Assessment 1 Tips - jwells24/Tech-Journal GitHub Wiki

Assessment Description

  • For the assessment you will be given a three-zone network to configure, consisting of the following systems:
  • traveler: a WAN-based road-warrior user running Windows 10 (this replaces the Linux rw01).
  • edge01: a VyOS firewall with three interfaces (WAN, DMZ, LAN). You will need to add the third interface using vCenter (this replaces fw01).
  • nginx01: a DMZ-based nginx web server running Ubuntu (this replaces web01 and apache).
  • dhcp01: a LAN-based DHCP server running Ubuntu.

Requirements

  • All systems should have an accurate hostname.
  • All Linux systems should have a named sudo or administrator user.
  • The two new Ubuntu systems do not have a host firewall enabled; this is OK (for now).
  • wks1 and mgmt01 should be able to surf the internet.
  • wks1 and mgmt01 should be able to navigate to nginx01 in a browser.
  • mgmt01 should be able to ssh to nginx01
  • nginx01 should be able to ping log01
  • nginx01 and dhcp01 should log auth, authpriv and user facility events to log01/graylog.
  • nginx01 should have a custom web page (practice this on jump)
  • traveler should be able to reach nginx01's custom test page by browsing to edge01's WAN IP address (a destination NAT / port-forward rule on edge01).
  • dhcp01 must log DHCP events to graylog. This will require research before the assessment. You did a DHCP server in SYS255. Here is a great document for installing it on Ubuntu.
  • traveler should be able to perform SSH key-based authentication to jump. traveler is a Windows box, but OpenSSH in PowerShell is nearly identical to Linux, including key generation with ssh-keygen. Windows has no ssh-copy-id, so the public key has to be appended to ~/.ssh/authorized_keys on jump by hand.
  • dhcp01 should serve a pool of DHCP addresses to the LAN from .100 to .150. wks1 should get its address from DHCP.
  • edge01 should log kernel events (the firewall deny messages) to graylog.
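The logging and DHCP requirements above for the two Ubuntu hosts come down to two config files. The script below is an added example written for this page, not part of the original wiki or the course material: it generates the rsyslog forwarding fragment (auth, authpriv and user, plus local7 so dhcp01's DHCP events ride along) and an isc-dhcp-server dhcpd.conf with the .100 to .150 pool, and validates both before restarting the services. The addresses, the graylog input port and the interface name are placeholders, not values from the page: log01 is assumed to be 10.0.5.10 with a Syslog TCP input on 1514, the LAN is assumed to be 10.0.5.0/24 with edge01 at 10.0.5.2, and dhcp01's LAN NIC is assumed to be ens160.

```shell
#!/usr/bin/env bash
# Added example (not from the original wiki page). Generates the rsyslog
# forwarding rule and dhcpd.conf for nginx01 / dhcp01.
# ASSUMED placeholders (not from the page): log01=10.0.5.10 with a graylog
# Syslog TCP input on 1514; LAN 10.0.5.0/24, edge01 LAN side 10.0.5.2;
# dhcp01's LAN NIC is ens160.
set -eu

LOG01="${LOG01:-10.0.5.10}"
GRAYLOG_PORT="${GRAYLOG_PORT:-1514}"

# Fragment for /etc/rsyslog.d/60-graylog.conf. '@@' forwards over TCP, a
# single '@' would be UDP. local7 is where dhcpd is told to log (below), so
# DHCP events are forwarded without shipping all of daemon.*.
rsyslog_conf() {
  target="@@${1}:${2}"
  cat <<EOF
# forward to log01/graylog
auth,authpriv.*  ${target}
user.*           ${target}
local7.*         ${target}
EOF
}

# dhcpd.conf: pool first..last on the LAN, logging to local7.
dhcpd_conf() {
  net="$1"; mask="$2"; gw="$3"; first="$4"; last="$5"
  cat <<EOF
authoritative;
log-facility local7;
default-lease-time 600;
max-lease-time 7200;
subnet ${net} netmask ${mask} {
  range ${first} ${last};
  option routers ${gw};
  option domain-name-servers ${gw};
}
EOF
}

# Guard against a typo in the pool: same /24, last octets exactly 100..150.
pool_is_required_range() {
  [ "${1##*.}" = "100" ] && [ "${2##*.}" = "150" ] && [ "${1%.*}" = "${2%.*}" ]
}

# Apply steps need root and only run when asked for explicitly.
apply_logging() {
  rsyslog_conf "$LOG01" "$GRAYLOG_PORT" > /etc/rsyslog.d/60-graylog.conf
  rsyslogd -N1                      # validate the config before restarting
  systemctl restart rsyslog
  logger -p auth.notice "graylog test from $(hostname)"   # look for this in graylog
}

apply_dhcp() {
  pool_is_required_range 10.0.5.100 10.0.5.150
  dhcpd_conf 10.0.5.0 255.255.255.0 10.0.5.2 10.0.5.100 10.0.5.150 > /etc/dhcp/dhcpd.conf
  echo 'INTERFACESv4="ens160"' > /etc/default/isc-dhcp-server
  dhcpd -t -cf /etc/dhcp/dhcpd.conf # syntax check before restarting
  systemctl restart isc-dhcp-server
}

case "${1:-}" in
  logging) apply_logging ;;
  dhcp)    apply_logging; apply_dhcp ;;
  *)       rsyslog_conf "$LOG01" "$GRAYLOG_PORT"; echo
           dhcpd_conf 10.0.5.0 255.255.255.0 10.0.5.2 10.0.5.100 10.0.5.150 ;;
esac
```

Run it with no argument to print both files for inspection, `logging` on nginx01, and `dhcp` on dhcp01. The `rsyslogd -N1` and `dhcpd -t` checks catch a bad edit before the restart takes the service down, which is exactly the failure mode the "restart any service you touched" hint is about.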

Hints

  • You do not need to work serially through this assessment, it is the end result that matters. If you are waiting for a reboot on traveler, then start configuring your other servers.
  • Get all communications working BEFORE creating zones and locking down the firewalls. It's terribly difficult to debug both services and network firewalls at the same time.
  • Make sure to bind each firewall ruleset to the correct from and to zone pair in zone-policy. With zone-based firewalling, traffic between two zones that have no ruleset bound between them is dropped, so a missing binding looks exactly like a missing rule.
  • Make sure you have the correct netmask on all Linux systems.
  • Use the --permanent flag on firewalld (CentOS) changes and reload afterwards: without --permanent the rule disappears at the next reload or reboot, and with --permanent alone the rule is not active until you reload.
  • Restart any service if you touch a configuration file (network, nginx, rsyslog, etc…).
  • Make sure you include the appropriate vsphere label on all deliverables where your name is not obvious in the console.
  • Check every VM's network settings to make sure they are on the correct segment.
  • Don't forget to look at /var/log/messages to debug firewall issues on CentOS (Ubuntu logs to /var/log/syslog; on VyOS use show log).
  • Do not try to use the default gateway address 10.0.17.2 as your WAN interface IP address as this will cause problems for other students and might be embarrassing.
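The zone hint above is easiest to get right by generating the VyOS commands rather than typing them: every ordered zone pair that should carry traffic needs its own ruleset and its own zone-policy binding. The script below is an added example for this page, not from the original wiki or the course, and it assumes VyOS 1.2/1.3 syntax and placeholder names and addresses that the page does not give: eth0 is WAN, eth1 is DMZ, eth2 is LAN, nginx01 is 10.0.6.10 and log01 is 10.0.5.10. It emits the six per-pair rulesets (drop by default, log the drop so it reaches graylog via the kern facility, accept established/related replies), the WAN-to-nginx01 port forward from the traveler requirement, and the kernel log forwarding from the edge01 requirement; the remaining per-pair accept rules (LAN to WAN, LAN to DMZ http/ssh, DMZ to LAN icmp/syslog) follow the same pattern as rule 10 in WAN-to-DMZ.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Emits VyOS 1.2/1.3
# configure-mode commands for edge01; paste the output into 'configure',
# then 'commit' and 'save'.
# ASSUMED (not given on the page): eth0=WAN, eth1=DMZ, eth2=LAN,
# nginx01=10.0.6.10, log01=10.0.5.10.
set -eu

ZONES="WAN DMZ LAN"
NGINX01="${NGINX01:-10.0.6.10}"
LOG01="${LOG01:-10.0.5.10}"

# Interface that belongs to each zone.
zone_iface() {
  case "$1" in
    WAN) echo eth0 ;; DMZ) echo eth1 ;; LAN) echo eth2 ;;
    *) echo "unknown zone $1" >&2; return 1 ;;
  esac
}

# One ruleset per ordered (from,to) pair plus the binding line. Zone-policy
# drops anything between two zones with no ruleset bound, so both are needed.
# enable-default-log makes the default drop log at kern facility, which is
# what the "edge01 logs firewall denies to graylog" requirement relies on.
zone_rulesets() {
  for from in $ZONES; do
    for to in $ZONES; do
      [ "$from" = "$to" ] && continue
      name="${from}-to-${to}"
      echo "set firewall name $name default-action drop"
      echo "set firewall name $name enable-default-log"
      echo "set firewall name $name rule 1 action accept"
      echo "set firewall name $name rule 1 state established enable"
      echo "set firewall name $name rule 1 state related enable"
      echo "set zone-policy zone $to from $from firewall name $name"
    done
  done
  for to in $ZONES; do
    echo "set zone-policy zone $to interface $(zone_iface "$to")"
  done
}

# traveler -> edge01 WAN address -> nginx01. DNAT happens before the zone
# filter, so the WAN-to-DMZ accept rule must match the translated DMZ
# address of nginx01, not edge01's WAN address.
wan_to_nginx() {
  cat <<EOF
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 80
set nat destination rule 10 translation address ${NGINX01}
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 protocol tcp
set firewall name WAN-to-DMZ rule 10 destination address ${NGINX01}
set firewall name WAN-to-DMZ rule 10 destination port 80
EOF
}

# Ship kernel (firewall drop) messages to log01/graylog.
kern_to_log01() {
  echo "set system syslog host ${LOG01} facility kern level info"
}

# Number of zone-policy bindings emitted; three zones must give 3*2 = 6.
binding_count() {
  zone_rulesets | grep -c '^set zone-policy zone .* from .* firewall name'
}

zone_rulesets
wan_to_nginx
kern_to_log01
```

After commit, `show log` (or `show log firewall name WAN-to-DMZ`) on edge01 shows the logged drops, and the same lines should appear in graylog once the syslog host line is committed. Do this only after the "get all communications working first" step: once the zone policy is committed, anything you forgot a rule for is silently dropped and logged rather than failing with an obvious error.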