8/22/2019 IT 216 Final Group 3
http://slidepdf.com/reader/full/it-216-final-group-3 1/32
Environment Configuration
Servers | Routers | Firewalls | IPs
Created By:
Oliver Karr
Chad Brown
Matt Graham
[Network diagram]
Corp Servers (Corp.Group3.Tech):
GP3ADS001: AD-Domain Controller, DNS, DFS sync to GP3DFS001
GP3ADS002: AD-Domain Controller, DNS, DHCP
GP3DFS001: AD-Tools, DFS sync to GP3ADS001, Exchange 2010: HUB CA Mailbox, RDP-Manager
Client Machines: Win7-1, Win8-1, Win7-2
DMZ Servers (Group3.Tech):
GP3DMZDNS: WORKGROUP, Stand-alone DNS
GP3WEB001: WORKGROUP, Stand-alone IIS
GP3EML001: WORKGROUP, Exchange 2010: Edge Transport
Contents
Infrastructure
  Router: Cisco 4507
  Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5
  Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5
DMZ
  GP3WEB001 - 10.145.223.8
  GP3EML001 - 10.145.223.9
  GP3DMZDNS - 10.145.223.7
Internal Network
  GP3ADS001 - 10.145.243.10
  GP3ADS002 - 10.145.243.11
  GP3DFS001 - 10.145.243.52
  C1 - Set to DHCP
  C2 - Set to DHCP
  C3 - Set to DHCP
Testing Scenarios and Results
  Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5
  Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5
  Proxy Server:
  Web Server: GP3WEB001 - 10.145.223.8
  E-Mail Server: GP3EML001 - 10.145.223.9
  DNS: GP3DMZDNS - 10.145.223.7
  Configuring a Syslog Server: Installation and Configuration
  Active Directory: GP3ADS001 - 10.145.243.10
  Active Directory: GP3ADS002 - 10.145.243.11
  File Share Server: GP3DFS001 - 10.145.243.12
Infrastructure
Router: Cisco 4507
The router is preconfigured by ISP (AlanNET) with a public IP range of 10.145.200.131 to 140.
10.145.200.131 for MS-RDP (tested, takes authenticated user to GP3DFS001)
10.145.200.132 for WEB (
10.145.200.133 for DMZDNS
10.145.200.134 for DMZ EMAIL (Mail Enable tested, internal and outgoing mail)
10.145.200.135 for VPN PPTP
10.145.200.136 (Not Assigned)
10.145.200.137 (Not Assigned)
10.145.200.138 (Not Assigned)
10.145.200.139 (Not Assigned)
10.145.200.140 (Not Assigned)
Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5
a. “First Line of Defense” configured to route traffic to the DMZ servers and to the WAN port of Firewall 2.
a. Port Forwarding
b. 1:1 NAT
c. All outgoing traffic is auto-configured by pfSense.
b. Rules
a. WAN
Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5
1. Firewall 2 is configured to route traffic from the DMZ zone to the Private LAN.
2. VPN setup for PPTP
a. Configuration
3. Firewall 2 is also configured with Squid and SquidGuard to provide a proxy server for the clients,
as well as an active blacklist for websites that shouldn't be accessed.
a. Proxy Server Settings for client-side.
b. Configuration on firewall
c. Black List rule configuration settings
d. Testing SquidGuard
4. HAVP antivirus is also installed; it has been tested and confirmed working.
a. Anti-Virus status page
b. Anti-Virus Test Passed. Used www.eicar.org\download\eicar.com.txt
Installing and Configuring Snort:
Fig 1 – Configuring the interface and verifying that Snort is enabled and that blocking of attacks is
enabled.
Fig 2 – Configuring the global settings of Snort: installing and configuring the various rules (the Emerging
Threats rule, the automatic updates rule, and the logging and removal of blocked hosts rule).
Fig 3 – Under the If Settings tab and configuring the interface to these specific settings
Fig 4 – Under the Preprocessors tab, enabling the following options: “Collect Performance Statistics for this interface” & “Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol
anomalies”
Fig 5 – In the Preprocessors tab, enabling the following options under the “Portscan Settings”
section and in the “General Preprocessor Settings” section.
DMZ
GP3WEB001 - 10.145.223.8
1. Server 2008 R2 Service Pack 1
a. GP3WEB001 is not joined to a domain but instead left on WORKGROUP.
2. Enabled remote desktop NLA
3. Added local Administrator account for each administrator on the network.
a. Added each Administrator to the RDP-NLA access list
4. Firewall 1 has PAT set up to redirect port 80 traffic to the web server.
5. The web server is hosting the public website for our Group3.com.
6. Downloaded an HTML template and placed it within the C:\Inetpub\wwwroot directory
a. The IIS default website, created during installation, is using the Index.html file of the
template to display our website
b. An A record in corp.group3.tech was created to point to the DMZWEB server. Later a
group policy will be created to have all users' default homepage load as our website.
i. Corpweb 10.145.223.8
c. The website is accessible from the public and other Group# companies.
d. Once our DMZDNS is registered with AlanNet our A and MX records will lead our public
searchers to our website.
GP3EML001 - 10.145.223.9
1. Server 2008 R2 Service Pack 1
a. GP3EML001 is not joined to a domain but instead left on WORKGROUP.
b. The Network is set to group3.tech (see the two images below)
2. Enabled remote desktop NLA
3. Added local administrator account for each administrator on the network.
a. Also added each admin to the RDP-NLA access list
4. Installed Exchange 2010
a. Edge Transport Role with Management Tools
i. Once the Transport role is installed, the remaining steps are completed by the HUB
Transport in the corp VLAN. Use the following command
“New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"” to generate a subscription on the
Edge; this is how the HUB can control the Edge server. Copy the XML file to
GP3DFS001 and import the Edge server.
b. Firewall 1 has PAT\NAT set up to redirect port 25 traffic to the email server
10.145.223.9.
c. Ensure either the HOSTS file or DMZDNS is modified with the entry 10.145.223.6 GP3DFS001
d. Ensure FW2 has DNS port 53 and port 586 forwarded to the LAN address (not a specific
machine)
i. This allows both DNS servers to listen and the Exchange Hub Role to listen as
well.
5. Roles Installed - Active Directory Lightweight Directory Services, Web Server (IIS)
6. Features Installed - RPC over HTTP Proxy, Remote Server Administration Tools, Role
Administration Tools, AD DS and AD LDS Tools, AD DS Snap-Ins and Command-Line Tools, Active
Directory Administrative Center, Server for NIS Tools, AD LDS Snap-Ins and Command-Line Tools,
Active Directory module for Windows PowerShell, Web Server (IIS) Tools, Windows Process
Activation Service, Process Model, .Net Environment, Configuration APIs, .Net Framework 3.5.1
Features
GP3DMZDNS - 10.145.223.7
1. Server 2008 R2 Service Pack 1
a. GP3EML001 is not joined to a domain but instead left on WORKGROUP.
b. The Network is set to group3.tech (see the two images below)
2. Enabled remote desktop NLA
3. Added local administrator account for each administrator on the network.
a. Also added each admin to the RDP-NLA access list
4. DNS is installed as a standalone server, as it is not joined to the domain.
a. The TCP/IP DNS settings are set to itself and 8.8.8.8 (Google DNS).
b. The Zone Transfer is set to Any Server.
i. The corp DNS is set up to pull this server’s DNS entries as a STUB zone.
c. Each A-Record is created manually as the servers do not create or update the records as
they change.
5. Roles Installed - DNS Server
6. Features Installed - Remote Server Administration Tools, Role Administration Tools, DNS Server
Tools
7. Created A records for:
a. Each DMZ server
b. Corpweb, internal website
c. pfSense, to easily access the pfSense firewall
Internal Network
GP3ADS001 - 10.145.243.10
1. Server 2008 R2 Service Pack 1
2. Active Directory
a. Domain Name: Corp.Group3.Tech
3. DNS (primary)
4. File Services
a. Distribution File Services
i. Uses 2nd HDD for DFS replication to GP3DFS001 and hosts
\\corp.group3.tech\cloud namespace
GP3ADS001 is the first Domain Controller for Corp.Group3.tech. All 5 of the FSMO roles are
present on this server, as Exchange had issues installing when the Infrastructure Operation
Master was on GP3ADS002. DNS is installed for Active Directory. These records, for the most
part, are updated as machines are added and removed. A few additional configurations were
adding the reverse lookup zones for the CORP and DMZ networks and adding “STUB” zones for the
DMZ (ensure the DMZ DNS Name Server IP is not the loopback). Distributed File Services is
installed and replicated to GP3DFS001.
GP3ADS002 - 10.145.243.11
1. Server 2008 R2 Service Pack 1
2. Active Directory
a. Domain Name: Corp.Group3.Tech
3. Enabled remote desktop NLA
4. DNS (secondary)
5. DHCP
a. Subnet: 10.145.243.50 – 100
b. DNS: 10.145.243.10, 10.145.243.11
c. Gateway set to 10.145.243.5
GP3DFS001 - 10.145.243.52
1. Server 2008 R2 Service Pack 1
2. Features Installed - RPC over HTTP Proxy, Remote Server Administration Tools, Role
Administration Tools, AD DS and AD LDS Tools, AD DS Snap-Ins and Command-Line Tools, Active
Directory Administrative Center, Server for NIS Tools, Active Directory Module for Windows
PowerShell, File Services Tools, Distributed File System Tools, Web Server (IIS) Tools, Feature
Administration Tools, Failover Clustering Tools, Telnet Client, Windows Process Activation
Service, Process Model, .NET Environment, Configuration APIs, .NET Framework 3.5.1 Features,
WCF Activation, HTTP Activation, Non-HTTP Activation
3. Active Directory Services Installed (not a DC)
a. Domain Name: Corp.Group3.Tech
4. Enabled remote desktop NLA
a. Firewall 1 passes port 3389 from internet to Firewall2 WAN. Firewall2 passes 3389 from
DMZ WAN to GP3DFS001. From here we can manage the whole environment.
5. Install Remote Desktop Manager from Microsoft.com
a. Configure RDP list for EACH server and Client
6. Install role DFS
a. GP3DFS001 is a Distributed File Server with GP3ADS001
7. Install Exchange 2010 HUB, CA & Mailbox Roles
a. Sync with GP3EML001 in the DMZ using the Edge generated sub transcript.
b. The HUB server is the only way to edit the settings on the Edge Transport server.
c. Added the additional SMTP receive connectors (FQDN) and send connectors (FQDN).
d. Ensure DNS can resolve from Corp to DMZ (edge server IP) Corp to Internet and DMZ to
Internet.
i. Use PING and NSLOOKUP commands to test\diagnose.
NOTE: Exchange successfully sent mail internally and to internet email accounts e.g. Gmail or
Hotmail.
C1 - Set to DHCP
1. Windows 7: Service Pack 1
a. Joined To Domain: Corp.Group3.Tech
2. Enabled remote desktop NLA
3. Installed Office
a. Outlook – Auto config to mailbox per user account upon first open
C2 - Set to DHCP
1. Windows 7: Service Pack 1
a. Joined To Domain: Corp.Group3.Tech
2. Enabled remote desktop NLA
3. Installed Office
a. Outlook – Auto config to mailbox per user account upon first open
C3 - Set to DHCP
1. Windows 8:
a. Joined To Domain: Corp.Group3.Tech
2. Enabled remote desktop NLA
3. Installed Office
a. Outlook – Auto config to mailbox per user account upon first open
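Added example (not part of the original report): a consistency check over the internal address plan listed above, comparing the addresses given in the section headings against the DHCP scope and options configured on GP3ADS002. The /24 mask and the treatment of heading addresses as fixed assignments are assumptions; the report states neither.

```python
import ipaddress
from collections import defaultdict

# Addresses copied from this report's headings. GP3DFS001 is listed as .52 in
# the Internal Network section and as .12 in the test section, so both appear.
LISTED = [
    ("Firewall 2 LAN", "10.145.243.5"),
    ("GP3ADS001", "10.145.243.10"),
    ("GP3ADS002", "10.145.243.11"),
    ("GP3DFS001", "10.145.243.52"),
    ("GP3DFS001", "10.145.243.12"),
]
DHCP_SCOPE = ("10.145.243.50", "10.145.243.100")   # scope on GP3ADS002
DHCP_OPTIONS = {"gateway": ["10.145.243.5"],
                "dns": ["10.145.243.10", "10.145.243.11"]}
# Assumption: the report gives no subnet mask; /24 is used for illustration.
LAN = ipaddress.ip_network("10.145.243.0/24")


def audit(listed, scope, options, lan):
    """Return (finding, subject, detail) tuples for the address plan."""
    lo, hi = (ipaddress.ip_address(a) for a in scope)
    by_host, by_ip = defaultdict(set), defaultdict(set)
    findings = []
    for host, addr in listed:
        ip = ipaddress.ip_address(addr)
        by_host[host].add(ip)
        by_ip[ip].add(host)
        if ip not in lan:
            findings.append(("outside-lan", host, addr))
        # A fixed address inside the scope can collide with a lease unless
        # it is covered by a reservation or an exclusion range.
        if lo <= ip <= hi:
            findings.append(("inside-dhcp-scope", host, addr))
    for host, ips in by_host.items():
        if len(ips) > 1:      # same host documented with different addresses
            detail = ",".join(str(i) for i in sorted(ips))
            findings.append(("conflicting-addresses", host, detail))
    for ip, hosts in by_ip.items():
        if len(hosts) > 1:    # two hosts documented with the same address
            findings.append(("duplicate-address", str(ip), ",".join(sorted(hosts))))
    for option, addrs in options.items():
        for addr in addrs:    # DHCP options should point at documented hosts
            if ipaddress.ip_address(addr) not in by_ip:
                findings.append(("option-target-unlisted", option, addr))
    return findings


if __name__ == "__main__":
    for finding in audit(LISTED, DHCP_SCOPE, DHCP_OPTIONS, LAN):
        print(*finding, sep="\t")
```

Run against the values in this report, it flags GP3DFS001 twice: once for sitting inside the 10.145.243.50 – 100 scope and once for being documented with two different addresses.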
Testing Scenarios and Results
Objectives: Testing the Infrastructure of Firewall #1, Firewall #2, Web Server, DNS Server,
Internal Network, Active Directory Server, DHCP, VPN, E-Mail, Proxy Server with Anti-Virus
Installed, Accessing The Group 3 Website & Installing and Configuring a Syslog Server
Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5
Accessing Firewall #1 through pfSense
Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5
Accessing Firewall #2 through pfSense
Proxy Server:
HAVP is set up properly and is fully operational
After trying to gain access to an inappropriate website we can see that, just
like HAVP, SquidGuard is set up properly and is fully operational
Web Server: GP3WEB001 - 10.145.223.8
On the web server, running a trace route to group3.tech from the command
prompt
Accessing the Group 3 website http://www.group3.tech
E-Mail Server: GP3EML001 - 10.145.223.9
Sent and received E-mail between Group 3 and Group 1
E-Mail sent, received and replied to [email protected]
DNS: GP3DMZDNS - 10.145.223.7
Using the command prompt on the web server to ping the DNS machine “GP3DMZDNS - 10.145.223.7”
On the DNS machine “GP3DMZDNS - 10.145.223.7”, viewing the A records from the Server Manager
Configuring a Syslog Server: Installation and Configuration
Configure remote logging from the internal and external firewalls
Configure pfSense Firewall 2 with a LAN and WAN rule allowing port 514
to send to the DMZDNS server. “Please Note: Had to create a rule to
allow Port #514 through WAN”
Checked statistics to make sure the syslog server is receiving logs from both
firewalls
Active Directory: GP3ADS001 - 10.145.243.10
Accessing the Server Manager on the Active Directory machine “GP3ADS001
- 10.145.243.10” and showing that all the necessary roles are installed
Active Directory: GP3ADS002 - 10.145.243.11
DHCP
Accessing the Server Manager on the Active Directory machine “GP3ADS002
- 10.145.243.11” and showing that the DHCP Server is correctly configured
File Share Server: GP3DFS001 - 10.145.243.12
Distributed File System installed as a role, with Corp.Group3.Tech successfully
replicated under the sub-folder entitled Cloud1
Remote Desktop Hub to environment