# Lab 3.1 Segmentation (savannahc502/SavC-TechJournal-SEC350 GitHub Wiki)

## Pre-Lab Architecture
In this lab, I am going to segment the network by adding a new firewall and a new network (MGMT). The log01 server will be retired and replaced with a new server on the MGMT network.
## Step 1: Configure WKS01

wks01-savannah will be a Windows 10 VM that represents a typical client in the internal LAN (SEC-350-LAN). I set the LAN interface on fw01-savannah last week. Basic setup:

- Network adapter on the LAN
- Create a named user (savannah) and add them to the local Administrators group:
  - `lusrmgr.msc` (Account System Settings) > Users > Add New User (savannah) > Password Never Expires
  - Properties > Member Of > Add > Administrators > Apply
- Change the hostname to wks01-savannah:
  - View PC Name > Rename this PC > Reboot
- Static IP configuration (Control Panel > Network and Internet > Network and Sharing Center > Ethernet 0 Properties > IPv4 Properties > Internet Protocol Version 4):
  - IP Address: 172.16.150.50
  - Netmask: 255.255.255.0
  - Gateway: 172.16.150.2
  - DNS: 172.16.150.2
### Deliverable 1
## Step 2: Update fw01 - LAN Configuration

In week 1 I created NAT source rule 10 for the DMZ. In week 2, I created a new NAT source rule 20 for the LAN. In this lab, I need to create source rule 30 for NAT from MGMT to WAN. On fw01-savannah:

```
configure
set nat source rule 30 description "NAT FROM MGMT to WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set nat source rule 30 translation address masquerade
commit
save
set service dns forwarding listen-address 172.16.200.2
```
### Deliverable 2

- wks01-savannah should be able to access the web server that is in the DMZ zone.
## Step 3: Configure fw-mgmt

Refer to the network diagram at the start of the lab documentation to understand the importance of setting up this firewall. Originally, there was a single mgmt VM on the LAN. Now, I want to have a second firewall (fw-mgmt-savannah) to separate the main LAN production network from the systems used by administrators to manage this network (mgmt02-savannah and wazuh).

Configure the interfaces as below on fw-mgmt-savannah. Refer to the VyOS Commands Documentation for setup:

- Change the VyOS default password
- Set the hostname: `fw-mgmt-savannah`
- If a DHCP configuration exists when `show interfaces` is run, delete it
- Set a description and IP address on each interface:
  - eth0: LAN - 172.16.150.3/24
  - eth1: MGMT - 172.16.200.2/28
- Run `show interfaces` to confirm the changes
### DNS and Static Routing

Set the following:

- gateway next-hop (static route)
- name server to your fw01's LAN interface address (172.16.150.2)
- DNS forwarding such that requests are allowed from your management subnet and management interface

```
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2
set system name-server 172.16.150.2
set service dns forwarding listen-address 172.16.200.2
set service dns forwarding allow-from 172.16.200.0/28
set service dns forwarding system
commit
save
```
## Step 4: Configure mgmt02

mgmt02 is the Windows server that will be placed on the management segment.

- Management network adapter
- IP Address: 172.16.200.11
- Netmask: 255.255.255.240
- Gateway: 172.16.200.2
- DNS: 172.16.200.2
- Hostname: mgmt02-savannah
- Change the default password
- Privileged account (savannah)
## Step 5: RIP on FW1 and FW-MGMT

Rather than double NAT from MGMT to LAN and LAN to WAN, we will implement RIP, which will greatly simplify the routing from MGMT to LAN. It will also increase our visibility for sensors outside of the MGMT network.

- We are going to configure fw1 and fw-mgmt in such a way that they know of each other's attached networks.

On fw01, enable RIP on eth2 (LAN) and advertise the DMZ network:

```
set protocols rip interface eth2
set protocols rip network 172.16.50.0/29
```

On fw-mgmt, enable RIP on eth0 (LAN) and advertise the MGMT network:

```
set protocols rip interface eth0
set protocols rip network '172.16.200.0/28'
```

On fw01, you should have already allowed NAT traffic from the MGMT network (rule 30). On fw-mgmt01:

```
set nat source rule 30 description "MGMT-LAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set nat source rule 30 translation address masquerade
set service dns forwarding allow-from 172.16.200.0/28
set system name-server 172.16.150.2
```
### Deliverable 3

- Ping from mgmt02 to champlain.edu to show that the firewalls have been configured properly and DNS requests are able to leave the segmented networks.
## Step 6: Shutdown log01-savannah

Since we will set up the Wazuh server on the jump box, we no longer need log01-savannah. Turn it off.
## Step 7: Configure jump01-savannah for Wazuh

In the next lab, we will install Wazuh on the jump box. This step configures the box on the SEC350-MGMT network.

- Set the network adapter to the management segment
- Boot up the box (will take a bit)
- Change the default password
- Create a named sudo user

IP information:

- IP: 172.16.200.10/28
- Gateway: 172.16.200.2
- DNS: 172.16.200.2
- Hostname: wazuh-savannah
Use the netplan file linked here to set up the IP information above:

```
cd /etc/netplan
vi 00-installer-config.yaml
sudo netplan apply
sudo hostnamectl set-hostname wazuh-savannah
```
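The following is an added example, not the netplan file the lab links: a shell function that writes the static IP configuration for wazuh-savannah listed above. It assumes the interface name is ens160 (check `ip link` on your box) and the networkd renderer that the Ubuntu Server installer uses.

```shell
# Added example (not the lab's linked file): write the netplan config for
# wazuh-savannah from the IP information above.
# Assumptions: interface ens160 (Ubuntu's usual name for a VMware NIC) and the
# networkd renderer. Usage: write_netplan [iface] [outfile]; then
# run netplan apply.
write_netplan() {
  iface="${1:-ens160}"
  out="${2:-/etc/netplan/00-installer-config.yaml}"
  cat > "$out" <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    ${iface}:
      dhcp4: false                 # static addressing on the MGMT segment
      addresses:
        - 172.16.200.10/28         # /28 = netmask 255.255.255.240
      routes:
        - to: 0.0.0.0/0            # default route via fw-mgmt's MGMT interface
          via: 172.16.200.2
      nameservers:
        addresses:
          - 172.16.200.2           # fw-mgmt forwards DNS on to fw01
EOF
  # Newer netplan releases warn when the file is world-readable; tighten it.
  chmod 600 "$out" 2>/dev/null || true
}
```

Running `sudo netplan try` before `sudo netplan apply` gives you a timed rollback if the address or gateway is wrong, which matters on a box you only reach over the network.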
### Deliverable 4

- Reboot wazuh-savannah so the hostname shows up, and then show off the configuration via ping.
## Step 8: Update client logging configurations

> [!NOTE]
> fw01 and web01 have stale syslog configurations because we have decommissioned log01. Remove those log forwarding settings from the VyOS syslog configuration and the web01 client configuration. In the near future, our Wazuh agents will forward specific messages (instead of all of them).

On web01, remove your rsyslog drop-in configuration from /etc/rsyslog.d:

```
cd /etc/rsyslog.d
rm sec350.conf
```

On fw1, remove the syslog host 172.16.50.5 setting from the configuration:

```
configure
delete system syslog host 172.16.50.5
commit
save
```
### Deliverable 5

On mgmt1, provide a screenshot similar to the one below showing:

- ssh from mgmt1 on the LAN to wazuh on MGMT
- another ping to google
- traceroute to champlain.edu with 4 hops
### Deliverable 6

- Show a ping from web01 to wazuh.
### Deliverable 7

Export the firewall configurations at the end of week 3 for fw-mgmt and fw1. The following command line will provide the most usable format. Provide screenshots or links to your firewall configurations in GitHub.

```
show configuration commands | grep -v "syslog global\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack" >> output.txt
less output.txt
```
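As an added example (not part of the lab), the shell function below audits the output.txt exported above for either firewall: it checks that the NAT and RIP pieces from Steps 2, 3 and 5 are present and that the stale log01 syslog target removed in Step 8 is really gone. It assumes VyOS single-quotes leaf values in `show configuration commands` output (tag values such as `rule 30` are unquoted) and accepts both forms.

```shell
# Added example, not part of the lab: audit an exported VyOS config
# (output.txt from Deliverable 7) for the segmentation settings of this lab.
# Assumes leaf values are single-quoted as `show configuration commands`
# emits them; unquoted values are accepted too.
# Usage: audit_fw_export <fw01|fw-mgmt> output.txt   (exit 0 = all checks pass)

# Helpers; they use the role/file/rc variables set by audit_fw_export.
must_have() {      # must_have <description> <ERE>: flag if no line matches
  grep -Eq "$2" "$file" || { echo "MISSING ($role): $1"; rc=1; }
}
must_not_have() {  # must_not_have <description> <ERE>: flag if a line matches
  ! grep -Eq "$2" "$file" || { echo "STALE ($role): $1"; rc=1; }
}

audit_fw_export() {
  role="$1"; file="$2"; rc=0
  [ -r "$file" ] || { echo "cannot read $file"; return 2; }

  # Step 5: each firewall advertises its own attached network over RIP
  case "$role" in
    fw01)    rip_net='172\.16\.50\.0/29' ;;   # DMZ, advertised on eth2 (LAN)
    fw-mgmt) rip_net='172\.16\.200\.0/28' ;;  # MGMT, advertised on eth0 (LAN)
    *) echo "unknown role: $role (use fw01 or fw-mgmt)"; return 2 ;;
  esac

  # Steps 2 and 5: source NAT rule 30 masquerades the MGMT subnet on both
  must_have "NAT rule 30 source address 172.16.200.0/28" \
    "^set nat source rule 30 source address '?172\.16\.200\.0/28'?$"
  must_have "NAT rule 30 translation masquerade" \
    "^set nat source rule 30 translation address '?masquerade'?$"
  must_have "RIP network $rip_net" \
    "^set protocols rip network '?${rip_net}'?$"
  # Step 3: fw-mgmt must accept DNS forwarding requests from the MGMT subnet
  [ "$role" = fw-mgmt ] && must_have "DNS forwarding allow-from MGMT subnet" \
    "^set service dns forwarding allow-from '?172\.16\.200\.0/28'?$"
  # Step 8: log01 (172.16.50.5) is retired; no syslog host may still point at it
  must_not_have "syslog host 172.16.50.5 (log01) still configured" \
    "^set system syslog host '?172\.16\.50\.5'?( |$)"

  [ "$rc" -eq 0 ] && echo "OK ($role): $file passes all checks"
  return "$rc"
}
```

Run it against each firewall's export before you commit the files to GitHub; a MISSING or STALE line tells you which step to revisit.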