SEC321___Week_6___Network_Security___Firewalls.pdf.pdf

4/24/2020 Print content
https://www.practice-labs.com/authenticated/vNext/vn-print-content.aspx 1/60
SEC-321 Network Security Testing
Week 6 - Network Security - Firewalls
Introduction
Configuring NAT Firewall
Configuring Port Forwarding
Summary
Introduction
The Network Security – Firewalls module provides you with the instruction and computer hardware to develop
your hands on skills in the defined topics. This module includes the following exercises:
1) Configuring NAT Firewall
2) Configuring Port Forwarding
Lab Diagram
During your session you will have access to the following lab configuration.

Connecting to your lab
In this module you will be working on the following equipment to carry out the steps defined in each exercise.
SERVER (Domain Controller)
CLIENT (Workstation)
GATEWAY (Server)
ROUTER
LAMP (Web Server)
Each exercise will detail which console you are required to work on to carry out the steps.

To start simply click on the named Server or Workstation from the device list (located on the left hand side of the
screen) and click the Power on from the in tools bar. In some cases the devices may power on automatically.
During the boot up process an activity indicator will be displayed in the name tab:
Black - Powered Off
Blue - Working on your request
Green - Ready to access
If the remote console is not displayed automatically in the main window (or popup) click the Connect icon located in
the tools bar to start your session.
If the remote console does not appear please try the following option:
Switch between the HTML 5 and Java client versions in the tools bar.
In the event this does not resolve your connectivity problems please visit our Help / Support pages for additional
resolution options.
Copyright Notice
This document and its content is copyright of Practice-IT - © Practice-IT 2015. All rights reserved. Any redistribution
or reproduction of part or all of the contents in any form is prohibited other than the following:
1) You may print or download to a local hard disk extracts for your personal and non-commercial use only.
2) You may copy the content to individual third parties for their personal use, but only if you acknowledge the website
as the source of the material. You may not, except with our express written permission, distribute or commercially
exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval
system.

Exercise 1 - Configuring NAT Firewall
In this exercise, you will configure a device so that it performs Network Address Translation for an internal client to an
external destination.
Please refer to your course material or use your preferred search engine to research this topic in more detail.
Task 1: Install and Configure Routing and Remote Access
Step 1
Ensure you have powered on the required devices defined in the introduction. Connect to GATEWAY device.
Right-click on Roles and choose Add Roles.

Step 2
In Before you begin page, click Next.

Step 3
In Select Role Services, select Network Policy and Access Services. Click Next.

Step 4
In Network Policy and Access Services Introduction, click Next.

Step 5
In Select Role Services, click Routing and Remote Access Services.
Click Next.

Step 6
In Confirm Installation Selections click Install.

Step 7
In Installation Results, click Close.

Step 8
In Server Manager, expand:
Roles > Network Policy and Access > Routing and Remote Access
Right click on Routing and Remote Access and select Configure and Enable Routing and Remote Access.

Step 9
This will launch the RRAS Setup Wizard. Click Next.

Step 10
Select the Custom Configuration option. Click Next.

Step 11
Select NAT from the available options. Click Next.

Step 12
Finish the installation and click Start the service.

Step 13
Expand Routing and Remote Access.
Expand IPv4 > General

Step 14
Right-click NAT and select New Interface…

Step 15
Select Internal and click OK.

Step 16
In the configuration dialog, click OK.

Step 17
Right-click again on NAT and select New Interface…

Step 18
Select again Internal and click OK.

Step 19
In Network Address Translation, accept the default setting and click OK.

Step 20
Right-click again on NAT and choose New Interface…

Step 21
Select Internet and click OK.

Step 22
In the configuration dialog, select Public interface and check the Enable NAT on the interface box.
Click OK.
Minimize Server Manager.

Step 23
Using Putty located on the desktop launch a new SSH connection to the LAMP server. Double click the LAMP entry.

Step 24
Use the following user credentials:
Login as: administrator
Password: Pa$$w0rd

Step 25
Run the following:
netstat --tcp –c

Minimize Putty window.
Step 26
Connect to the CLIENT workstation and open a command prompt then type the following command:

C:>route add 192.168.1.1 192.168.0.3
Press Enter. Minimize command prompt.
Step 27

Click Start, right-click Internet Explorer then choose Internet Properties.
Step 28
From Internet Properties, click on the Connections tab, at the bottom you should see a button called LAN
Settings.

Step 29
Then clear the “Use proxy server for your LAN” check box. Click OK twice.

Step 30
Launch Internet Explorer. Click Ask me later in the Welcome to Internet Explorer screen.
Use the following url in the address bar http://192.168.1.1
You should see the DVWA site. Minimize Internet Explorer.

Step 31
Switch back to GATEWAY device. Restore putty window to LAMP.
When you see a record in the netstat output, press Ctrl+C to halt (if necessary, you can scroll up or down using
Shift+PgUp and Shift+PgDown).
Note the foreign address. The IP address is that of GATEWAY Internet interface (10.0.0.2) and the port is
approximately somewhere in the 60K range.

Minimize putty window.
Step 32
Reopen Server Manager. Go to Roles > Network Policy and Access Services > Routing and Remote Access >
IPv4. Click on NAT.
Find the Inbound packets translated (Internet) count has increased in the NAT details. Press F5 to refresh the
statistics.

This type of NAT is more properly described as "Port Address Translation" or "Network Address Port Translation"
because each local address is mapped to a single public IP address using ephemeral TCP ports. If you had lots of client
machines on your network they could all connect using the one router machine. It is also possible to set up 1:1 NAT or
dynamic NAT using the RRAS tool however.
Leave all devices powered on in their current state and proceed to the next exercise.

Exercise 2 - Configuring Port Forwarding
In this exercise, you will set up NAT to configure port forwarding.
Please refer to your course material or use your preferred search engine to research this topic in more detail.
Task 1: Setting up Port Forwarding
Step 1
Connect to SERVER device and open Server Manager, select Features, then click the Add Features link.

Step 2
Scroll down the list and check Telnet Server and click Next.

Step 3
In Confirm Installation Selections page, click Install.

Step 4
When installation is complete, click Close.

Step 5
In Server Manager, expand Configuration then select Services.
Locate Telnet service then right-click on it and select Properties.

Step 6
Change the Startup Type to Manual.
Click OK.

Step 7
Right-click the Telnet service again and select Start.

Step 8
Switch to CLIENT workstation and restore the command prompt window.
Type the following command:
telnet SERVER

Press Enter.
Step 9
Confirm that you can connect to the Telnet server (This may take several seconds).

Step 10
Switch to SERVER device, run from a command prompt:
netstat -p tcp

Note that CLIENT (192.168.0.11:port number) is connected on SERVER’s (192.168.0.1) interface using TCP
port 23.
Minimize Command prompt window.
Step 11
Switch to GATEWAY device.

Restore the LAMP SSH console. Then run telnet 10.0.0.1
It should fail to connect. Minimize Putty window.
Step 12
Reopen Server Manager, expand
Roles > Network Policy and Access > Routing and Remote Access > IPv4 > NAT

Step 13
Right-click the Internet interface and select Properties.

Step 14
Select the Services and Ports tab.

Step 15
Check the Telnet Server box.
In the dialog, enter 192.168.0.1 as the private address and click OK.

Step 16
Back in Internet Properties, ensure that Telnet Server check box is selected. Click OK.

Step 17
Open a command prompt and type:
route add 192.168.1.1 192.168.0.3

Press Enter.
Step 18
Verify the new route that was added by typing:
route print

Press Enter. Find the new route that was added in the previous step.
Step 19
Go back to the SSH console of LAMP and run:

telnet 10.0.0.1
Note: If Putty hangs after adding the new route in Step 18, re-launch Putty from desktop. Sign back in using
credentials administrator and password is Pa$$w0rd
Telnet will not succeed in this connection attempt. Minimize putty window.

Step 20
Go back to Routing and Remote Access. In the NAT folder, right-click the Internet interface and select Show
Mappings.
Note: You may need to press F5 to refresh the settings.
If the Show mappings display zero value, go back to CLIENT device and refresh the DVWA web page by pressing
F5, then retry this Step 20.

Step 21
Note the mapping for port number for remote address 192.168.1.1 (LAMP).
Step 22
Switch to SERVER, from the command prompt run:

netstat -p tcp
Note the foreign address is not being changed by port forwarding.
Shutdown all virtual machines used in this lab, by using the power functions located in the Tools bar before
proceeding to the next module.

Alternatively you can log out of the lab platform.
Summary
In this module you completed the following tasks:
Configured and tested NAT
Configured and tested Port Forwarding

SEC321___Week_6___Network_Security___Firewalls.pdf.pdf

Recommended

Recommended

More Related Content

Similar to SEC321___Week_6___Network_Security___Firewalls.pdf.pdf

Similar to SEC321___Week_6___Network_Security___Firewalls.pdf.pdf (20)

Recently uploaded

Recently uploaded (20)

SEC321___Week_6___Network_Security___Firewalls.pdf.pdf