Friday, February 9, 2018

My Cybersecurity Virtual Lab

I started learning network security when I took my CCNA Security back in 2012 and had various vendor certs like Check Point and Palo Alto. It's time for me to bring that knowledge and skills into the next level of Cybersecurity.

I'll take up first the CompTIA CySA+ in order to renew my Security+ (extend for another 3 years) and while waiting for my CCNA Cyber Ops cohort to start. Aside from doing the labs, which is very essential, I'm reading two study guides by Chapple (Sybex) and McMillan (Pearson). I'm also watching the training videos from CBT Nuggets by Keith Barker which have five parts:
  • Threat Management
  • Vulnerability Management
  • Cyber Incident Response
  • Security Architecture
  • Cybersecurity Tools and Technology
To help me prepare, I've replaced my Dell PowerEdge 1950 Server with an Intel NUC so I could save power and rack space (it also looks cute). It has one LAN port, a built-in wifi, two USB ports, a 19v DC input and a mini HDMI port.


This is the logical diagram for that I've used for my virtual lab. I run in GNS3 a Cisco 7200 router, an ASA 8.4 firewall, an IOU Layer 2 switch and a mix of Linux and Windows clients running in VirtualBox.


Below are the configurations for the Cisco devices. I'll share the setup for the Linux clients and Windows 2012 Server on succeeding posts.


Cisco 7200 IOS Router

R1#show run
Building configuration...
Current configuration : 1561 bytes
!
! Last configuration change at 10:03:25 UTC Thu Feb 1 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable password cisco
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
username admin privilege 15 password 0 cisco
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description ### WAN ###
 ip address 192.168.137.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/1
 description ### LAN ###
 ip address 200.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.137.1
ip route 192.168.1.0 255.255.255.0 200.1.1.2
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 200.1.1.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 password cisco
 login
 transport input all
!
!
end


Cisco ASA Firewall

ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 200.1.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
banner login ### ASA FW ###
ftp mode passive
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
object network IDENTITY_NAT
 subnet 192.168.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE_LAN
 nat (inside,outside) static IDENTITY_NAT
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 1440
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end


Cisco IOU Layer 2 Switch

SW1#show run
Building configuration...
Current configuration : 1931 bytes
!
! Last configuration change at 01:00:45 UTC Sat Feb 3 2018
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
enable password cisco
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
!
!
no ip domain-lookup
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 duplex auto
!
interface Ethernet0/1
 duplex auto
!
interface Ethernet0/2
 duplex auto
!
interface Ethernet0/3
 duplex auto
!
interface Ethernet1/0
 duplex auto
!
interface Ethernet1/1
 description ### ASA FW - INSIDE ###
 duplex auto
!
interface Ethernet1/2
 description ### R2 - 192.168.1.3 ###
 duplex auto
!
interface Ethernet1/3
 description ### WIN PC - 192.168.1.50 ###
 duplex auto
!
interface Ethernet2/0
 description ### UBUNTU LINUX ###
 duplex auto
!
interface Ethernet2/1
 description ### METASPLOITABLE LINUX ###
 duplex auto
!
interface Ethernet2/2
 description ### KALI LINUX ###
 duplex auto
!
interface Ethernet2/3
 description ### WIN 2012 ###
 duplex auto
!
interface Ethernet3/0
 duplex auto
!
interface Ethernet3/1
 duplex auto
!
interface Ethernet3/2
 duplex auto
!
interface Ethernet3/3
 duplex auto
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
!
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
!
end

Saturday, February 3, 2018

Cisco NetAcad Free Cybersecurity and Linux Courses

Cisco Networking Academy (NetAcad) has launched free courses on various IT domains such as Cybersecurity, Linux, IoT, etc. It aims to fill in the knowledge gap (and the lack of) for Cybersecurity professionals.


I've enrolled in the Intro to Cybersecurity and Linux Unhatched courses as a precursor for my CCNA Cyber Ops. I was lucky to be chosen in the Cisco's Global Cybersecurity Scholarship Program.


You'll get a Certificate of Completion after successfully taking the final exam (up to 3 takes) and completing the course feedback.


The Linux Unhatched course is pretty basic and it has an Ubuntu Linux Virtual Machine that you can play around.


Since I was so engaged with the free courses I was also able to complete the Cybersecurity Essentials course within a short period of time.