
Date: 2023-10-29 10:55

Assignment 2: Network Configuration and Security

Goals

The purpose of this assignment is to:

1. Demonstrate an understanding of network topology setup and firewall configurations.

2. Test network security by conducting vulnerability assessments.

3. Implement and verify access control rules and Deep Packet Inspection (DPI) measures.

Software Needed:

1. GNS3 Software

2. GNS3 VM for VMware Workstation and Fusion

3. VMware Workstation Player for Windows OR VMware Fusion Player for Mac (Mac users: create an account on VMware's website to start the application trial.)

4. Kali Linux Live Images

5. Request access for the images here

Topology, Steps, and Configurations:

1. Set the IP address of the loopback interface on your machine to 192.168.10.11 with a subnet mask of 255.255.255.0.

2. In GNS3, create a new project and connect the network topology as shown. All appliances should run on the GNS3 VM, except for the cloud node that connects to the ASA management interface: that node has to run on the GNS3 local server so that it can bridge to the loopback interface you configured in step 1.

3. Start the Cisco ASAv and wait until it is fully loaded. Enter the following commands in the ASA CLI (console):

ciscoasa> enable
Password: ciscocisco1
Retype password: ciscocisco1
ciscoasa# conf t
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# management-only
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 192.168.10.10 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# asdm image boot:/asdm-7181152.bin
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# username cisco password ciscocisco privilege 15
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.10.11 255.255.255.255 management
ciscoasa(config)# write memory

Note that asdm image and the commands after it are global configuration commands, hence the exit back to the (config)# prompt. The http line restricts ASDM access to your loopback address only; management-only prevents through-traffic on the management interface.

4. Download and install Java (the ASDM-IDM Launcher used in step 7 requires a Java runtime).

5. Ensure connectivity from your local machine to the FW management IP by running ping 192.168.10.10 in a Windows command prompt (cmd). If it succeeds, proceed to the next step; if not, check your loopback interface and the GNS3 topology connections.

6. Open a web browser and connect to the FW management IP using the URL https://192.168.10.10/admin/public/index.html. Click "Install ASDM Launcher" and follow the prompts to complete the installation.

7. On your local machine, open the "ASDM-IDM Launcher" application and enter the IP address of the FW management interface together with the username and password you created in step 3.

8. If successful, you will access the FW dashboard.

9. Return to the FW CLI interface (FW Console) and enter the following commands:

ciscoasa> enable
Password: ciscocisco1
ciscoasa# conf t
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.10.10.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address dhcp setroute
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface GigabitEthernet0/2
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 172.16.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# write memory
ciscoasa(config)# show route

The security levels are what drive the default policy: with no access rules, the ASA permits connections from a higher-security interface to a lower one (inside 100 and DMZ 50 towards outside 0) and denies connections in the opposite direction. The setroute keyword installs the default route learned from DHCP on the outside interface.

10. Ensure that the output of the last command matches the expected route information.

S*  0.0.0.0 0.0.0.0 [1/0] via 192.168.122.1, outside
C   10.10.10.0 255.255.255.0 is directly connected, inside
L   10.10.10.1 255.255.255.255 is directly connected, inside
C   172.16.1.0 255.255.255.0 is directly connected, DMZ
L   172.16.1.1 255.255.255.255 is directly connected, DMZ
C   192.168.122.0 255.255.255.0 is directly connected, outside
L   192.168.122.x 255.255.255.255 is directly connected, outside

11. Configure the IP addresses of the Inside-Host, DMZ-Host, and Kali Linux as follows (replace 'x' with your assigned number from the bonus sheet):

● Inside-Host: IP address 10.10.10.x, subnet mask 255.255.255.0, default gateway 10.10.10.1

● DMZ-Host: IP address 172.16.1.x, subnet mask 255.255.255.0, default gateway 172.16.1.1

● Kali Linux: leave the automatic DHCP setting as it is and check that it has obtained an address in the 192.168.122.0/24 range using ifconfig (or ip addr).

12. Check connectivity from each host to its corresponding interface using the Ping tool.

13. On the ASAv CLI, configure one-to-one static NAT for the two hosts. The nat command takes network objects rather than bare addresses, so each host is defined as a network object and the static mapping is attached to it (replace 'Inside-Host-IP' and 'DMZ-Host-IP' with the respective real IPs):

ciscoasa> enable
Password: ciscocisco1
ciscoasa# conf t
ciscoasa(config)# object network Inside-Host
ciscoasa(config-network-object)# host Inside-Host-IP
ciscoasa(config-network-object)# nat (inside,outside) static 192.168.122.250
ciscoasa(config-network-object)# object network DMZ-Host
ciscoasa(config-network-object)# host DMZ-Host-IP
ciscoasa(config-network-object)# nat (DMZ,outside) static 192.168.122.249
ciscoasa(config-network-object)# exit
ciscoasa(config)# write memory

Both mapped addresses live in the outside subnet, so the ASA will answer ARP for them on GigabitEthernet0/1 and Kali can reach the hosts through 192.168.122.250 and 192.168.122.249 once access rules permit it.

14. Your topology is now up and running. Proceed to the assignment tasks.
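Before starting the tasks it is worth confirming the build from the ASA CLI rather than from the hosts. The following is an added check, not part of the original assignment; the addresses 10.10.10.5 (Inside-Host), 172.16.1.5 (DMZ-Host) and 192.168.122.50 (Kali) are assumed stand-ins for whatever your 'x' values are, and 8.8.8.8 is an arbitrary internet destination. packet-tracer pushes a synthetic packet through the ASA's pipeline (route lookup, NAT, access rules, security-level check) and reports the phase in which it is allowed or dropped, so it shows the default policy without touching any host:

```text
ciscoasa# show interface ip brief
ciscoasa# show nat detail
ciscoasa# packet-tracer input inside tcp 10.10.10.5 40000 8.8.8.8 80
ciscoasa# packet-tracer input DMZ tcp 172.16.1.5 40000 8.8.8.8 80
ciscoasa# packet-tracer input outside tcp 192.168.122.50 40000 192.168.122.249 445
ciscoasa# packet-tracer input outside tcp 192.168.122.50 40000 192.168.122.250 445
```

The two outbound traces should end with "Action: allow" and their NAT phase should show the source rewritten to 192.168.122.250 and 192.168.122.249 respectively: inside and DMZ sit above outside in security level, so the ASA permits them without an access rule and creates a connection entry that lets the reply traffic back in. The two inbound traces should end with "Action: drop" and a reason of the form "(acl-drop) Flow is denied by configured rule", because outside is the lowest-security interface and no access-group is applied to it, so the implicit deny wins. If an outbound trace fails at the route phase, re-check the output of show route from step 10; if it fails at the NAT phase, re-check the object definitions from step 13. Exact phase names vary between ASA versions, but the final Action line is what matters.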

Assignment Tasks:

1. Demonstrate that the Inside-Host and DMZ-Host can access the internet without any access rules configured.

2. Prove that the Kali Linux machine cannot access any port on either the Inside-Host or the DMZ-Host.

3. Configure an access rule that allows the Kali Linux machine to reach port 445 (SMB) and port 135 (MSRPC endpoint mapper) on the DMZ-Host.

4. Demonstrate that the Kali Linux machine can now access those ports on the DMZ-Host.

5. Use the Metasploit framework on the Kali Linux machine to show that the DMZ-Host is vulnerable to MS17-010.

6. Exploit MS17-010 on the DMZ-Host from the Kali Linux machine using the default Meterpreter payload (reverse TCP).

7. Show that upon successful exploitation the DMZ-Host has initiated a connection to the Kali Linux machine. Explain why this connection succeeds even though no access rule is configured to allow it.

8. Use the DPI capabilities of the Cisco ASA to configure the following rules:

● Allow ICMP traffic across the FW.

● Filter DNS queries whose type field is "A".

● Filter the HTTP "GET" method.

9. Provide evidence that each of the above DPI rules is working correctly.
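For reference, the following shows how Tasks 3 and 8 map onto ASA configuration. It is an added example, not part of the assignment text, written as a configure-terminal fragment without prompts; the addresses 192.168.122.50 (Kali) and 172.16.1.5 (DMZ-Host) and the names OUTSIDE_IN, DNS_NO_A and HTTP_NO_GET are assumptions. Two details matter. On ASA 8.3 and later, access rules are written against the real (untranslated) address of the DMZ host, not its 192.168.122.249 mapping. The DPI rules are Modular Policy Framework inspection policy maps attached to the default global service policy:

```text
! --- Task 3: let Kali reach 445/tcp and 135/tcp on the DMZ-Host ---
! Real (pre-NAT) DMZ address in the ACL, not the 192.168.122.249 mapping.
access-list OUTSIDE_IN extended permit tcp host 192.168.122.50 host 172.16.1.5 eq 445
access-list OUTSIDE_IN extended permit tcp host 192.168.122.50 host 172.16.1.5 eq 135
access-group OUTSIDE_IN in interface outside
!
! --- Task 8: DPI via Modular Policy Framework ---
! Make the "log" part of the actions below visible in "show logging".
logging enable
logging buffered informational
!
! DNS: drop queries whose type field is A; other record types still pass.
policy-map type inspect dns DNS_NO_A
 parameters
  message-length maximum 512
 match dns-type eq a
  drop log
!
! HTTP: tear down any connection that carries a GET request.
policy-map type inspect http HTTP_NO_GET
 parameters
 match request method get
  drop-connection log
!
! Attach everything to the default global policy. "inspect icmp" makes ICMP
! stateful so echo replies are allowed back in; the custom DNS map replaces
! the preset one (only one DNS map can be active in a class).
policy-map global_policy
 class inspection_default
  inspect icmp
  no inspect dns preset_dns_map
  inspect dns DNS_NO_A
  inspect http HTTP_NO_GET
!
service-policy global_policy global
```

Evidence for Task 9 comes from the ASA as much as from the hosts: show access-list OUTSIDE_IN shows per-rule hit counts, show service-policy inspect dns and show service-policy inspect http show drop counters that should increment as you run nslookup and curl from a host, and show logging shows the syslog lines produced by the log actions. packet-tracer input outside tcp 192.168.122.50 40000 192.168.122.249 445 should now end in "Action: allow". For Task 7, show conn while the Meterpreter session is up lists the DMZ-Host-to-Kali connection, and packet-tracer input DMZ tcp 172.16.1.5 40000 192.168.122.50 4444 (4444 being Metasploit's default reverse-TCP port) shows which phase permits it. Three caveats: inspect icmp only lets replies return to the side that sent the echo request, so pings from Kali into the DMZ or inside still need their own OUTSIDE_IN entries; HTTP inspection sees only cleartext traffic on port 80, so a GET over HTTPS is not filtered; and the DNS rule drops only A queries, so AAAA lookups and cached answers on the Windows hosts (clear them with ipconfig /flushdns) can make the rule look ineffective when it is not.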

Please follow these instructions carefully to complete your assignment. If you have any questions or need further assistance, don't hesitate to reach out.

Good luck with your assignment!

