CompTIA Security+
Security Portfolio Practical

Table of Contents
Aim and Objectives
Task 1 Active Directory, DNS and Print Services
Task 2 Exchange Server
Task 3 Barracuda Spam Filter
Task 4 Microsoft Office Outlook
Task 5 Site-to-site VPN
Task 6 RADIUS Server AAA
Task 7 TACACS+ Server AAA
Task 8 Vulnerability Assessment
Task 9 NVD National Vulnerability Database
Task 10 Cisco Intrusion Prevention Configuration
Task 11 Cisco Context-Based Access Control Firewall
Task 12 Cisco Zone-Based Firewall
Task 13 Fortinet Unified Threat Management
Task 14 Cyberoam Unified Threat Management
Recommendation
References

Aim
The aim of this assessment is to discuss methods of securing hardware and software in an environment.

Objectives:
- To explain how to install and configure a Windows network
- To discuss the correct installation of a firewall and an IDS
- To describe the use of a mail server
- To enable remote access
- To outline five vulnerabilities found in computer systems
- To demonstrate blocked vulnerabilities
- To demonstrate a VPN

Task 1 Active Directory, DNS and Print Server

Active Directory (AD) is Microsoft's directory service, introduced with Windows 2000. It is the standard system for managing users, data, security and resources on a Windows network. The minimum system requirements for the server are a 1.4 GHz processor, 512 MB of RAM, 64 GB of disk space and an Ethernet adapter. [1] Rouse (2016).

Steps to set up Active Directory:

1. Open Server Manager from the Windows Start button.
   Figure 1.1 Dashboard of Server Manager
2. In Deployment Configuration, select Add a domain controller.
   Figure 1.2 Deployment Configuration: adding a domain
3. In Deployment Configuration, select Add a new forest.
   Figure 1.3 Deployment Configuration: adding a new forest
4. Under Domain information, type the desired root domain name.
   Figure 1.4 Specifying the root domain name
5. In Domain Controller Options, type and confirm the Directory Services Restore Mode password.
   Figure 1.5 Domain Controller Options dialog box
6. In Additional Options, add the NetBIOS domain name.
   Figure 1.6 Adding the NetBIOS domain name
7. Select the paths for the AD DS database, log files and SYSVOL.
   Figure 1.7 Location of the AD DS database and log files
8. Review the options selected for Active Directory Domain Services.
   Figure 1.8 Review selection
9. Run the prerequisites check before installing with the chosen settings.
   Figure 1.9 Prerequisites check
10. Once installed, sign in with the domain username and password.
    Figure 1.10 Windows Server login page
11. In Network and Sharing Center, go to Change adapter settings, then Properties.
    Figure 1.11 Ethernet properties
12. Open the IPv4 properties and enter the desired IP address, subnet mask and default gateway.
    Figure 1.12 Internet Protocol Version 4 (TCP/IPv4) properties
13. The domain controller is now set up together with its IP addresses.
    Figure 1.13 Network and Sharing Center
14. Edit the Computer Name/Domain settings and join the domain.
    Figure 1.14 Domain name changes
15. In Server Manager, choose Active Directory Users and Computers.
    Figure 1.15 Server Manager GUI
16. Active Directory Users and Computers lists all the information about the domain.
    Figure 1.16 Active Directory Users and Computers
17. In Active Directory Users and Computers, add a New Object (an organizational unit) and type the desired name.
    Figure 1.17 New Object dialog box
18. The ITD organizational unit now appears in Active Directory Users and Computers.
    Figure 1.18 ITD added to Active Directory Users and Computers
19. Fill in the New Object (user) to be created inside the ITD organizational unit.
    Figure 1.19a New Object fill-in dialog box
    Figure 1.19b New Object created successfully
20. Create the group for the new object.
    Figure 1.20 New Object: Group
21. The Manager group has been added to the ITD organizational unit.
    Figure 1.21 Active Directory: Bryan David and Manager

Print Server

1. Download a copy of the HP printer installer from the official HP website.
   Figure 1.1.1 HP website
2. From the HP website, download the installer for the selected printer.
   Figure 1.1.2 HP installer
3. This is the .exe file of the HP printer installer.
   Figure 1.1.3 HPePrintAPPx64bit
4. In Server Manager, select Add roles and features.
   Figure 1.1.4 Server Manager dashboard
5. The Add Roles and Features Wizard opens for the HP printer.
   Figure 1.1.5 Roles and features wizard
6. Select Role-based or feature-based installation for the print server.
   Figure 1.1.6 Installation type for the HP print server
7. In Server Selection, select a server from the server pool.
   Figure 1.1.7 Server selection
8. Add Print and Document Services as the role for the HP printer.
   Figure 1.1.8 Add Roles and Features Wizard
9. On the Print and Document Services page, click Next.
   Figure 1.1.9 Print and Document Services
10. Tick Print Server, Scan Server and Internet Printing as the role services for the HP print services.
    Figure 1.1.10 Role services for the HP printer
11. On the Web Server Role (IIS) page, click Next.
    Figure 1.1.11 Web Server Role (IIS)
12. Select the IIS role services required by the print server.
    Figure 1.1.12 Web server role services
13. On the Confirmation page, review all the roles and features selected.
    Figure 1.1.13 Confirmation of roles and features
14. The Results page shows the installation of all the roles added.
    Figure 1.1.14 Results dialog box for the roles and features
15. In Server Manager, select Print Management.
    Figure 1.1.15 Print Management drop-down list
16. In Print Management, select Custom Filters, then All Printers.
    Figure 1.1.16 Print Management
17. In the All Printers list, select the desired printer.
    Figure 1.1.17 All Printers
18. Run the printer installer from the downloaded files.
    Figure 1.1.18 Printer installer
19. In the HP ePrint installer, click Install.
    Figure 1.1.19 Installer for the HP printer
20. The HP printer installer runs automatically.
    Figure 1.1.20 HP printer installer
21. The HP printer installation is successful.
    Figure 1.1.21 Printer installation
22. Go back to Print Management to select the desired printer.
    Figure 1.1.22 Print Management
23. The HP printer appears in Print Management.
    Figure 1.1.23 HP printer in Print Management
24. In Deploy with Group Policy, browse for the Group Policy Object name.
    Figure 1.1.24 Deploy with Group Policy
25. In Browse for a Group Policy Object, select the desired domain.
    Figure 1.1.25 Browse for GPO
26. Select the Printer Group Policy in the domain bryan.com.
    Figure 1.1.26 Browse for GPO
27. In Deploy with Group Policy, add the bry GPO.
    Figure 1.1.27 Deploy with Group Policy
28. Printer deployment is successful.
    Figure 1.1.28 Print Management dialog box
29. Verification of the successful printer deployment.
    Figure 1.1.29 Deployment successful dialog box
30. HP ePrint is successfully configured.
    Figure 1.1.30 Print Management dialog box
31. Right-click the HP printer and click Properties.
    Figure 1.1.31 Properties of the HP printer
32. In Properties, select the Security tab.
    Figure 1.1.32 Security tab of the HP printer properties
33. In the Security tab, select Administrators and tick Allow for Print, Manage this printer and Manage documents.
    Figure 1.1.33 Permissions for Administrators

Ordinary domain users should keep only the Print permission; Manage this printer and Manage documents should stay restricted to administrators, otherwise any user can reconfigure the queue or delete other users' jobs.

Task 2 Exchange Server

Exchange Server is Microsoft's messaging system, comprising a mail server, an email client interface and groupware applications. It is designed for companies so that employees can share information easily: used together with Outlook, the company calendar and contact lists are always in sync.
The minimum requirements for Exchange Server are a 64-bit processor, enough RAM for the installed server roles (Microsoft publishes per-role minimums), 64 GB of disk space and an Ethernet adapter. [2] Microsoft (2017).

Setup procedure:

1. Install Windows Server.
2. Insert the MS Exchange installation DVD, open a command prompt and change to the installer directory:
   d:
   dir
   cd exch
   Figure 2.1 CMD installation of Exchange Server
3. From the installer directory on drive D, prepare the schema and Active Directory:
   setup /PrepareSchema
   setup /PrepareAD /OrganizationName:Avonmore
   setup /PrepareAllDomains
4. Open PowerShell and install the required Windows features:
   Import-Module ServerManager
   Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,Web-Asp-Net,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-ISAPI-Filter,Web-Request-Monitor,Web-Static-Content,Web-WMI,RPC-Over-HTTP-Proxy -Restart
   Set-Service NetTcpPortSharing -StartupType Automatic
5. Install the Office filter pack found on the installation disc.
6. Install Exchange Server 2010.
   Figure 2.2 Installation of Exchange Server
7. In the Exchange Server 2010 setup, click Next.
   Figure 2.3 Introduction
8. In Installation Type, select Typical Exchange Server Installation.
   Figure 2.4 Installation type
9. In Exchange Organization, type the desired organization name.
   Figure 2.5 Exchange Organization
10. In Client Settings, select No (no client computers running Outlook 2003 or earlier).
    Figure 2.6 Client Settings
11. Type the desired external domain name for the Client Access server.
    Figure 2.7 Configure Client Access server external domain
12. Select "I don't wish to join the program at this time".
    Figure 2.8 Customer Experience Improvement Program
13. In Readiness Checks, review all the selected options before installation.
    Figure 2.9 Readiness Checks
14. Upon completion, click Finish.
    Figure 2.10 Completion

Configuring Mailbox Roles

In this setup the Exchange server is configured to perform multiple roles so that our users can send and receive emails. We need the following: (1) Hub Transport, responsible for routing messages; (2) Client Access, which offers all the available protocols for access to mailboxes; (3) Mailbox, which holds the mailboxes and public folders. These three roles are required before the Exchange Management Console can make the necessary changes.

1. Open the Exchange Management Console and choose Organization Configuration in the left pane. Select your server and click New Mailbox Database on the right.
   Figure 2.11 Exchange Management Console
2. Follow the on-screen instructions to set the location of the database and click Finish once done.
   Figure 2.12 New Mailbox Database

Sending and receiving emails via a web browser:

1. To access web mail, type the URL of the server in the browser and add /owa to the address. Outlook Web App should be published over HTTPS only, so that logins are not sent in cleartext.
   Figure 2.13 Outlook Web App
2. After a successful login the user is presented with Outlook Web App and can start sending and receiving emails.
   Figure 2.14 Email test

Task 3 Barracuda Spam Filter

Barracuda Spam Filter is an integrated hardware and software solution that protects the email server from virus, spam, spoofing and spyware attacks. [3] Barracuda (2017).

Steps to set up the filter:

1. Log in to the Barracuda Spam Filter as administrator and add the IP configuration, DNS and domain name of the email server admincore.com.
   Figure 3.1 Basic setup for email security
   Figure 3.2 Email server setup
   Figure 3.3 Virus and spam protection
2. Set up the quarantine procedure for emails that contain spam or viruses.
   Figure 3.4 All inbound settings for email protection
3. Updates allow the spam filter to recognise incoming spam threats.
   Figure 3.5 Updates for Barracuda, part 1
   Figure 3.6 Updates for Barracuda, part 2
4. The Domain tab allows domains to be added to the allow or block lists.
   Figure 3.7 Domain manager
5. Spam Scoring Limits set the score thresholds at which mail is blocked, quarantined or tagged.
   Figure 3.8 Inbound and outbound spam scoring limits
6. Rate Control lets administrators set the number of connections allowed per IP address.
   Figure 3.9 Rate Control
7. Sender Filters filter all mail incoming to the mail server.
   Figure 3.10 Incoming email filters

Task 4 Microsoft Office Outlook

Microsoft Office Outlook is Microsoft's personal information manager. It includes an email client, calendar, contact list, notes, journal and web browsing. It can be used with Exchange Server or SharePoint Server, or as a stand-alone program. It is one of the most widely used email clients in companies worldwide, as it is easy to use and has many functions. [4] Rouse (2012).

Steps to manage MS Outlook:

1. From the Start menu of the Windows server, select Microsoft Outlook 2010.
   Figure 4.1 Microsoft Outlook 2010
2. In Control Panel, look for Mail Setup - Outlook.
   Figure 4.2 Mail Setup - Outlook
3. Select Account Settings for the email.
   Figure 4.3 Account Settings for Outlook
4. Add a new account and select "Manually configure server settings".
   Figure 4.4 Add New Account dialog box
5. Select Internet E-mail in the Add New Account settings.
   Figure 4.5 Add New Account dialog box
6. Type the user information, server information and logon information, then click Next.
   Figure 4.6 User, server and logon information for the new account
7. The Yahoo POP settings at https://help.yahoo.com/kb/SLN4724.html give the server names and ports needed to set up the account in Outlook.
   Figure 4.7 Yahoo Mail POP settings
8. After setting up the new account, click Next.
   Figure 4.8 Add New Account information
9. Type the desired email address in the Internet E-mail Settings.
   Figure 4.9 Internet E-mail Settings
10. For the outgoing server, select "Use same settings as my incoming mail server".
    Figure 4.10 Internet E-mail Settings for the outgoing server
11. Go to the Advanced settings and copy the port and encryption settings from the Yahoo POP article, so that the mailbox password is only ever sent over SSL/TLS.
    Figure 4.11 Advanced settings for the email
12. Test the account settings to verify the email services.
    Figure 4.12 Test Account Settings
13. All the email accounts now appear in the account list.
    Figure 4.13 Email settings
14. Data Files shows the location of the email store.
    Figure 4.14 Data files of the email
15. The Outlook dashboard holds all email in one program.
    Figure 4.15 Microsoft Outlook
16. Click New E-mail to test the email server.
    Figure 4.16 Pop-up window for the email
17. Email setup for bryanldavid@yahoo.com, including all information.
    Figure 4.17 Microsoft Outlook
18. Testing client-to-client email.
    Figure 4.18 Email test
19. The test is in progress while the email is sent to the client.
    Figure 4.19 MS Outlook dashboard
20. The Microsoft Outlook test message appears in the Yahoo Mail website.
    Figure 4.20 Yahoo Mail
21. Test email for the client-to-client email server.
    Figure 4.21 Client-to-client email server

Task 5 Site-to-site VPN

Using a VPN between Cisco routers provides a more secure way of transmitting data over a public network and avoids the high cost of leased lines. A site-to-site VPN builds an IPsec tunnel between two branch offices. A VPN can also provide remote access between the clients and servers of small offices.

Site-to-site VPN topology

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1          192.168.1.1   255.255.255.0    N/A              SW1 FA0/1
        S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
        S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      FA0/0          192.168.3.1   255.255.255.0    N/A              SW2 FA0/1
        S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      SW1 FA0/2
PC-B    NIC            192.168.3.3   255.255.255.0    192.168.3.1      SW2 FA0/2

Router 1 configuration

hostname R1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key cisco123 address 10.2.2.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.2.2.1
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set 50
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 64000
 crypto map CMAP
!
router eigrp 100
 network 192.168.1.0
 network 10.1.1.0 0.0.0.3
 no auto-summary
!
! Crypto ACL: traffic between the two LANs is what gets encrypted
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 password 7 0822455D0A165445415F59
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0822455D0A165445415F59
 login
!
end

Router 2 configuration

hostname R2
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 64000
!
router eigrp 100
 network 10.1.1.0 0.0.0.3
 network 10.2.2.0 0.0.0.3
 no auto-summary
!
end

Router 3 configuration

hostname R3
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key cisco123 address 10.1.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set 50
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 crypto map CMAP
!
router eigrp 100
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
! Mirror image of the crypto ACL on R1
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 password 7 0822455D0A165445415F59
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0822455D0A165445415F59
 login
!
end

The ISAKMP policy, the transform set and the pre-shared key must match on both routers, and each router's crypto ACL must be the mirror image of the other's, or the security associations will not negotiate. The pre-shared key cisco123 and the "password 7" line passwords are lab values: type 7 encoding is reversible, so a production deployment should use a long pre-shared key (or certificates) and type 8/9 secrets for the lines.

Check:

Router 1: in the CLI of R1 (show crypto ipsec sa), both the inbound and outbound security associations show as ACTIVE.
Router 3: in the CLI of R3, both the inbound and outbound security associations likewise show as ACTIVE.

Task 6 RADIUS Server AAA

For basic authentication, AAA (authentication, authorization and accounting) can be configured to use the local database for client logins. This becomes difficult because it must be configured on every router. To take full advantage of AAA, a RADIUS server is used instead.
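Before moving on to the AAA configuration, here is an added example (written for this edit, not part of the original portfolio) that checks the two Task 5 IPsec endpoints against each other the way a reviewer would before blaming the lab for a tunnel that will not come up. It parses the crypto-relevant lines of the R1 and R3 configurations shown above, constructed inline as its sample input, and reports ISAKMP policy mismatches, peer or pre-shared-key addresses that do not point at the other router's tunnel interface, transform-set differences and crypto ACLs that are not mirror images. It also decodes any "password 7" string it finds, to show that type 7 is reversible obfuscation rather than encryption. The 20-character threshold for the pre-shared key is an assumed heuristic, not a Cisco rule.

```python
"""Added example: consistency audit of the two Task 5 IPsec endpoints (R1 and R3)."""
import re

# Fixed XOR key behind Cisco "password 7" strings; type 7 is reversible, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed input: the crypto-relevant lines of the R1 and R3 configurations above.
R1_CONFIG = """\
hostname R1
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco123 address 10.2.2.1
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.2.2.1
 set transform-set 50
 match address 101
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 crypto map CMAP
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
line vty 0 4
 password 7 0822455D0A165445415F59
"""

R3_CONFIG = """\
hostname R3
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco123 address 10.1.1.1
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set 50
 match address 101
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 crypto map CMAP
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
line vty 0 4
 password 7 0822455D0A165445415F59
"""


def parse(config):
    """Pull the crypto-relevant facts out of an IOS running-config extract."""
    c = {}
    c["hostname"] = re.search(r"^hostname (\S+)", config, re.M).group(1)
    m = re.search(r"^crypto isakmp key (\S+) address (\S+)", config, re.M)
    c["psk"], c["psk_peer"] = m.group(1), m.group(2)
    m = re.search(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)
    c["transform"] = (m.group(1), m.group(2).split())       # (name, algorithms)
    pol = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", config, re.M).group(1)
    c["policy"] = dict(line.strip().split(None, 1) for line in pol.splitlines())
    cmap = re.search(r"^crypto map \S+ \d+ ipsec-isakmp\n((?: .*\n)+)", config, re.M).group(1)
    c["peer"] = re.search(r"set peer (\S+)", cmap).group(1)
    c["map_transform"] = re.search(r"set transform-set (\S+)", cmap).group(1)
    c["map_acl"] = re.search(r"match address (\S+)", cmap).group(1)
    # the interface that carries "crypto map" is this side's tunnel endpoint
    m = re.search(r"^interface \S+\n ip address (\S+) \S+\n(?: .*\n)*? crypto map ", config, re.M)
    c["tunnel_ip"] = m.group(1)
    c["acl"] = re.findall(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M)
    c["type7"] = re.findall(r"password 7 (\S+)", config)
    return c


def decode_type7(enc):
    """Recover the cleartext of a Cisco type 7 password (first two digits are the key offset)."""
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))


def audit(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two peers agree and nothing weak was seen."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a["policy"] != b["policy"]:
        findings.append("ISAKMP policy parameters differ between peers")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    elif len(a["psk"]) < 20:  # assumed heuristic, not a Cisco rule
        findings.append(f"pre-shared key {a['psk']!r} is short (heuristic: fewer than 20 characters)")
    for me, other in ((a, b), (b, a)):
        if {me["peer"], me["psk_peer"]} != {other["tunnel_ip"]}:
            findings.append(f"{me['hostname']}: peer/key address does not point at "
                            f"{other['hostname']}'s tunnel interface")
        if me["map_transform"] != me["transform"][0]:
            findings.append(f"{me['hostname']}: crypto map references an undefined transform-set")
    if a["transform"][1] != b["transform"][1]:
        findings.append("transform-set algorithms differ between peers")
    acl_a = sorted(e[1:] for e in a["acl"] if e[0] == a["map_acl"])
    acl_b_mirrored = sorted((d, dw, s, sw) for n, s, sw, d, dw in b["acl"] if n == b["map_acl"])
    if acl_a != acl_b_mirrored:
        findings.append("crypto ACLs are not mirror images; SAs will not negotiate for all traffic")
    for side in (a, b):
        for enc in side["type7"]:
            findings.append(f"{side['hostname']}: type 7 line password is reversible -> {decode_type7(enc)!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(R1_CONFIG, R3_CONFIG):
        print(finding)
```

Run against the configurations on this page the audit reports no mismatches, only the short pre-shared key and the two recoverable line passwords; change the DH group or the crypto ACL on one side and the corresponding mismatch appears, which is exactly the class of error that leaves "show crypto ipsec sa" with no ACTIVE SAs.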
With RADIUS, when a client attempts to log in to the router, the router refers to the external server database to verify that the client is presenting a valid username and password.

Topology for the RADIUS server AAA

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1          192.168.1.1   255.255.255.0    N/A              S1 FA0/5
        S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
        S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      FA0/1          192.168.3.1   255.255.255.0    N/A              S3 FA0/5
        S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      S1 FA0/6
PC-C    NIC            192.168.3.3   255.255.255.0    192.168.3.1      S3 FA0/18

On the RADIUS server, simply configure the users and the shared key for each host that will use it for authentication.

Router configuration, Router 1

hostname R1
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
aaa new-model
!
! Consult the RADIUS server first; "none" means no authentication at all if it is unreachable
aaa authentication login default group radius none
!
no ip cef
no ipv6 cef
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 64000
!
router eigrp 100
 network 192.168.1.0
 network 10.1.1.0 0.0.0.3
 no auto-summary
!
ip classless
!
ip flow-export version 9
!
radius-server host 192.168.1.3 auth-port 1645 key ciscoaaapass
!
line con 0
 exec-timeout 5 0
 password 7 0822455D0A165445415F59
 logging synchronous
line vty 0 4
 exec-timeout 5 0
 password 7 0822455D0A165445415F59
!
end

The "none" fallback in the login method list is a lab convenience: if the RADIUS server at 192.168.1.3 is down, anyone can log in without credentials. Outside a lab, "group radius local" (falling back to a local username) is the safer choice.

Verification

With this running configuration, the router contacts the RADIUS server to verify logins on the router console. Using Telnet, the client computer can connect to the router and is authenticated through RADIUS.

Task 7 TACACS+ Server AAA

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol from Cisco Systems, released in 1993. It runs over TCP (port 49), whereas RADIUS uses UDP. RADIUS, by contrast, encrypts only the user's password attribute as it travels between the router (the network access device) and the RADIUS server.
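To make that comparison concrete, the following added example (written for this edit, not part of the original portfolio) builds the two login packets a sniffer on the router-to-server link would see: a RADIUS Access-Request following RFC 2865 and a TACACS+ authentication START packet following RFC 8907. The shared secrets are the ones used in the Task 6 (ciscoaaapass) and Task 7 (tacacspass) configurations; the username, password, request authenticator and session ID are constructed for the demonstration. A real router draws the authenticator and session ID from a random source.

```python
"""Added example: what RADIUS and TACACS+ each leave readable on the wire for the same login."""
import hashlib
import struct

RADIUS_SECRET = b"ciscoaaapass"   # key from the Task 6 radius-server host line
TACACS_KEY = b"tacacspass"        # key from the Task 7 tacacs-server host line
USERNAME, PASSWORD = b"bryan", b"P@ssw0rd-demo"   # constructed for the demonstration
REQUEST_AUTHENTICATOR = bytes(range(16))          # constructed; a real NAS uses 16 random bytes
SESSION_ID = 0x1234ABCD                           # constructed TACACS+ session id


def radius_hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: XOR 16-byte chunks of the NUL-padded password with an MD5 chain.
    Only this one attribute is protected; the rest of the packet is cleartext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out


def radius_reveal_password(secret, authenticator, hidden):
    """Inverse of radius_hide_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(secret, authenticator, username, password, identifier=1):
    """Code 1 (Access-Request) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(secret, authenticator, password)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def radius_attributes(packet):
    """Parse the type/length/value attribute list after the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def tacacs_obfuscate(session_id, key, version, seq_no, body):
    """RFC 8907 section 4.5: XOR the entire body with a chained-MD5 pad.
    XOR is its own inverse, so the same call decrypts."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(session_id, key, username, port=b"tty0", rem_addr=b"192.168.1.3"):
    """Authentication START (action LOGIN, type ASCII, service LOGIN); header clear, body encrypted."""
    version, seq_no = 0xC0, 1
    body = struct.pack("!8B", 1, 1, 1, 1, len(username), len(port), len(rem_addr), 0)
    body += username + port + rem_addr
    header = struct.pack("!4BII", version, 1, seq_no, 0, session_id, len(body))  # flags 0 = encrypted
    return header + tacacs_obfuscate(session_id, key, version, seq_no, body)


def tacacs_decrypt_body(key, packet):
    """Recover the START body from a packet, as the TACACS+ server does."""
    version, _, seq_no, _, session_id, _ = struct.unpack("!4BII", packet[:12])
    return tacacs_obfuscate(session_id, key, version, seq_no, packet[12:])


def compare_exposure():
    """Which login fields a passive sniffer can read directly from each packet."""
    r = radius_access_request(RADIUS_SECRET, REQUEST_AUTHENTICATOR, USERNAME, PASSWORD)
    t = tacacs_authen_start(SESSION_ID, TACACS_KEY, USERNAME)
    return {"radius_username_visible": USERNAME in r,
            "radius_password_visible": PASSWORD in r,
            "tacacs_username_visible": USERNAME in t}


if __name__ == "__main__":
    print(compare_exposure())
```

The RADIUS packet carries the username (and, on a real network, the NAS address, port and other attributes) in cleartext, with only the password hidden; the TACACS+ packet exposes nothing past its 12-byte header. Note that both protections rest on MD5 keyed with a shared secret, so the strength of either comes down to the secret and to keeping the management network segregated.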
The rest of a RADIUS packet (username, NAS address and other attributes) travels in cleartext, so it is more exposed than TACACS+, which encrypts the entire packet body.

Topology for the TACACS+ server AAA (as in Task 6)

TACACS+ configuration, Router 2

hostname R2
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
username bryan secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
! AAA must be enabled for the TACACS+ server to be consulted; "local" falls back
! to the username above only if the server is unreachable
aaa new-model
aaa authentication login default group tacacs+ local
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 64000
!
router eigrp 100
 network 10.1.1.0 0.0.0.3
 network 10.2.2.0 0.0.0.3
 no auto-summary
!
tacacs-server host 192.168.1.3 key tacacspass
!
line aux 0
!
line vty 0 4
!
end

Verification:

This router uses TACACS+ on the server 192.168.1.3, and the username and password entered at login are verified against it.

Task 8 Vulnerability Assessment using GFI LanGuard

GFI LanGuard is a network security scanning and patch management solution. It gives a complete picture of the network, performs risk analysis and helps maintain a secure and compliant network. It scans the network to discover all connected devices, including mobile devices, and searches them for security issues. Devices can be managed remotely either with an agent or agentlessly. For a remote agentless scan, first specify the target devices, the scanning profile that indicates what to look for, and credentials with the proper authorization. [5] GFI (n.d.).

Steps to set up and use GFI LanGuard:

1. The Alerting Options of GFI LanGuard are found by logging in to the console.
   Figure 8.1 Alerting option configuration
2. Set up the email address the alerts will come from and specify a recipient.
   Figure 8.2 General setup for email addresses
3. Next come the vulnerability assessment settings.
   These provide the option of which profile to scan with and activate the high-severity vulnerability checks.
   Figure 8.3 Profile options for vulnerability assessment
4. The selected profiles can be edited so that administrators can add and remove the items included in or excluded from the scan.
   Figure 8.4 Vulnerability profiles
5. Network and software auditing for the administrator, based on the profile chosen.
   Figure 8.5 Network and software audit
6. Each profile can be further customised to best fit the requirements of the organisation.
   Figure 8.6 Scanning options for network and software audit
7. Scheduling a scan in GFI LanGuard makes vulnerability scanning easy for administrators. The Scheduled Scan option runs a scan at a specific date and time.
   Figure 8.7 Performing a scheduled scan
   Figure 8.8 Type of scan desired
   Figure 8.9 Specific day and time, chosen to avoid affecting user productivity
   Figure 8.10 Successful scheduled scan

Task 9 NVD National Vulnerability Database

The NVD is the U.S. government repository of standards-based vulnerability management data, maintained by NIST (National Institute of Standards and Technology) and represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement and compliance. The NVD includes databases of security checklist references, software flaws, misconfigurations, product names and impact metrics. [6] NVD (2017, October).

Here are five vulnerabilities listed on the website:

1. CVE-2017-16543
   Zoho ManageEngine Applications Manager 13 allows SQL injection via GraphicalView.do with a crafted viewProps yCanvas field.
   Source: MITRE. Last modified: 11/05/2017. US-CERT/NIST original release date: 11/05/2017.
2. CVE-2017-16545
   The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 fails to validate colormapped images, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a malformed image.
   Source: MITRE. Last modified: 11/05/2017. US-CERT/NIST original release date: 11/05/2017.
3. CVE-2017-16546
   The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 fails to validate the colormap index in a WPG palette, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a malformed file.
   Source: MITRE. Last modified: 11/05/2017. US-CERT/NIST original release date: 11/05/2017.
4. CVE-2017-16547
   The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 does not properly look for pop keywords that are associated with push keywords, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted file.
   Source: MITRE. Last modified: 11/06/2017. US-CERT/NIST original release date: 11/06/2017.
5. CVE-2017-16548
   The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service or possibly have unspecified other impact by sending crafted data to the daemon.
   Source: MITRE. Last modified: 11/06/2017. US-CERT/NIST original release date: 11/06/2017.

Task 10 Cisco Intrusion Prevention Configuration

The Cisco Intrusion Prevention System (IPS) detects attack patterns and raises alerts (or drops the traffic) when a security breach occurs.
Combined on the router with a secure Internet firewall, IPS can be a powerful defence mechanism for the network.

Topology for Cisco Intrusion Prevention configuration

Device  Interface  IP Address    Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1   255.255.255.0    N/A
        S0/0/0     10.1.1.1      255.255.255.252  N/A
R2      S0/0/0     10.1.1.2      255.255.255.252  N/A
        S0/0/1     10.2.2.2      255.255.255.252  N/A
R3      Fa0/1      192.168.3.1   255.255.255.0    N/A
        S0/0/1     10.2.2.1      255.255.255.252  N/A
PC-A    NIC        192.168.1.3   255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.3   255.255.255.0    192.168.3.1

Router 1 configuration

hostname R1
!
enable secret 5 $1$mERr$oM/JyxYqfgpr/DlQ0ZM/h.
!
no ip cef
no ipv6 cef
!
no ip domain-lookup
!
spanning-tree mode pvst
!
! Signature storage, rule name, and the signature categories in use
ip ips config location flash:ipsdir retries 1
ip ips name iosips
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip ips iosips out
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
!
router eigrp 10
 network 192.168.1.0
 network 10.0.0.0
 auto-summary
!
! Syslog server that receives the IPS alerts
logging 192.168.1.50
!
line con 0
 exec-timeout 0 0
 password conpass
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password auxpass
 login
line vty 0 4
 exec-timeout 0 0
 password vtypass
 login
!
end

The cleartext line passwords and "exec-timeout 0 0" (sessions never time out) are lab settings and should not be carried into production.

Verify settings

The command show ip ips all displays a summary of the IPS configuration status.

PC-C to PC-A: the pings should fail. This is because the IPS signature for ICMP echo request has its event-action set to deny-packet-inline (the signature tuning that enables this rule is not shown in the configuration extract above).

PC-A to PC-C: the ping should succeed. The IPS rule does not cover echo replies, so when PC-A pings PC-C, PC-C's echo reply passes through.

Task 11 Cisco Context-Based Access Control Firewall

Cisco Context-Based Access Control (CBAC) is used to build a Cisco IOS firewall. In this task we create a basic CBAC configuration on the third router (R3) that lets internal hosts reach the server outside the network while blocking unsolicited traffic from outside.
After it is configured, the firewall is verified from both internal and external hosts.

Topology for Cisco Context-Based Access Control firewall

Device  Interface  IP Address    Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1   255.255.255.0    N/A
        S0/0/0     10.1.1.1      255.255.255.252  N/A
R2      S0/0/0     10.1.1.2      255.255.255.252  N/A
        S0/0/1     10.2.2.2      255.255.255.252  N/A
R3      Fa0/1      192.168.3.1   255.255.255.0    N/A
        S0/0/1     10.2.2.1      255.255.255.252  N/A
PC-A    NIC        192.168.1.3   255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.3   255.255.255.0    192.168.3.1

Router 3 configuration

hostname R3
!
no ip cef
no ipv6 cef
!
no ip domain-lookup
!
! Inspection rule IR: sessions started from inside open temporary return holes in ACL below
ip inspect name IR icmp audit-trail on timeout 3600
ip inspect name IR telnet audit-trail on timeout 3600
ip inspect name IR http audit-trail on timeout 3600
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 ip access-group ACL in
 ip inspect IR out
!
ip classless
ip route 192.168.3.0 255.255.255.0 10.2.2.2
ip route 10.2.2.0 255.255.255.252 10.2.2.2
ip route 10.1.1.0 255.255.255.252 10.2.2.2
ip route 192.168.1.0 255.255.255.0 10.2.2.2
!
ip flow-export version 9
!
! Block everything inbound on the external interface except what CBAC opens dynamically
ip access-list extended ACL
 deny ip any any
!
logging 192.168.1.3
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Verify firewall functionality

Open a Telnet session from PC-C to R2 and, while the session is active, run show ip inspect sessions on R3.

PC-C to PC-A: a ping is allowed but a Telnet session is refused.
PC-A to PC-C: all traffic is blocked.
The syslog server on PC-A logs all the attempts.

Task 12 Cisco Zone-Based Firewall

The Cisco Zone-Based Policy Firewall is a newer configuration model for Cisco IOS firewall policies on multi-interface routers.
It applies application-level firewall inspection between security zones and has a default deny-all policy that blocks traffic between zones unless a policy explicitly allows the desired traffic.

Device  Interface  IP Address    Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1   255.255.255.0    N/A
        S0/0/0     10.1.1.1      255.255.255.252  N/A
R2      S0/0/0     10.1.1.2      255.255.255.252  N/A
        S0/0/1     10.2.2.2      255.255.255.252  N/A
R3      Fa0/1      192.168.3.1   255.255.255.0    N/A
        S0/0/1     10.2.2.1      255.255.255.252  N/A
PC-A    NIC        192.168.1.3   255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.3   255.255.255.0    192.168.3.1

Router 3 configuration

hostname R3
!
enable secret 5 $1$mERr$TfFTxE.mmb5O5BVC56ndL0
!
spanning-tree mode pvst
!
! Class map: traffic sourced from the inside LAN (ACL 101)
class-map type inspect match-all INclassMAP
 match access-group 101
!
! Policy map: statefully inspect that traffic so return packets are allowed back in
policy-map type inspect POLICYmap
 class type inspect INclassMAP
  inspect
!
zone security INzone
zone security OUTzone
zone-pair security ZONEpair source INzone destination OUTzone
 service-policy type inspect POLICYmap
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security INzone
 duplex auto
 speed auto
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 zone-member security OUTzone
!
ip classless
ip route 10.2.2.0 255.255.255.252 10.2.2.2
ip route 10.1.1.0 255.255.255.252 10.2.2.2
ip route 192.168.1.0 255.255.255.0 10.2.2.2
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
line con 0
 exec-timeout 0 0
 password ciscoconpa55
 logging synchronous
 login
line aux 0
!
line vty 0 4
 exec-timeout 0 0
 password ciscovtypa55
 login
!
end

No zone pair is defined from OUTzone to INzone, so the default deny applies to anything initiated from outside.

Test firewall functionality from the INSIDE zone to the OUTSIDE zone:
1. Ping from PC-C to PC-A.
2. Open a Telnet session from PC-C to R2.
3. On Router 3, issue show policy-map type inspect zone-pair sessions to see the inspected sessions.

Test firewall functionality from the OUTSIDE zone to the INSIDE zone:
1. From the PC-A server command prompt, ping PC-C.
2. From router R2, ping PC-C.
Both are expected to fail, since no policy permits traffic initiated from OUTzone towards INzone.

Task 13 Fortinet Unified Threat Management

Fortinet Unified Threat Management is a security management tool that lets an administrator monitor and manage all the security-related applications and components of the infrastructure from one graphical user interface console. [7] Fortinet (2017, October 12).

Steps to configure Fortinet IPS:

1. Intrusion Protection is configured by choosing Security Profiles and clicking Intrusion Protection.
   Figure 13.1 The administrator can choose which signatures to allow or deny
2. Data leak prevention is another way to filter out security threats; it has a sensor-based scanner with which an administrator specifies the content to look for in incoming information.
   Figure 13.2 Data leak prevention in Security Profiles
3. VPN Tunnels are used to set up VPN connections.
   Figure 13.3 VPN tunnel configuration
   Figure 13.4 VPN tunnel authentication

Task 14 Cyberoam Unified Threat Management

Cyberoam Unified Threat Management provides strong security to businesses from small to large companies. It has a Layer 8 identity-based platform with multiple security features and uses an Extensible Security Architecture (ESA) to counter many kinds of security threats. [8] Sophos (2017).

Minimum system requirements:
- PC with a virtual machine (Hyper-V)
- 1 GB vRAM
- 2 virtual network interfaces (vNICs)
- Primary disk of 6 GB
- Auxiliary disk of 100 GB
- 1 serial port
- 1 USB port

Steps to configure Cyberoam UTM:

1. Download the Cyberoam installer from the website.
   Figure 14.1 Website of Cyberoam UTM
2. Install the Cyberoam firewall on a virtual machine, making sure the minimum system requirements are met.
   Figure 14.2 Login dialog box of Cyberoam
3. Run the virtual machine.
   Figure 14.3 Running virtual machine (Hyper-V)
4. On another virtual machine on the same computer (connected via VLAN), open Internet Explorer and go to http://172.16.16.16. Use admin as both the username and the password. These are the factory defaults and should be changed at first login, before the appliance is exposed to the network.
   Figure 14.4 Login page using the designated URL
5. After logging in, the dashboard displays the status of the firewall.
   Figure 14.5 Dashboard of Cyberoam UTM
6. Securing the Cyberoam firewall enables the user to configure appliance access thru a w