Roles and Features to WDS01 Mangement Server

Ref 34: Add Remote management tools to the WDS01 Management and Deployment Server

Access and Finish Setting up The Remote Access (Routing) Roles and Feature on the LANR1-4-6

Ref 35: Setup routing on the LANR1-4-6 Server. Choose "Custom Configuration" and then "LAN Routing"

Ref 36: Setup Static Routes, So packets can get through the router and onto the other side

Cisco Router CSR1000v

Setup Cisco Router - IP Addresses, Passwords, usernames, SSH, ACLs

Ref 37: Setup the IP Addresses for (GigabitEthernet1) LAN1 and (GigabitEthernet2) LAN 5 Interfaces on the Router

Ref 38: Setup Passwords for enable mode

Also encrypt the plain text passwords on running-config using "service password-encryption"

Ref 39: Setup Line VTY (Virtual Teletype)

Ref 40: Created usernames and passwords

for those users using the password policy for string passwords and over 20 characters and only allow username and password to login

Ref 41: Setup SSH on the Router

SSH allows for encryted traffic in both directions for confidentiality

Ref 42: Setup Static Routes

Allows for communication with the other Networks in our infrastructure.

Ref 43: Cisco Routing table with A Static Route for unknown destinations "Last Resort"

Ref 44: Setup ACLs

This was setup for the furture in case of malicious IP on the network that needs to be blocked. To mitigate risk.

Setup Pfsense-FW2

Ref 45: Pfsense copyright Acceptance to accept

Ref 46: Installation of Pfsense

Ref 47: Choose Manual Disk Setup (experts)

This method is the only one that works so far while using Pfsense.

Ref 48: Auto Disk setup

This created three partitions (da0p1 da0p2, da0p3)

Ref 49: Commit these changes

Ref 50: Extracting the files and installing them on the disk.

Ref 51: Installation of Pfsense is Complete

After the installation is complete we will go to the shell.

Ref 52: Halt Pfsense

We need some tiem to remove the ISO before Pfsense Reboots, Otherwise we will get the screen to Install Pfsense again.

Eject the Pfsense ISO disk at this time.

After ISO is ejected. CLick any key to continue with the reboot.

Ref 53: Pfsense Initial Screen after reboot

Only the default LAN ip address is setup. We will change this to our internal IP Addresses.

Ref 54: WAN interface IP Address setup

This is pointing to the internet

Ref 55: Setup the LAN and WAN Ip Addresses

Now we will have access to the Pfsense web interface from within the LAN network that is directly connected

Create a Windows Desktop Virtual Machine to finish configuring the PFsense-FW2

Ref 56:

The configuration process will be the same as Pfsense-FW2 expect for the IPS/IDS system

Then we will setup Active Directory, DHCP,DNS and WINS Server. then add a redundant DC02 controller for Availability purposes.

PFsense-FW2 WAN interface Rule Update

Ref 57: Updating the Firewall TCP Alias to include Active directory ports on the LAN

Updating the Firewall rule to allow Active Directory Services Inbound on TCP ports on the WAN interface

Ref 58: Updating the Firewall UDP Alias to include Active directory ports on the LAN

Updating the Firewall rule to allow Active Directory Services Inbound on TCP ports on the WAN interface

Ref 59: Created the Randomly allocated port used by Active Directory to use inside of TCP_Standard_Outbound

The use of both a main firewall connected to the internet and an internal firewall within a network serves to enhance security through multiple layers of protection. Here’s a breakdown of their roles:

Main Firewall (Perimeter Firewall):

Purpose: Acts as the first line of defense between the external world (the internet) and your internal network. Functions: Traffic Filtering: Monitors and controls incoming and outgoing traffic based on predefined security rules, allowing or blocking traffic based on IP addresses, ports, and protocols. Attack Prevention: Protects against external threats such as DDoS attacks, malware, and unauthorized access attempts. VPN Termination: Often handles VPN connections for remote users or branch offices. Network Address Translation (NAT): Hides internal IP addresses from external entities and translates them into public addresses. Internal Firewall (Internal or Layer 2/3 Firewall):

Purpose: Provides additional security within the internal network, protecting different segments or departments from each other. Functions: Segmenting the Network: Divides the network into segments (e.g., by department, sensitivity level, or function) to limit the spread of threats within the network. Access Control: Enforces policies for traffic between different internal segments, ensuring that only authorized users and devices can communicate across boundaries. Monitoring and Logging: Tracks internal network activity and detects unusual patterns or potential threats that might not be visible to the perimeter firewall. Threat Containment: Helps in isolating compromised systems or preventing lateral movement by attackers within the network. Benefits of This Dual Firewall Approach:

Defense in Depth: By having multiple layers of security, you reduce the risk of a single point of failure. Even if an attacker bypasses the perimeter firewall, the internal firewall can still offer protection. Granular Control: Internal firewalls allow for more precise control of traffic between different segments of your network, which is useful for implementing strict security policies and minimizing risks. Reduced Impact of Breaches: In the event of a security breach, internal firewalls can limit the scope of damage by preventing attackers from easily moving within the network. Compliance and Best Practices: Many regulatory frameworks and security best practices recommend or require the use of multiple layers of firewalls and network segmentation. In summary, the main firewall secures the boundary between the external internet and your internal network, while the internal firewall enhances security within the network, providing additional control and segmentation. This layered approach helps in building a more resilient and secure network infrastructure.

Active Directory Domain Services

Ref 60: DC01 IP Address configuration

Ref 61: DC01 remove ipv6 binding and allow remote management from the firewall

Ref 62: Added DC01 to Server Manager

Ref 63: Install Active Directory DS and DNS Roles

Ref 64: Created a new forest

Promote ot Domain Controller

Ref 65: Removing ipv6 and updating DNS

After successful Installation of ADDS update the ip configuration removing ipv6 and updating DNS

Ref 66: Join the Domain from the WDS01 VM

DNS Configuration

Ref 67: Setup DNS Server REverse Lookup Zones

Install DHCP and WINS ROles and Features

Ref 68: Added DHCP and WINS to DC02

DCHP Configuration

Ref 69: Adding DHCP Scopes for issuing IP Addresses and IP Configurations

Ref 70: DC01 Added IP Address Ranges for all Subnets

Ref 71: Added the Domain namd and DNS Ip Addresses

DC01 Setup WINS Server (Windows Internet Name Service)

Ref 72: WINS Server setup

DC02 Redundant Domain Controller

Ref 73: Added DC02 to Server Manager

Ref 74: Promoting DC02 as a Domain Controller

Installed Active Directory Domain Srevices and DNS Roles at the same times.

Ref 75: DC02 will replicate resources from DC01

Ref 76: Update the forwarders

Ref 77: DC02 DNS Zones were Replicated automatically from DC01

WINS SERVER for DC02

Ref 78: Replicate from DC01 for names and computers

Ref 79: Recored names of connected computers

Ref 80: Active Registrations then click find now - this will be replicated between DC01 and DC02

Ref 81: Showing that we successfully setup two domain controllers for avalability purposes

DHCP Final Setup

Ref 82: Splitting the Scopes of DC01 so that it is a shared resoponsibility between DC01 and DC02 50/50

Ref 83: Setting the Percentage split to 50/50

Ref 84: After the Scopes are Split on DC01 DHCP Server - We need to activate all the scopes on DC02 DHCP Server to have Redundant DHCP

Ref 85: DC02 - Restart the DHCP service and now our scopes are split and activated

The Green check shows it is running and Activated

LANR1-4-6

Ref 86: Make sure the DHCP Relay Agent now has our DC01 and DC02 ip addresses so that if computers need to get IP configurations, The router will send ttheir request to those Servers.

WDS01 Server - GUI

Ref 87: Added a mapped drive to the DC01 and DC02 secret shared Folders \\DC01.giovanni.cspec\C$

SOC Analyst PC - Installing Splunk Enterprise

This is used to monitor the computer logs and investigate suspicious activities.

Ref 88: Download the Splunk Enterprise Free trial from their website

Splunk: https://www.splunk.com/en_us/download/splunk-enterprise.html

Ref 89: Splunk downloaded and installed on the SOC Analyst COmputer on LAN 2

Ref 90: Setop the Receiving Port of 9997

This allows for computers to send logs to this computer using their port of 8089 and we will receive it on port 9997

Ref 91: Settup port 9997 for recieving Logs

Adding Index

Ref 92: Lets create an index to store our logs

This is like a bucket for logs

Ref 93: Create an index called endpoint

Ref 94: the "endpoint" index was successfully created

Open Advanced Firewall Configuration to allow Splunk in and out of the network

Ref 95: Create a "New Rule" and Select Program

This should be done on both the Splunk Server and the Client VMs, so logs are not denied or dropped

Ref 96: Locate Splunk within Program Files

Ref 97: Choose Splunk

Ref 98: Select the Bin (Binary) Folder

this is where the executable files live

Ref 99: Choose "Splunkd.exe"

Ref 100: Confirmation that its this program

Ref 101: Allow the Connection

Ref 102: Apply to all Profiles

Ref 103: Give it a Name "Splunkd Allow Inbound"

For Splunk ports to allow, You can Allow additionally Port 8089

Setup Splunk Universal Forwarders

We will collect our windows logs from PC04 on LAN 3

Ref 104: Download SPlunk Universal Forwarder

Splunk Universal Forwarder: https://www.splunk.com/en_us/download/universal-forwarder.html

Ref 105: The Download is complete on the PC4 Computer

Ref 106: Run the Setup

Then Click "Next"

Ref 107: Add username and Password

Leave the Generate Random Password checked

Ref 108: Set the Deployment Server to IP Address of the SOC Analyst computer

We did not setup a deployment server, But we can Put it for in the future we want to create one.

Ref 109: Set the Receiving Indexer

This is also going to be our Splunk Server

Download Sysmon

Ref 110: Microsoft SysInternals website

Sysmon: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Download Sysmon Config File

Ref 111: Github - Select sysmonconfig.xml

Ref 112: inside the file to see its contents

Ref 113: Select Raw

Ref 114: Right click and Save as

Ref 115: Save it as xml and "Extract all"

Sysmon Config: https://github.com/olafhartong/sysmon-modular

Sysmon Config Raw: https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml

Installing Sysmon

Ref 116: Copy the address

Copy the Address for later on on Powershell

Ref 117:

Installing Sysmon and Specifying a configuration file

cd C:\Users\Administrator.GIOVANNI\Downloads\Sysmon

.\Sysmon64.exe -i ..\sysmonconfig.xml

Now this will install Sysmon for you once you Select "Agree"

Instruct the Splunk forwarder on what we want to send over to our Splunk Server "input.conf"

Ref 118: where to find the input.conf file

** DO NOT EDIT the "input.conf" File under Defaults

Ref 119: input.conf

You could copy this file but we will create a new file

Open "Notepad" with administrative privileges

Save the file as "input.conf"

Ref 120: Save the File with the Events to forward configurations

Instructing SPlunk Forwarders to push Events relating to "Application", "Security", "System" and "Sysmon"

This will be in the Endpoint index

** "Remember to Save" **

[WinEventLog://Application]

index = endpoint

disabled = false

[WinEventLog://Security]

index = endpoint

disabled = false

[WinEventLog://System]

index = endpoint

disabled = false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]

index = endpoint

disabled = false

renderXml = true

source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Splunk Log on as

Ref 121: Go to properties to change the Log on as Field

Ref 122: NT Service

with this login - Splunk might not be able to collect logs, due to some of the permissions

Ref 123: Select "Local System Account" and then Select "Apply"

The new logon wont take into effect until we restart the Splunk Service

This is what we will do because we also updated our "inputs.conf" file

Ref 124: Now the Splunk service will log on as "Local System". This is exactly what we want

Splunk Stop and Start

Ref 125: Stop the Splunk Service

Restarting the Service seems to be getting an error. So Select Stop

Ref 126: Start the Splunk Service

Sysmon and Splunk Universal Forwarder Running and pushing logs

Ref 127: Both services are running

Splunk Server

Now its time to see our VM logs

Ref 128: Log into the Soc Analyst Splunk Server

Remember we've created the index "endpoint" earlier. Now all of the events are being sent over to that index

Click "Search"

Ref 129: Out PC4 is Pushing Events to our SOC Analyst Splunk Enterprise Server

Ref 130: Setting Add Data

Ref 131: Select forwarders

Ref 132: Our Computers are here

Ref 133: Enable Forward Monitoring

Installing Suricata

Ref 134: Installed suricata from the Package Manager page

Ref 135: Suricata 7.0.6 installation complete

Ref 136: Setting up Suricata Global Settings Part 1

Ref 137: Setting up Suricata Global Settings Part 2

Ref 138: Configure Suricata Global settings Part 3 - Create a Maxmind account

Ref 139: Configure Suricata Global settings Part 4 - Generate a new Maxmind license key

Ref 140: Configure Suricata Global settings Part 5 - Confirm the Generation of new license key

Ref 141: Configure Suricata Global settings Part 5 - Add the Maxmind License Key and Account ID to Suricata

Ref 142: Configure Suricata Global settings Part 5 - Save Global Setting

Ref 143: Configure Suricata Global settings Part 5

If you get errors, Uncheck this "Install snort rules" check box. This requires snort signup.

Ref 144: Update Suricata

Update Suricata rules to pull the signature data onto your instance of Suricata.

Ref 145: Create WAN Interface and Settings

Ref 146: Create WAN Interface and Settings - Part 2

Ref 147: Create WAN Interface and Settings - Part 3 - Save the Settings

Ref 148: Create WAN Interface and Catagories

Then Save the Settings

Ref 149: Start suricata for on the WAN Interface

Ref 150: Create LAN Interface and Settings

Create LAN interface - Use the Same settings except do not check "Block offenders"

Ref 151: Create LAN Interface and Catagories

Ref 115: Start suricata for on the LAN Interface

Ref 116: To verify that Suricata is working,

Notice that I was actually on my WDS01 to configure everything so far, But Now I am on the PC4 as the WDS01 HTTP was Blocked by Suricata

Ref 118: To take someone off the Block list - Click the x button

About

No description, website, or topics provided.

Resources

Stars

1 star

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors