I started learning network security when I took my CCNA Security back in 2012, and I have since picked up various vendor certs such as Check Point and Palo Alto. It's time for me to take that knowledge and those skills to the next level in cybersecurity.
I'll take up the CompTIA CySA+ first, in order to renew my Security+ (extend it for another 3 years) while waiting for my CCNA Cyber Ops cohort to start. Aside from doing the labs, which are essential, I'm reading two study guides, by Chapple (Sybex) and McMillan (Pearson). I'm also watching the CBT Nuggets training videos by Keith Barker, which have five parts:
- Threat Management
- Vulnerability Management
- Cyber Incident Response
- Security Architecture
- Cybersecurity Tools and Technology
This is the logical diagram I've used for my virtual lab. In GNS3 I run a Cisco 7200 router, an ASA 8.4 firewall and an IOU Layer 2 switch, plus a mix of Linux and Windows clients running in VirtualBox.
Below are the configurations for the Cisco devices. I'll share the setup for the Linux clients and the Windows 2012 Server in succeeding posts.
Cisco 7200 IOS Router
R1#show run
Building configuration...
Current configuration : 1561 bytes
!
! Last configuration change at 10:03:25 UTC Thu Feb 1 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
username admin privilege 15 password 0 cisco
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description ### WAN ###
ip address 192.168.137.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex half
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
description ### LAN ###
ip address 200.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.137.1
ip route 192.168.1.0 255.255.255.0 200.1.1.2
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 200.1.1.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
password cisco
login
transport input all
!
!
end
Cisco ASA Firewall
ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.1.1.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
banner login ### ASA FW ###
ftp mode passive
object network INSIDE_LAN
subnet 192.168.1.0 255.255.255.0
object network IDENTITY_NAT
subnet 192.168.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE_LAN
nat (inside,outside) static IDENTITY_NAT
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 1440
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
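A small added example (my own illustration, not part of the original post or Cisco's tooling) of how the ASA's OUTSIDE-IN policy above behaves for unsolicited traffic arriving on the outside interface. The ACL permits only ICMP echo, time-exceeded and unreachable toward 192.168.1.0/24 and then hits the ASA's implicit deny; the identity NAT keeps inside addresses unchanged, which is why R1 needs its static route for 192.168.1.0/24 via 200.1.1.2. The script parses the three ACEs as pasted in the config and evaluates constructed probe packets against them. It models the ACL only: return traffic for sessions opened from the inside is passed by the ASA's stateful inspection (including ICMP, thanks to `inspect icmp`), which is outside this check. The probe addresses and the 192.168.1.50 target are taken from the switch port descriptions and name-server line above, not from any real traffic.

```python
"""Evaluate unsolicited inbound packets against the ASA's OUTSIDE-IN ACL."""
import ipaddress
from collections import namedtuple

# The three ACEs from the ASA config above, as a constructed input string.
OUTSIDE_IN = """\
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
"""

Ace = namedtuple("Ace", "name action proto src dst qualifier")


def _network(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [qualifier]' lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        rest = tok[5:]
        src, dst = _network(rest), _network(rest)
        # For ICMP the trailing token is the ICMP type name; absent means any type.
        aces.append(Ace(tok[1], tok[3], tok[4], src, dst, rest[0] if rest else None))
    return aces


def evaluate(aces, proto, src, dst, qualifier=None):
    """First-match lookup with the ASA's implicit deny; returns (verdict, ace)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.qualifier is not None and ace.qualifier != qualifier:
            continue
        return ace.action, ace
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(OUTSIDE_IN)
    # Constructed probes from an outside host toward the Windows PC at 192.168.1.50.
    for probe in (("icmp", "8.8.8.8", "192.168.1.50", "echo"),
                  ("icmp", "8.8.8.8", "192.168.1.50", "echo-reply"),
                  ("tcp", "8.8.8.8", "192.168.1.50", None)):
        verdict, ace = evaluate(acl, *probe)
        print(probe, "->", verdict, "" if ace is None else f"(matched {ace.qualifier})")
```

Running it shows an inbound echo to 192.168.1.50 permitted, while an inbound echo-reply and any TCP probe fall through to the implicit deny; that is exactly the behaviour a defender wants to confirm before pointing Kali at the inside hosts from the outside segment.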
Cisco IOU Layer 2 Switch
SW1#show run
Building configuration...
Current configuration : 1931 bytes
!
! Last configuration change at 01:00:45 UTC Sat Feb 3 2018
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
enable password cisco
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
!
!
no ip domain-lookup
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
duplex auto
!
interface Ethernet0/1
duplex auto
!
interface Ethernet0/2
duplex auto
!
interface Ethernet0/3
duplex auto
!
interface Ethernet1/0
duplex auto
!
interface Ethernet1/1
description ### ASA FW - INSIDE ###
duplex auto
!
interface Ethernet1/2
description ### R2 - 192.168.1.3 ###
duplex auto
!
interface Ethernet1/3
description ### WIN PC - 192.168.1.50 ###
duplex auto
!
interface Ethernet2/0
description ### UBUNTU LINUX ###
duplex auto
!
interface Ethernet2/1
description ### METASPLOITABLE LINUX ###
duplex auto
!
interface Ethernet2/2
description ### KALI LINUX ###
duplex auto
!
interface Ethernet2/3
description ### WIN 2012 ###
duplex auto
!
interface Ethernet3/0
duplex auto
!
interface Ethernet3/1
duplex auto
!
interface Ethernet3/2
duplex auto
!
interface Ethernet3/3
duplex auto
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
!
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
!
end
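The three configs are fine for an isolated GNS3 lab, but they also make a good audit target for the "Security Architecture" and "Cybersecurity Tools" parts of the CySA+ material: cleartext `enable password` and `username ... password 0`, `no service password-encryption`, `no aaa new-model`, `exec-timeout 0 0`, `transport input all` on the vty lines, telnet management on the ASA, and the ASA's `enable password`/`passwd` still set to the well-known hash of the factory-default blank password. Below is an added example, written for this post rather than taken from it or from any Cisco tool, of a script that scans pasted `show run` output for those management-plane weaknesses. The config excerpts inside it are constructed from the R1 and ASA dumps above; the checks and severities are my own choices.

```python
"""Audit pasted Cisco IOS / ASA running-configs for weak management-plane settings."""
import re
from collections import namedtuple

# Constructed excerpts of the R1 and ASA configs above (not the full dumps).
R1_CONFIG = """\
no service password-encryption
enable password cisco
no aaa new-model
username admin privilege 15 password 0 cisco
line con 0
exec-timeout 0 0
line vty 0 4
password cisco
login
transport input all
!
end
"""
ASA_CONFIG = """\
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 1440
ssh timeout 5
"""
ASA_DEFAULT_HASH = "2KFQnbNIdI.2KYOU"  # hash an ASA stores for the factory-default (blank) password

Finding = namedtuple("Finding", "device severity message")  # severity: high | medium | low


def _lines(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def _line_sections(lines):
    # Group 'line con/aux/vty' sub-commands without relying on indentation,
    # which 'show run' output pasted into a post usually loses.
    header, body = None, []
    for s in lines:
        if s.startswith("line "):
            if header:
                yield header, body
            header, body = s, []
        elif header and s in ("!", "end"):
            yield header, body
            header, body = None, []
        elif header:
            body.append(s)
    if header:
        yield header, body


def audit_ios(device, text):
    """Findings for an IOS router/switch config, in config order."""
    lines, out = _lines(text), []
    add = lambda sev, msg: out.append(Finding(device, sev, msg))
    if "no service password-encryption" in lines:
        add("high", "no service password-encryption: line/enable passwords stored in cleartext")
    for s in lines:
        if s.startswith("enable password "):
            add("high", "enable password used instead of enable secret")
        m = re.match(r"username (\S+) .*\bpassword (?:0 )?\S+$", s)
        if m and not re.search(r"\bpassword [57] ", s):
            add("high", f"username {m.group(1)} has a type-0 (cleartext) password")
    if "no aaa new-model" in lines:
        add("medium", "no aaa new-model: logins use shared line passwords, no per-user accounting")
    for header, body in _line_sections(lines):
        if "exec-timeout 0 0" in body:
            add("medium", f"{header}: exec-timeout 0 0 never closes idle sessions")
        if header.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input ")]
            if not transport:
                add("medium", f"{header}: no explicit 'transport input ssh' (platform default applies)")
            elif any(t.split()[2] in ("all", "telnet") for t in transport):
                add("high", f"{header}: '{transport[0]}' permits cleartext telnet management")
            if "login" in body:
                add("medium", f"{header}: 'login' with a line password; prefer 'login local' or AAA")
    return out


def audit_asa(device, text):
    """Findings for an ASA config, in config order."""
    lines, out = _lines(text), []
    add = lambda sev, msg: out.append(Finding(device, sev, msg))
    for s in lines:
        if s.startswith(("enable password ", "passwd ")) and ASA_DEFAULT_HASH in s:
            add("high", f"{s.split()[0]}: factory default (blank) password still in use")
        m = re.match(r"telnet (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", s)
        if m:
            add("high", f"telnet management enabled from {m.group(1)}/{m.group(2)} on {m.group(3)}")
        m = re.match(r"telnet timeout (\d+)$", s)
        if m and int(m.group(1)) > 5:
            add("low", f"telnet timeout {m.group(1)} min is far above the 5 min default")
    if not any(re.match(r"ssh \d+\.\d+\.\d+\.\d+ ", s) for s in lines):
        add("medium", "no 'ssh <net> <mask> <if>' statement: encrypted management access not configured")
    return out


if __name__ == "__main__":
    for f in audit_ios("R1", R1_CONFIG) + audit_asa("ciscoasa", ASA_CONFIG):
        print(f"{f.device:9} {f.severity:6} {f.message}")
```

Feed it the full dumps (or SW1, which trips the same password and timeout checks and has no `transport input` on its vty lines at all) and the high findings are the ones to clear first if this lab is ever bridged to a real network: `enable secret`, `service password-encryption`, `login local` with `transport input ssh`, and on the ASA an `ssh` statement in place of `telnet` plus a real enable password.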