Friday, April 5, 2019

Web Proxy Server Using Proxy Workbench and ProxySwitcher

My family and I recently visited Hong Kong Disneyland to celebrate my daughter's seventh birthday. We stayed in Explorer Lodge Hotel and were greeted by Disney characters like Goofy, Minnie and Mickey Mouse. We absolutely had a great time and will surely be back again.


We spent the next few days in Tsim Sha Tsui, which is a shopping district in Kowloon Island. Our hotel was just near Victoria Harbour so we went there to get a glimpse of the lights and sound show.


We also went up to Victoria Peak in Hong Kong Island via a vintage tram. It was windy and raining at the Sky Terrace so we just stayed indoors shopping for souvenirs.



Proxy servers can be appliances, or they can be software installed on a server operating system. Like a proxy firewall, a proxy server terminates the client's connection and opens its own connection to the destination on the client's behalf, so it is the only system that talks to the Internet directly. Because it sees the full HTTP request (method, URL and headers) rather than just addresses and ports, it can allow and disallow traffic on a much more granular basis than a packet filter.

Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it keeps a copy of cacheable responses it has delivered to internal computers in a web cache (what may be cached, and for how long, is governed by the response's Cache-Control and Expires headers). If any user requests the same page later, the proxy server serves the local copy and need not retrieve it from the Internet again. This greatly improves web performance for frequently requested pages.


You can install a local proxy server in order to monitor web traffic (HTTP/HTTPS) and apply IT policy to it. I tried installing Proxy Workbench (PWB) in a Windows 7 VM and followed the installation wizard.


PWB will pop up a warning saying that several common ports have been configured automatically. Just click OK.


Click 8080 HTTP Proxy - Web and you'll see that HTTP is already ticked (assigned). To verify the port, click Configure HTTP for port 8080.



To test PWB, open Internet Explorer on a client (my Windows 10 machine in this case) > Tools > Internet options.


Under Connections tab > click LAN settings.


Tick Use a proxy server for your LAN > type the proxy server's address (the Windows 7 VM running PWB) > type Port 8080 for HTTP > click OK > then OK again.


You can monitor the HTTP traffic in PWB. Plain HTTP transactions are visible in full (URL, headers, cookies and body). For HTTPS, a forward proxy like this only sees the browser's CONNECT request naming the destination host and port; the TLS session itself runs end-to-end between browser and server, so its content is opaque to the proxy unless you deliberately deploy TLS interception.


You can view the details of an HTTP transaction by clicking a specific TCP transaction.
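As an added example (not code from Proxy Workbench or from the original post), the following shows what a forward proxy on port 8080 actually gets to see in each browser request, and how a host-based IT policy would be applied before forwarding. The two requests are constructed samples of what a browser sends once "Use a proxy server for your LAN" is ticked; example.com and the cookie value are placeholders.

```python
"""Added example: what a plain forward proxy sees per request, and a host policy
applied to it. Not code from Proxy Workbench; sample requests are constructed."""
from urllib.parse import urlsplit

# Constructed sample: a plain-HTTP request. Through a proxy, the browser puts the
# absolute URL in the request line, so the proxy sees method, host, path, headers and body.
PLAIN_HTTP = (
    b"GET http://example.com/index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

# Constructed sample: an HTTPS request. The browser only asks the proxy to open a
# tunnel to host:port; everything after this is TLS and opaque to the proxy.
HTTPS_TUNNEL = (
    b"CONNECT example.com:443 HTTP/1.1\r\n"
    b"Host: example.com:443\r\n"
    b"\r\n"
)


def parse_proxy_request(raw: bytes) -> dict:
    """Parse the request line and headers the way a forward proxy must."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end-of-headers marker")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method.upper() == "CONNECT":
        # CONNECT carries "host:port" only: no scheme, no path, no content.
        host, _, port = target.rpartition(":")
        return {"method": "CONNECT", "host": host, "port": int(port),
                "path": None, "headers": headers, "body": b"",
                "content_visible": False}

    url = urlsplit(target)
    if not url.hostname:
        raise ValueError("proxy requests must carry an absolute URL")
    port = url.port or (443 if url.scheme == "https" else 80)
    return {"method": method.upper(), "host": url.hostname, "port": port,
            "path": url.path or "/", "headers": headers, "body": body,
            "content_visible": True}


def policy_decision(req: dict, blocked_hosts: set) -> str:
    """Apply a host blocklist before forwarding; returns "allow" or "deny".
    Works for HTTPS too, because the host is exposed by the CONNECT line."""
    return "deny" if req["host"].lower() in blocked_hosts else "allow"


def transaction_line(req: dict, decision: str) -> str:
    """One line per transaction, in the spirit of PWB's TCP transaction list."""
    parts = [decision.upper(), req["method"], f"{req['host']}:{req['port']}"]
    if req["path"]:
        parts.append(req["path"])
    parts.append("(content visible)" if req["content_visible"] else "(TLS tunnel, host only)")
    return " ".join(parts)


if __name__ == "__main__":
    blocked = {"example.com"}   # constructed policy for the demo
    for raw in (PLAIN_HTTP, HTTPS_TUNNEL):
        req = parse_proxy_request(raw)
        print(transaction_line(req, policy_decision(req, blocked)))
```

The point to take away is the asymmetry: the plain-HTTP request exposes the session cookie to whoever runs the proxy, while the HTTPS request exposes only the destination host and port, which is still enough to enforce a host blocklist.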



You can also route your traffic through a public proxy server on the Internet. I installed ProxySwitcher and followed the installation wizard.
 

Once installation is finished, click Start 15 Day Trial.


A Welcome pop-up will appear; just click Next.



Click Find New Servers, Rescan Servers, Recheck Dead > click Finish.


ProxySwitcher will automatically download and list public proxy servers from around the world. Keep in mind that these are run by unknown third parties: any plain HTTP you send through them can be read or modified by the operator, and even for HTTPS the operator still learns which hosts you connect to. Treat them as suitable for testing only, not for anything involving credentials.


To use one of the proxy servers, go to Basic Anonymity and double-click a specific proxy server (Ukraine in this case), or select it and click the Switch to Selected Proxy Server icon above. The switch icon will show as connected and turn green.


You can verify the current proxy server IP address on your machine using an online tool such as whatsmyip.org. My web browser displayed the Ukraine public IP address (195.162.81.91 in this case).
 

You can try another proxy server by double-clicking it (Russia in this case).


Verify again that the public IP address reported for the machine now matches the new proxy server.


Thursday, March 7, 2019

Installing Cisco Virtual FMC 6.2.3 in VMware Workstation

There are a number of Cisco Firepower Management Center models. Choose the one that’s right for your organization based on the number of sensor appliances to be monitored (both physical and virtual), the number of hosts in your environment, and the anticipated security events rate. All models provide the same management capabilities, including:
* Centralized device, license, event, and policy management
* Role-based management (segmented and isolated views and duties based on administrator role or group)
* Customizable dashboard with custom and template-based reports
* Comprehensive reporting and alerts for both general and focused information
* Event and contextual information displayed in hyperlinked tables, graphs, and charts
* Network behavior and performance monitoring
* Robust high-availability options to help ensure there’s no single point of failure
* Correlation and remediation features for real-time threat response
* Open APIs for integration with third-party solutions and customer work streams, such as firewalls, network infrastructure, log management, SIEM, trouble ticketing, and patch management

With an FMC, you can manage one or more devices running:
* The same major version as the FMC, including patches. Although you can manage a patched device with an unpatched FMC, we recommend you upgrade both. This allows you to take advantage of any new features and bug fixes.
* Some older major versions and patches to those major versions. Although you can manage an older device with a newer FMC, you cannot fully take advantage of new features and bug fixes until you upgrade both.


I was able to deploy the Cisco Firepower Management Center Virtual (FMCv) in VMware Workstation. You can download the compressed FMCv appliance image from the Cisco software download site (a valid CCO account is required). The FMCv can manage up to 25 sensors. Since I'm running ASA version 9.8(2)38 and FirePOWER version 6.2.3-83, based on the compatibility matrix I need to run an FMC on version 6.2.3.

Extract Cisco_Firepower_Management_Center_Virtual_VMware-6.2.3-83.tar > double-click the VMware ESXi OVF file so that VMware Workstation imports the VM settings.


Click Import



Right-click on FMC VM > click Network Adapter > change Network Connection to Custom:VMNet0 (my internal 192.168.1.0/24 subnet).


Power on the VM (click the green arrow).





The installation took almost 40 minutes to finish. The default login is admin / Admin123.


To take a clean baseline snapshot of the VM, power it off first (right-click > Power Off).


I've renamed the VM to FMCv > right-click > Snapshot > type a name > Take Snapshot.



I moved the VM under the CYBER folder > Power on the VM.

The FMC booted but showed an error that it did not shut down properly and is running a database (DB) check. This takes around 5 minutes to finish.
 

Issue ifconfig to view the FMC management IP address, which is 192.168.45.45/24 by default.

To change the FMC IP address for now, issue sudo ifconfig eth0 192.168.1.200 netmask 255.255.255.0. Note that an address set this way does not survive a reboot; once you can reach the web UI, make it permanent under System > Configuration > Management Interfaces.
 
Type the default password (Admin123) when prompted.



From a machine or NMS on the same subnet, open a web browser and go to https://192.168.1.200. It will show a warning, Your connection is not secure, because the FMC ships with a self-signed certificate that your machine does not trust.

Click Advanced > Add Exception > Confirm Security Exception to accept the self-signed certificate. This is fine for a lab; in production, replace the self-signed certificate with one issued by your own CA before administrators get used to clicking through the warning.


You'll get to the FMC main login page. Notice there's a warning System processes are starting, please wait.

I waited for several minutes/hours and even rebooted the VM, but the error was still there. Just let it run overnight if you're using VMware Workstation and the error will be gone the next day.


Login again using the default credentials: admin / Admin123


Once you're logged in, it will ask you to change the default password. You can also change other settings such as the FMC hostname, domain and DNS server on this page.


Skip the rest of the fields (you can change these System settings later). Tick I have read and agree to the End User License Agreement > click Apply.


This will take a few minutes to finish and then the Summary Dashboard will be displayed.


To perform the FMC post-installation configuration (before adding any managed devices such as FTD or ASA with FirePOWER), go to System > Configuration.


You'll be automatically redirected to Information, where you can change the FMC Name (FQDN).


You can lock down remote access to specific NMS IP addresses or subnets by going to Access > Add Rules.


Type the IP address > tick Port: SSH, HTTPS or SNMP > click Add > click Save every time you make any changes.



You can then remove the default any host entries (click the trash bin icon); until you do, the any entries still permit access from every address and your new rules restrict nothing. Make sure the address you are managing from is covered by a rule before deleting them, or you will lock yourself out of the web UI and SSH.


You can perform an FMC appliance Shutdown, Reboot or Restart under Process. These can only be performed on FMC hardware or server platforms such as the FMC 1000, FMC 2500 or FMC 4500.

When running FMC in a VMware environment, perform these actions from the vSphere client (or VMware Workstation) instead.
 

The Audit Log Certificate is the client certificate the FMC presents when streaming its audit log to a syslog server over TLS; it is issued by your Public Key Infrastructure (PKI) so that the syslog server can authenticate the FMC.


You can enable sending the audit log to a syslog server under Audit Log.


Choose Enabled under Send Audit Log to Syslog > type the Syslog server IP address under Host > choose SYSLOG under Facility.


Choose INFO (Severity level 6) under the Severity level.


You can optionally type a Tag (FMC in this case) to identify syslog messages generated by the FMC > click Save.


I ran a 3CDaemon Syslog server on my NMS (192.168.1.100). Notice an Informational syslog message (Severity Level 6) was generated by the FMCv.
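As an added example (not part of the original post or of Cisco's software), here is a small syslog receiver that does what 3CDaemon does for the audit log settings above: it decodes the <PRI> header into facility and severity, checks for facility SYSLOG (5), severity INFO (6) and the FMC tag, and drops everything else. The sample lines are constructed to match those settings; the wording of the FMC's real audit messages is an assumption, only the <PRI> header and the tag prefix matter here.

```python
"""Added example: receive and filter FMC audit-log syslog messages.
Not Cisco code; sample lines are constructed. Facility SYSLOG = 5, INFO = 6,
so the FMC's messages arrive with PRI 5*8 + 6 = 46."""
import re
import socket

SYSLOG_FACILITY = 5   # facility "SYSLOG" chosen on the FMC Audit Log page
INFO = 6              # "INFO (Severity level 6)"
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE  (PRI = facility*8 + severity)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(line: str) -> dict:
    """Decode one RFC 3164 line into facility, severity, host, tag and message."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                   # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    tag, sep, body = m["msg"].partition(": ")
    if not sep:                     # message carries no "TAG: " prefix
        tag, body = "", m["msg"]
    return {
        "facility": facility, "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp": m["ts"], "host": m["host"], "tag": tag, "message": body,
    }


def audit_events(lines, tag="FMC", max_severity=INFO, facility=SYSLOG_FACILITY):
    """Keep only well-formed messages with the FMC tag, on the configured facility,
    at severity INFO or more severe; malformed and unrelated lines are dropped."""
    kept = []
    for line in lines:
        try:
            ev = parse_syslog(line)
        except ValueError:
            continue
        if ev["tag"] != tag or ev["facility"] != facility or ev["severity"] > max_severity:
            continue
        kept.append(ev)
    return kept


# Constructed sample traffic as the FMC would send it with the settings above.
SAMPLE_LINES = [
    "<46>Feb  5 09:43:04 FMCv FMC: admin@192.168.1.100 Login Success",
    "<46>Feb  5 09:44:10 FMCv FMC: admin@192.168.1.100 System > Configuration Audit Log Save",
    "<47>Feb  5 09:45:00 FMCv FMC: debug chatter",            # severity 7, below INFO
    "<46>Feb  5 09:46:00 otherhost ASA: not tagged FMC",       # different tag
    "not a syslog line at all",                                 # malformed, skipped
]


def listen(bind="0.0.0.0", port=514):
    """Plain UDP syslog receiver (port 514 needs root; pick a high port otherwise)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(8192)
        for ev in audit_events([data.decode("utf-8", "replace")]):
            print(f"{src} {ev['timestamp']} {ev['host']} {ev['severity_name']}: {ev['message']}")


if __name__ == "__main__":
    for ev in audit_events(SAMPLE_LINES):
        print(f"{ev['timestamp']} {ev['host']} {ev['severity_name']}: {ev['message']}")
```

Because the audit log is sent over plain UDP here, it can be spoofed or dropped on the wire; the Audit Log Certificate described above is what lets you move this stream to TLS with the FMC authenticated by a client certificate.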


You can create a custom login banner under Login Banner > type the banner message (one that complies with your IT/security policy) > Save.


You'll see the custom banner whenever you log in to the FMC via SSH or HTTPS.



You can enable Change Reconciliation to receive an email report of any configuration changes made on the FMC.

I'll just show the rest of the FMC configuration options. You can refer to the FMC configuration guide for more info.

Under Management Interfaces you can edit the FMC management IPv4 address (eth0), the hostname and DNS settings, add static routes, and change the Remote Management Port (8305).


Click edit (pencil icon) on the right of eth0 to edit the Management Interface.


Click add (+ symbol) under Routes to add static routes.


You'll need a default route to reach any network other than the FMC's local network (192.168.1.0/24):

admin@FMCv-LAB:~$ ping 8.8.8.8
connect: Network is unreachable

To configure a static default route, tick Default Route > type the IP address under Gateway > click OK.
 

Click Save (at the bottom page).


You should now be able to ping remote networks (Google DNS in this case). Note that ping needs to be run under sudo on the FMC shell:

admin@FMCv-LAB:~$ ping 8.8.8.8
ping: icmp open socket: Operation not permitted      // ISSUE sudo TO ALLOW root COMMANDS TO BE EXECUTED
admin@FMCv-LAB:~$
admin@FMCv-LAB:~$ sudo ping 8.8.8.8
Password:
Last login: Tue Feb  5 09:43:04 UTC 2019
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=118 time=9.24 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=118 time=6.04 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=118 time=7.57 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 6.047/7.620/9.242/1.304 ms


The FMC uses its own local clock (the ntpd pseudo-address 127.127.1.1) by default. To configure an NTP server, go to Time Synchronization (or click the hyperlink).


You can use Google's free public NTP server, time.google.com. Two caveats: Google's NTP servers smear leap seconds rather than inserting them, so do not mix them with non-smearing NTP sources on the same device, and the sensors managed by this FMC should use the same time source as the FMC so that event timestamps line up across devices.
 

Notice the Google NTP server (216.239.35.8) status changed to Being Used. The FMC will by default retain its local clock, 127.127.1.1, as a backup.