A.2.2 Pro Domain 2: Physical and Network Security
The Fiji router has been configured with Standard IP Access List 11. The access list is applied to the Fa0/0 interface. The access list must allow all traffic except traffic coming from hosts 192.168.1.10 and 192.168.1.12. However, you've noticed that it's preventing all traffic from being sent on Fa0/0. You remember that access lists contain an implied deny any statement. This means that any traffic not permitted by the list is denied. For this reason, access lists should contain at least one permit statement or all traffic is blocked. In this lab, your task is to: Add a permit any statement to Access List 11 to allow all traffic other than the restricted traffic. Save your changes in the startup-config file.
From the exhibit, select the Fiji router. From the terminal, press Enter. Type enable and then press Enter. Type config term and then press Enter. Type access-list 11 permit any and press Enter. Press Ctrl + Z. Type copy run start and then press Enter. Press Enter to begin building the configuration. Press Enter.
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by creating an access control list. You have been asked to prevent video game consoles from connecting to the switch. In this lab, your task is to: Create a MAC-based ACL named GameConsoles. Configure the GameConsoles MAC-based access control entry (ACE) settings as follows Bind the GameConsoles ACL to all of the GE1-GE30 interfaces. Save the changes to the switch's startup configuration file. Use the default settings.
From the Getting Started page, under Quick Access, select Create MAC-Based ACL. Select Add. In the ACL Name field, enter GameConsoles Click Apply and then click Close. Select MAC-Based ACE Table. Select Add. Enter the priority. Select the action. For Destination MAC Address, make sure Any is selected. For Source MAC Address, select User Defined. Enter the source MAC address value. Enter the source MAC address mask. Click Apply. Repeat steps 2c-2i for additional ACE entries. Click Close. From the left pane, under Access Control, select ACL Binding (Port). Select GE1. At the bottom of the window, select Edit. Click Select MAC-Based ACL. Select Apply and then select Close. Select Copy Settings. In the Copy configuration's to field, enter 2-30. Click Apply. From the top of the window, select Save. Under Source File Name, make sure Running configuration is selected. Under Destination File Name, make sure Startup configuration is selected. Click Apply. Click OK.
You are a network technician for a small corporate network. You want to take advantage of the self-healing features provided by the small enterprise wireless solution you've implemented. You're already logged in as WxAdmin on the Wireless Controller console from ITAdmin. In this lab, your task is to: Configure self-healing on the wireless network.Automatically adjust AP radio power to optimize coverage when interference is present.Set 2.4 GHz and 5 GHz radio channels to use the Background Scanning method to adjust for interference. Configure the background scanning needed for rogue device detection, AP locationing, and self-healing. Background scans should be performed on all radios every 30 seconds. Configure load balancing for all radios by adjusting the threshold to 40 dB. Configure band balancing to allow no more than 30% of clients to use the 2.4 GHz radios. Reduce the power levels to -3 dB for three access points in Building A to reduce RF emanations. Use the wireless survey results in the exhibit to identify the access points.
From the top, select the Configure tab. From the left menu, select Services. Under Self-Healing, select Automatically adjust AP radio power to optimize coverage when interference is present. Using the Automatically adjust 2.4GHz channels using drop-down menu, select Background Scanning from the drop-down menu. Using the Automatically adjust 5GHz channels using drop-down menu, select Background Scanning from the drop-down menu. On the right, select Apply. Select Run a background scan on 2.4GHz radio. Enter 30 seconds. Select Run a background scan on 5GHz radio. Enter 30 seconds. On the right, select Apply. Select Run load balancing on 2.4GHz radio. In the Adjacent radio threshold(dB) field, enter 40. Select Run load balancing on 5GHz radio. In the Adjacent radio threshold(dB) field, enter 40. On the right, select Apply. Select Percent of clients on 2.4GHz radio. Enter the 30. On the right, select Apply. From the left menu, select Access Points. From the top right, select Exhibit to determine which access points to adjust. Select Edit next to the access point to be modified. Under Radio B/G/N(2.4G) next to TX Power, make sure Override Group Config is selected. From the TX Power drop-down list, select -3dB (1/2). Under Radio A/N/AC(5G) next to TX Power, make sure Override Group Config is selected. From the TX Power drop-down list, select -3dB (1/2). Select OK. Repeat steps 5b - 5h for additional access points.
You work as the IT security administrator for a small corporate network. Occasionally, you and your co-administrators need to access internal resources when you are away from the office. You would like to set up a Remote Access VPN using pfSense to allow secure access. In this lab, your task is to use the pfSense wizard to create and configure an OpenVPN Remote Access server using the following guidelines: Sign in to pfSense using:Username: adminPassword: P@ssw0rd (zero) Create a new certificate authority certificate using the following settings:Name: CorpNet-CACountry Code: GBState: CambridgeshireCity: WoodwaltonOrganization: CorpNet Create a new server certificate using the following settings:Name: CorpNetCountry Code: GBState: CambridgeshireCity: Woodwalton Configure the VPN server using the following settings:Interface: WANProtocol: UDP on IPv4 onlyDescription: CorpNet-VPNTunnel network IP: 198.28.20.0/24Local network IP: 198.28.56.18/24Concurrent Connections: 4DNS Server 1: 198.28.56.1 Configure the following:A firewall ruleAn OpenVPN rule Set the OpenVPN server just created to Remote Access (User Auth). Create and configure the following standard remote VPN users:
In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. From the pfSense menu bar, select VPN > OpenVPN. From the breadcrumb, select Wizards. Under Select an Authentication Backend Type, make sure Local User Access is selected. Select Next. For Descriptive Name, enter CorpNet-CA. For Country Code, enter GB. For State, enter Cambridgeshire. For City, enter Woodwalton. For Organization, enter CorpNet. Select Add new CA. For Descriptive Name, enter CorpNet. Verify that all of the previous changes (Country Code, State/Providence, and City) are the same. Use all other default settings. Select Create new Certificate. Under General OpenVPN Server Information: Use the Interface drop-down menu to select WAN. Verify that the Protocol is set to UDP on IPv4 only. For Description, enter CorpNet-VPN. Under Tunnel Settings: For Tunnel Network, enter 198.28.20.0/24. For Local Network, enter 198.28.56.18/24. For Concurrent Connections, enter 4. Under Client Settings, in DNS Server1, enter 198.28.56.1. Select Next. Under Traffic from clients to server, select Firewall Rule. Under Traffic from clients through VPN, select OpenVPN rule. Select Next. Select Finish. For the WAN interface, select the Edit Server icon (pencil). For Server mode, use the drop-down and select Remote Access (User Auth). Scroll to the bottom and select Save. From the pfSense menu bar, select System > User Manager. Select Add. Configure the User Properties as follows: Username: Username Password: Password Full name: Fullname Scroll to the bottom and select Save. Repeat steps 8b-8d to created the remaining VPN users.
As an IT administrator, you need to know how security breaches are caused. You know that SMAC is used for MAC spoofing, so you are going to spoof your MAC address. In this lab, your task is to complete the following: On Office2, use ipconfig /all and find the IP address and MAC address. Using SMAC, spoof the MAC address on ITAdmin to match that of Office2. Refresh the IP address on ITAdmin. Verify the MAC and IP address now match Office2.
Right-click Start and then select Windows PowerShell (Admin). From the Command Prompt, type ipconfig /all and press Enter. Find the MAC address. From the top navigation tabs, select Floor 1 Overview. Under IT Administration, select ITAdmin. In the Windows search bar, type SMAC. Under Best match, right-click SMAC and select Run as administrator. In the New Spoofed Mac Address field, type 00:00:55:55:44:15 (the MAC address from Office2). Select Update MAC. Select OK to confirm the adapter restart. Right-click Start and select Windows PowerShell (Admin). From the Command Prompt, type ipconfig /renew to renew the IP address. Type ipconfig /all to confirm the MAC address and the IP address have been updated.
Based on a review of physical security at your office, you have recommended several improvements. Your plan includes installing smart card readers, IP cameras, signs, and an access log book. In this lab, your task is to: Implement your physical security plan by dragging the correct items from the shelf onto the various locations in the building. As you drag the items from the shelf, the possible drop locations are highlighted. To implement your plan, you must: Install two IP security cameras in the appropriate location to record which employees access the key infrastructure. The security cameras should operate over the TCP/IP network. Install the smart card key readers in the appropriate location to control access to key infrastructure. The key card readers should be contactless and record more information than the card's ID. Install a Restricted Access sign on the networking closet door to control access to the infrastructure. Install the visitor log on the lobby desk.
From the Shelf, expand CCTV Cameras. Drag the IP Security Camera from the shelf to the highlighted circle inside the networking closet. Drag the IP Security Camera from the shelf to the highlighted circle just outside the networking closet. From the Shelf, expand Door Locks. Drag a smart card reader from the shelf to the highlighted location outside the building's front door. Drag a smart card reader from the shelf to the highlighted location outside the networking closet's door. From the Shelf, expand Restricted Access Signs. Drag the Restricted Access sign from the shelf to the networking closet door. From the Shelf, expand Visitor Logs. Drag the visitor log from the shelf to the lobby desk.
You are in the process of configuring a new router. The router interfaces connect to the following networks: Only Telnet and SSH access from these three networks should be allowed. In this lab, your task is to: Use the access-list command to create a standard numbered access list using number 5. Add a permit statement for each network to the access list. Use the access-class command to apply the access list to VTY lines 0-4. Use the in direction to filter incoming traffic. Save your changes in the startup-config file.
From the exhibit, select the router. From the terminal, press Enter. Type enable and then press Enter. Type config term and then press Enter. Type access-list 5 permit 192.168.1.0 0.0.0.255 and then press Enter. Type access-list 5 permit 192.168.2.0 0.0.0.255 and then press Enter. Type access-list 5 permit 192.168.3.0 0.0.0.255 and then press Enter. Type line vty 0 4 and then press Enter. Type access-class 5 in and then press Enter. Press Ctrl + Z. Type copy run start and then press Enter. Press Enter to begin building the configuration. Press Enter.
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by restricting access management and by updating the switch's firmware. In this lab, your task is to: Create an access profile named MgtAccess and configure it with the following settings Set the MgtAccess profile as the active access profile. Save the changes to the switch's startup configuration file using the default settings. Update the firmware image to the latest version by downloading the firmware files found in C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros.
From the left pane, expand and select Security > Mgmt Access Method > Access Profiles. Select Add. Enter the Access Profile Name of MgtAccess. Enter the Rule Priority of 1. For Action, select Deny. Select Apply and then select Close. From the left pane, under Security > Mgmt Access Method, select Profile Rules. Select the MgtAccess profile and then select Add. Enter a Rule Priority of 2. For Management Method, select HTTP. For Applies to Source IP Address, select User Defined. For IP Address, enter 192.168.0.10. Enter the 255.255.255.0. Select Apply and then select Close. From the left pane, under Security > Mgmt Access Method, select Access Profiles. Use the Active Access Profile drop-down list to select MgtAccess. Select Apply. Select OK. At the top, select Save. For Source File Name, make sure Running configuration is selected. For Destination File Name, make sure Startup configuration is selected. Select Apply. Select OK. From the left pane, select Getting Started. Under Quick Access, select Upgrade Device Software. For File Name, select Choose File. Browse to and select C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros. Select Open. Select Apply. Select OK. From the left pane, under File Management, select Active Image. For Active Image After Reboot, use the drop-down menu to select Image 2. Select Apply. From the left pane under Administration, select Reboot. From the right pane, select Reboot. Select OK.
You are a network technician for a small corporate network. You just installed a Ruckus zone controller and wireless access points throughout your office buildings using wired connections. You now need to configure basic wireless network settings. In this lab, your task is to: Create a WLAN using the following settings:Name: CorpNet WirelessESSID: CorpNetType: Standard UsageAuthentication: OpenEncryption: WPA2Encryption algorithm: AESPassphrase: @CorpNetWeRSecure! Connect the Exec-Laptop in the Executive office to the new wireless network.
From the taskbar, open Chrome. In the URL field, enter 192.168.0.6 and press Enter. Maximize the window for easier viewing. In the Admin field, enter admin (case sensitive). In the Password field, enter password as the password. Select Login. Select the Configure tab. From the left menu, select WLANs. Under WLANs, select Create New. In the New Name field, enter the CorpNet Wireless. In the ESSID field, enter the CorpNet. Under Type, make sure Standard Usage is selected. Under Authentication Options, make sure Open is selected. Under Encryption Options, select WPA2. Under Algorithm, make sure AES is selected. In the Passphrase field, enter @CorpNetWeRSecure!. Select OK. Using the navigation tabs at the top of the screen, select Floor 1. Under Executive Office, select Exec-Laptop. In the notification area, select the wireless network icon to view the available networks. Select CorpNet. Select Connect. Enter @CorpNetWeRSecure! for the security key. Select Next. Select Yes to make the computer discoverable on the network. The CorpNet network now shows as being connected and secured.
You are a network technician for a small corporate network. You would like to enable Wireless Intrusion Prevention on the wireless controller. You are already logged in as WxAdmin. In this lab, your task is to: Configure the wireless controller to protect against denial-of-service (DOS) attacks as follows:Protect against excessive wireless requests.Block clients with repeated authentication failures for two minutes (120 seconds). Configure Intrusion Detection and Prevention as follows:Report all rogue devices regardless of type.Protect the network from rogue access points. Enable Rogue DHCP Server Detection.
From the taskbar, open Google Chrome. In the URL field, enter 192.168.0.6 and press Enter. Maximize the window for easier viewing. Select the Configure tab. From the left menu, select WIPS. Under Denial of Services(DoS), select Protect my wireless network against excessive wireless requests. Select Temporarily block wireless clients with repeated authentication failures. Enter 120 seconds. On the right, select Apply. Under Intrusion Detection and Prevention, select Enable report rogue devices. Select Report all rogue devices. Select Protect the network from malicious rogue access points. On the right, select Apply. Select Enable rogue DHCP server detection and then select Apply.
You are the IT security administrator for a small corporate network. You need to increase the networking closet's security by implementing a CCTV system with IP cameras. As part of this task, you need to separate the CCTV data traffic on the network using a separate VLAN on the switch. The patch panel connections for the networking closet, lobby, and IT administration office are installed and ready for use (ports 18-20). A DHCP server is already configured to provide the IP cameras and the laptop in the IT administration office with the correct TCP/IP settings (port 21). For an easier implementation, create the logical VLAN first and then establish the physical connections of the IP cameras and the laptop. In this lab, your task is to perform the following: Access the switch management console from ITAdmin using the following credentials:Address: http://192.168.0.2Username: ITSwitchAdminPassword: Admin$only (the password is case-sensitive) Create and configure a VLAN on the switch as follows:VLAN ID: 2VLAN Name: IPCamerasConfigure ports GE18, GE19, GE20, GE21 as untagged.. In the lobby and networking closet, perform the following:Connect a Cat5e cable to the RJ-45 ports on the IP camera and the IP camera wall plate.Mount the IP camera on the wall plate. In the networking closet, connect the DHCP server to the VLAN using a Cat5e cable from switch port 21 to patch panel port 21 in the rack. In the IT administration office, connect a Cat5e cable to the laptop's network port and the open port on the wall plate. On IT-Laptop2, verify the VLAN configuration and IP camera installation as follows:Select Start > IP Cameras.Verify that the program detects the IP cameras on the VLAN 2 network.
From the taskbar, open Google Chrome. Maximize the window for easier viewing. In the URL field, enter 192.168.0.2 and press Enter. For Username, enter ITSwitchAdmin. For Password, enter Admin$only (password is case-sensitive). Select Log In. From the Getting Started pane, under Initial Setup, select Create VLAN. Select Add. For VLAN ID, enter 2. For VLAN Name, enter IPCameras. Select Apply. Select Close. From the left pane, under VLAN Management, select Port to VLAN. From the the VLAN ID equals to drop-down menu, select 2. Select Go. For ports GE18, GE19, GE20, and GE21, select Untagged. Select Apply. From the top navigation area, select Floor 1. Under Lobby, select Hardware. Under Shelf, expand CCTV Cameras. Drag the IP Camera (Lobby) to the workspace. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. Under Shelf, expand Cables and then select a Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera wall mount plate. From the wall plate's Partial Connections list, drag the other connector to the RJ-45 port on the back of the IP camera. Drag the IP camera to the IP camera wall plate. From the top navigation area, select Floor 1. Under Networking Closet, select Hardware. Under Shelf, expand CCTV Cameras. Drag the IP Camera (Networking Closet) to the workspace. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. Under Shelf, expand Cables and then select Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera mount wall plate. Under Selected Component, drag the unconnected RJ45 cable to the RJ-45 port on the back of the IP camera. To mount the IP camera, drag the IP camera to the IP camera wall plate. In the networking closet, under Shelf, select a Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to port 21 on the switch. Under Selected Component, drag the unconnected RJ45 Connector to port 21 on the patch panel. Under the laptop's workspace, select Front. On the IT-Laptop2, select Click to view Windows 10. From the taskbar, select Start. Select IP Cameras. Verify that both cameras are detected on the network.
You are the IT security administrator for a small corporate network. You need to secure access to your switch, which is still configured with the default settings. In this lab, your task is to: Create a new user account with the following settings:Username: ITSwitchAdminPassword: Admin$only1844User Level: Read/Write Management Access (15) Edit the default user account as follows:Username: ciscoPassword: CLI$only1958User Level: Read-Only CLI Access (1) Save the changes to the switch's startup configuration file.
From the taskbar, select Google Chrome. In the URL field, enter 192.168.0.2 and press Enter. Maximize the window for easier viewing. In the Username and Password fields, enter cisco (case sensitive). Select Log In. From Getting Started under Quick Access, select Change Device Password. Select Add. For the username, enter ITSwitchAdmin (case sensitive). For the password, enter Admin$only1844 (case sensitive). For Confirm Password, enter Admin$only1844. For User Level, make sure Read/Write Management Access (15) is selected. Select Apply. Select Close. Under User Account Table, select cisco (the default user) and then select Edit. For the password, enter CLI$only1958. For Confirm Password, enter CLI$only1958. For User Level, select Read-Only CLI Access (1). Select Apply. From the top of the switch window, select Save. Under Source File Name, make sure Running configuration is selected. Under Destination File Name, make sure Startup configuration is selected. Select Apply. Select OK. Select Done.
You are a network technician for a small corporate network. You need to increase the security of your wireless network. Your new wireless controller provides several security features that you want to implement. In this lab, your task is to: Change the admin username and password for the Zone Director controller to the following:Admin Name: WxAdminPassword: ZDAdminsOnly!$ (O is the capital letter O) Set up MAC address filtering (L2 Access Control) to create a whitelist called Allowed Devices that includes the following wireless devices:00:18:DE:01:34:6700:18:DE:22:55:9900:02:2D:23:56:8900:02:2D:44:66:88 Implement a device access policy called NoGames that blocks gaming consoles from the wireless network.
From the taskbar, select Google Chrome. In the URL field, enter 192.168.0.6 and press Enter. Maximize the window for easier viewing. In the Admin field, enter admin (case sensitive). In the Password field, enter password as the password. Select Login. From the top, select the Administer tab. Make sure Authenticate using the admin name and password is selected. In the Admin Name field, enter WxAdmin. In the Current Password field, enter password. In the New Password field, enter ZDAdminsOnly!$. In the Confirm New Password field, enter ZDAdminsOnly!$. On the right, select Apply. From the top, select the Configure tab. From the left menu, select Access Control. Expand L2-L7 Access Control. Under L2/MAC address Access Control, select Create New. In the Name field, enter Allowed Devices. Under Restriction, make sure Only allow all stations listed below is selected. Enter a MAC address. Select Create New. Repeat step 4g-4h for each MAC address you would like to add to the ACL. Select OK. Under Access Control, expand Device Access Policy. Select Create New. In the Name field, enter NoGames. Select Create New. In the Description field, enter Games. Using the OS/Type drop-down list, select Gaming. In the Type field, select Deny. Under Uplink, make sure Disabled is selected. Under Downlink, make sure Disabled is selected. Select Save. Select OK.
You are a network technician for a small corporate network. You need to enable BYOD Guest Access Services on your network for guests and employees that have mobile phones, tablets, and personal computers. In this lab, your task is to perform the following: Access the Wireless Controller console through Google Chrome on http://192.168.0.6.Username: admin (case sensitive)password: password Set up Guest Access Services using the following parameters:Name: Guest_BYODAuthentication: Use guest pass authenticationThe guest should be presented with your terms of use statement and then allowed to go to the URL he or she was trying to access.Verify that 192.168.0.0/16 is on the list of restricted subnets. Create a guest WLAN using the following parameters:Network name: GuestESSID: Guest_BYODType: Guest AccessAuthentication: OpenEncryption Method: NoneGuest Access Service: Guest_BYODIsolate guest wireless clients from other clients on the access point. Open a new Google Chrome window and request a guest pass using the BYODAdmin user as follows:URL: 192.168.0.6/guestpassUsername: BYODAdmin (case sensitive)Password: P@ssw0rd (0 is a zero)Use any full name in the Full Name field.Make a note of or copy and paste the key in the Key field. Use the key from the guest pass request to authenticate to the wireless LAN Guest_BYOD from the Gst-Lap laptop computer in the Lobby.
From the taskbar, select Google Chrome. In the URL field, enter 192.168.0.6 and then press Enter. Maximize the window for easier viewing. In the Admin field, enter admin (case sensitive). In the Password field, enter password as the password. Select Login. Select the Configure tab. From the left menu, select Guest Access. Under Guest Access Service, select Create New. Change the Name field to Guest_BYOD. For Terms of Use, select Show terms of use. Expand Restricted Subnet Access. Verify that 192.168.0.0/16 is listed. Select OK. From the left menu, select WLANs. Under WLANs, select Create New. Change the Name to Guest. Change the ESSID to Guest_BYOD. Under Type, select Guest Access. For Wireless Client Isolation, select Isolate wireless client traffic from other clients on the same AP. Select OK. Close Google Chrome. Open a new Google Chrome browser window. In the URL field, enter 192.168.0.6/guestpass and then press Enter. Maximize the window for easier viewing. In the Username field, enter BYODAdmin (case sensitive). Enter P@ssw0rd as the password (0 is a zero). Select Log In. In the Full Name field, enter any full name. In the Key field, highlight the key and press Ctrl + C to copy the key. Select Next. From the top menu, select Floor 1. Select Gst-Lap in the lobby. In the notification area, select the Network icon. Select Guest_BYOD. Select Connect. Select Yes. After Internet Explorer opens to the Guest Access login page, paste the key from the Key field. Select Log In.
You work as the IT security administrator for a small corporate network. You need to secure access to your pfSense appliance, which is still configured with the default user settings. In this lab, your task is to: Change the password for the default pfSense account from pfsense to P@ssw0rd (use a zero). Create a new administrative user with the following parameters:Username: zolsenPassword: St@yout!Full Name: Zoey OlsenGroup Membership: admins Set a session timeout of 15 minutes for pfSense. Disable the webConfigurator anti-lockout rule for HTTP.
From the taskbar, select Google Chrome. Maximize the window for better viewing. In the Google Chrome address bar, enter 198.28.56.18 and then press Enter. Enter the pfSense sign-in information as follows: Username: admin Password: pfsense Select SIGN IN. From the pfSense menu bar, select System > User Manager. For the admin account, under Actions, select the Edit user icon (pencil). For the Password field, change to P@ssw0rd (use a zero). For the Confirm Password field, enter P@ssw0rd. Scroll to the bottom and select Save. Select Add. For Username, enter zolsen. For the Password field, enter St@yout!. For the Confirm Password field, enter St@yout! For Full Name, enter Zoey Olsen. For Group Membership, select admins and then select Move to Member of list. Scroll to the bottom and select Save. Under the System breadcrumb, select Settings. For Session timeout, enter 15. Select Save. From the pfSense menu bar, select System > Advanced. Under webConfigurator, for Protocol, select HTTP. Select Anti-lockout to disable the webConfigurator anti-lockout rule. Scroll to the bottom and select Save.
You are an IT security administrator for a small corporate network. To increase security for the corporate network, you have installed the pfSense network security appliance in your network. Now you need to configure the device. In this lab, your task is to configure pfSense as follows: Sign in to pfSense using the following case-sensitive information:URL: 198.28.56.18Username: adminPassword: pfsense Configure the DNS servers as follows:Primary DNS server: 163.128.78.93 - Hostname: DNS1Secondary DNS server: 163.128.80.93 - Hostname: DNS2 Configure the WAN IPv4 information as follows:Enable the interface.Use a static IPv4 address of 65.86.24.136/8Add a new gateway using the following information:Type: Default gatewayName: WANGatewayIP address: 65.86.1.1
From the taskbar, select Google Chrome. Maximize the window for better viewing. In the address bar, type 198.28.56.18 and then press Enter. Sign in using the following case-sensitive information: Username: admin Password: pfsense Select SIGN IN or press Enter From the pfSense menu bar, select System > General Setup. Under DNS Server Settings, configure the primary DNS Server as follows: Address: 163.128.78.93 Hostname: DNS1 Gateway: None Select Add DNS Server to add a secondary DNS Server and then configure it as follows: Address: 163.128.80.93 Hostname: DNS2 Gateway: None Scroll to the bottom and select Save. From pfSense menu bar, select Interfaces > WAN. Under General Configuration, select Enable interface. Use the IPv4 Configuration Type drop-down to select Static IPv4. Under Static IPv4 Configuration, in the IPv4 Address field, enter 65.86.24.136. Use the IPv4 Address subnet drop-down to select 8. Under Static IPv4 Configuration, select Add a new gateway. Configure the gateway settings as follows: Default: Select Default gateway Gateway name: Enter WANGateway Select Add. Scroll to the bottom and select Save. Select Apply Changes.
You are the IT administrator for a small corporate network. Several employees have complained of slow internet bandwidth. You have discovered that the user stations on the guest Wi-Fi network are consuming much of your company's bandwidth. You have decided to use pfSense's Traffic Shaper wizard to create the various rules needed to better control the bandwidth usage and to fine-tune the priority for the type of traffic used on your guest Wi-Fi network. Your network has one LAN and one WAN. In this lab, your task is to: Access the pfSense management console:Username: adminPassword: P@ssw0rd (zero) Create a firewall alias using the following specifications:Name: HighBWDescription: High bandwidth usersAssign the IP addresses of the high-bandwidth users to the alias:Vera's IP address: 172.14.1.25Paul's IP address: 172.14.1.100 The Shaper must be configured for the GuestWi-Fi interface using:An upload bandwidth of 5 MbitsA download bandwidth of 45 Mbits Allow your voice over IP traffic to have priority with:An upload bandwidth of 15 MbitsA download bandwidth of 20 Mbits To limit the user stations most likely to hog bandwidth, use the alias created earlier to penalize the offending stations to 2% of the bandwidth. Give a higher priority to the following services and protocols:MSRDPVNCPPTPIPSEC Change the port number used on the floating rule created for MSRDP as follows:Interface: GuestWi-FiDestination Port Range: 3391 Answer the question
In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. From the pfSense menu bar, select Firewall > Aliases. Select Add. Configure the Properties as follows: Name: HighBW Description: High bandwidth users Type: Host(s) Add the IP addresses of the offending computers to the host(s) configuration: Under Host(s), in the IP or FQDN field, enter 172.14.1.25 Select Add Host. In the new IP or FQDN field, enter 172.14.1.100 Select Save. Select Apply Changes. From the pfSense menu bar, select Firewall > Traffic Shaper. Under the Firewall bread crumb, select Wizards. Select traffic_shaper_wizard_dedicated.xml. Under Traffic shaper Wizard, in the Enter number of WAN type connections field, enter 1 and then select Next. Make sure you are on Step 1 of 8. Using the drop-down menu for the upper Local interface, select GuestWi-Fi. Using the drop-down menu for lower Local interface, make sure PRIQ is selected. For the upper Upload field, enter 5. Using the drop-down menu for the lower Upload field, select Mbit/s. For the top Download field, enter 45. Using the drop-down menu for the lower Download field, select Mbit/s. Select Next. Make sure you are on Step 2 of 8. Under Voice over IP, select Enable to prioritize the voice over IP traffic. Under Connection #1 parameters, in the Upload rate field, enter 15. Using the drop-down menu for the top Units, select Mbit/s. For the Download rate, enter 20. Using the drop-down menu for the bottom Units, select Mbit/s. Select Next. Make sure you are on Step 3 of 8. Under Penalty Box, select Enable to enable the penalize IP or alias option. In the Address field, enter HighBW. This is the alias created earlier. For Bandwidth, enter 2. Select Next. Skip steps 4 and 5. For Step 4 of 8, scroll to the bottom and select Next. For Step 5 of 8, scroll to the bottom and select Next. Make sure you are on Step 6 of 8. Under Raise or lower other Applications, select Enable to enable other networking protocols. Under Remote Service / Terminal emulation, use the: MSRDP drop-down menu to select Higher priority. VNC drop-down menu to select Higher priority. Under VPN: Use the PPTP drop-down menu to select Higher priority Use the IPSEC drop-down menu to select Higher priority Scroll to the bottom and select Next. For step 7 of 8, select Finish. Wait for the reload status to indicate that the rules have been created (look for Done). Select Firewall > Rules. Under the Firewall breadcrumb, select Floating. In the top right, select Answer Questions. Answer the question and then minimize the question dialog. For the m_Other MSRDP outbound rule, select the edit icon (pencil). Under Edit Firewall Rule, in the Interface field, select GuestWi-Fi. Under Destination, use the Destination Port Range drop-down menu to select Other. In both Custom fields, enter 3391. Select Save. Select Apply Changes. In the top right, select Answer Questions: 7 For the m_Other MSRDP outbound rule, select the edit icon (pencil). Under Edit Firewall Rule, in the Interface field, select GuestWi-Fi. Under Destination, use the Destination Port Range drop-down menu to select Other. In both Custom fields, enter 3391. Select Save. Select Apply Changes. In the top right, select Answer Questions. Select Score Lab.
You are the IT administrator for a small corporate network. One of your assignments is to manage several computers in the demilitarized zone (DMZ). However, your computer resides on the LAN network. To be able to manage these machines remotely, you have decided to configure your pfSense device to allow several remote control protocols to pass through the pfSense device using NAT port forwarding. In this lab, your task is to create NAT forwarding rules to: Access the pfSense management console:Username: adminPassword: P@ssw0rd (zero) Allow the RDP/TCP Protocols from the LAN network to the administrator's PC located in the DMZ using the following guidelines:IP address for the administrator's PC: 172.16.1.100Description: RDP from LAN to Admin Allow the SSH Protocol through the pfSense device to the Kali Linux server using the following guidelines:IP address for the Linux Kali server: 172.16.1.6Description: SSH from LAN to Kali Allow the RDP/TCP Protocols from the LAN network to the web server located in the DMZ using the following guidelines:Destination and redirect port: Port 5151IP address for the web server: 172.16.1.5Description: RDP from LAN to web server using custom port
In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. From the pfSense menu bar, select Firewall > NAT. Select Add (either one). Configure or verify the following settings: Interface: LAN Protocol: TCP Destination type: LAN address Destination port range (From and To): MS RDP Redirect target IP: 172.16.1.100 Redirect target port: MS RDP Description: RDP from LAN to Admin Select Save. Select Add (either one). Configure or verify the following settings: Interface: LAN Protocol: TCP Destination type: LAN address Destination port range (From and To): SSH Redirect target IP: 172.16.1.6 Redirect target port: SSH Description: SSH from LAN to Kali Select Save. Select Add (either one). Configure or verify the following settings: Interface: LAN Protocol: TCP Destination type: LAN address Destination port range (From and To): Other Custom (From and To) 5151 Redirect target IP: 172.16.1.5 Redirect target port: MS RDP Description: RDP from LAN to web server using custom port Select Save. Select Apply Changes.
You work as the IT security administrator for a small corporate network. You recently placed a web server in the demilitarized zone (DMZ). You need to configure the perimeter firewall on the network security appliance (pfSense) to allow access from the WAN to the Web server in the DMZ using both HTTP and HTTPs. You also want to allow all traffic from the LAN network to the DMZ network. In this lab, your task is to: Access the pfSense management console:Username: adminPassword: P@ssw0rd (zero) Create and configure a firewall rule to pass HTTP traffic from the WAN to the Web server in the DMZ. Create and configure a firewall rule to pass HTTPS traffic from the WAN to the Web server in the DMZ. Use the following table when creating the HTTP and HTTPS firewall rules
In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. From the pfSense menu bar, select Firewall > Rules. Under the Firewall breadcrumb, select DMZ. Select Add (either one). Make sure Action is set to Pass. Under Source, use the drop-down to select WAN net. Under Destination, use the Destination drop-down to select Single host or alias. In the Destination Address field, enter 172.16.1.5. Using the Destination Port Range drop-down, select HTTP (80). Under Extra Options, in the Description field, enter HTTP from WAN to DMZ. Select Save. Select Apply Changes. For the rule just created, select the Copy icon (two files). Under Destination, change the Destination Port Range to HTTPS (443). Under Extra Options, change the Description filed to HTTPS from WAN to DMZ. Select Save. Select Apply Changes. Select Add (either one). Make sure Action is set to Pass. For Protocol, use the drop-down to select Any. Under Source, use the drop-down to select LAN net. Under Destination, use the drop-down to select DMZ net. Under Extra Options, change the Description filed to LAN to DMZ Any. Select Save. Select Apply Changes.
You are the IT administrator for a small corporate network. You want to make a web server that runs services accessible from the internet. To help protect your company, you want to place this server and other devices in a demilitarized zone (DMZ). This DMZ and server need to be protected by the pfSense Security Gateway Appliance (pfSense). Since a few of the other devices in the DMZ require an IP address, you have also decided to enable DHCP on the DMZ network. In this lab, your task is to perform the following: Access the pfSense management console:Username: adminPassword: P@ssw0rd (zero) Add a new pfSense interface that can be used for the DMZ.Name the interface DMZ.Use a static IPv4 address of 172.16.1.1/16 Add a firewall rule for the DMZ interface that allows all traffic from the DMZ.Use a description of Allow DMZ to any rule Configure and enable the DHCP server for the DMZ interface.Use a range of 172.16.1.100 to 172.16.1.200
In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. From the pfSense menu bar, select Interfaces > Assignments. Select Add. Select OPT1. Select Enable interface. Change the Description field to DMZ. Under General Configuration, use the IPv4 Configuration Type drop-down menu to select Static IPv4. Under Static IPv4 Configuration, in the IPv4 Address field, enter 172.16.1.1. Use the subnet mask drop-down menu to select 16. Select Save. Select Apply Changes. (Optional) Verify the change as follows: From the menu bar, select pfsense COMMUNITY EDITION. Under Interfaces, verify that the DMZ is shown with the correct IP address. From the pfSense menu bar, select Firewall > Rules. Under the Firewall breadcrumb, select DMZ. (Notice that no rules have been created.) Under the Firewall breadcrumb, select LAN. Under the Actions column, select the copy icon (two files) for the rule with a source of LAN net. For the Action field, make sure Pass is selected. For the Interface field, use the drop-down menu to select DMZ. For Protocol, make sure it's set to Any. Under Source, use the drop-down menu to select DMZ net. Under Destination, make sure it is configured for any. Under Extra Options, change the description to Allow DMZ to any rule. (Is case sensitive.) Scroll to the bottom and select Save. Select Apply Changes. From the menu bar, select Services > DHCP Server. Under the Services breadcrumb, select DMZ. Select Enable. Configure the Range field as follows: From: 172.16.1.100 To: 172.16.1.200 Scroll to the bottom and select Save.
You have been hired by a small hotel to configure how their guests access the internet. You have chosen to use pfSense's captive portal feature. Guests must pass through this portal to access the internet. In this lab, your task is to: Access the pfSense management console:Username: adminPassword: P@ssw0rd (zero) Add a captive portal zone named Guest_WiFiUse the description Zone used for the guest Wi-Fi Using the GuestWi-Fi interface, configure your portal as follows:Allow a maximum of 100 concurrent connections.Disconnect user from the internet if their connection is inactive for 30 minutes.Disconnect user from the internet after two hours regardless of their activity.Limit user's download and upload to 8000 and 2500 Kbit/s, respectively.Force to pass through your portal prior to authentication. Allow the following MAC and IP address to pass through the portal:MAC: 00:00:1B:12:34:56IP: 198.28.1.100/16Give the IP address the description Admin's Laptop
In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. From the pfSense menu bar, select Services > Captive Portal. Select Add. For Zone name, enter Guest_WiFi. For Zone description, enter Zone used for the guest Wi-Fi. Select Save & Continue. Under Captive Portal Configuration, select Enable. For Interfaces, select GuestWi-Fi. For Maximum concurrent connections, select 100. For Idle timeout, enter 30. For Hard timeout, enter 120. Scroll down and select Per-user bandwidth restriction. For Default download (Kbit/s), enter 8000. For Default upload (Kbit/s), enter 2500. Under Authentication, use the drop-down menu to select None, don't authenticate users. Scroll to the bottom and select Save. From the Captive Portal page, select the Edit Zone icon (pencil). Under the Services breadcrumb, select MACs. Select Add. Make sure the Action field is set to Pass. For Mac Address, enter 00:00:1B:12:34:56. Select Save. Under the Services breadcrumb, select Allowed IP Addresses. Select Add. For IP Address, enter 198.28.1.100. Use the IP address drop-down menu to select 16. This sets the subnet mask to 255.255.0.0. For the Description field, enter Admin's Laptop. Make sure Direction is set to Both. Select Save.
You work as the IT security administrator for a small corporate network. The receptionist uses an iPad to manage employees' schedules and messages. You need to help her secure the iPad because it contains all of the employees' personal information. In this lab, your task is to: View the current iOS version and then answer the applicable question. Apply the latest software update and then answer the applicable question. Configure Auto-Lock with a five-minute delay. Configure Passcode Lock using a passcode of C@sp3r Require the passcode after five minutes. Configure Data Erase to wipe all data after 10 failed passcode attempts. Require unknown networks to be added manually. Turn off Bluetooth.
Select Settings. From the Settings pane, select General. From the General pane, select About. In the top right, select Answer Questions. Answer Question 1. Leave the question dialog open. From the About pane's heading, select General. This returns you to the General settings. From the General pane, select Software Update. Select Download and Install. Select Agree. Select OK. The software is downloaded. Select Install. Slide the arrow to the right to unlock the iPad. Answer Question 2 and then minimize the question dialog. From the Settings pane, select Display & Brightness. From the right pane, select Auto-Lock and then select 5 minutes. From the left menu, select Touch ID & Passcode. From the right pane, select Turn Passcode On. Enter the new passcode of C@sp3r Select Next. Re-enter C@sp3r. Select Done. Scroll down and then slide Erase Data to ON. Select Enable. Select Require Passcode. Select After 5 minutes. From the left menu, select Wi-Fi. Slide Ask to Join Networks to OFF. From the left pane, select Bluetooth. Slide Bluetooth to OFF. In the top right, select Answer Questions. Select Score Lab.
You work as the IT security administrator for a small corporate network. You recently set up the Remote Access VPN feature on your network security appliance to provide you and your fellow administrators with secure access to your network. You are currently at home and would like to connect your iPad to the VPN. Your iPad is connected to your home wireless network. In this lab, your task is to:
Select Settings. Select Wi-Fi. From the left menu, select General. From the right menu, select VPN. Select Add VPN Configuration. Select IPSec. In the Description field, enter CorpNetVPN. In the Server field, enter 198.28.56.34. In the Account field, enter mbrown. In the Secret field, enter asdf1234$. In the upper right, select Save. Under VPN Configuration, slide Not Connected to ON. When prompted, enter L3tM31nN0w (0 = zero) as the password. Select OK.
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet. The following table lists the used and unused ports: In this lab, your task is to: Shut down the unused ports. Configure the following Port Security settings for the used ports:Interface Status: LockLearning Mode: Classic LockAction on Violation: Discard
Under Initial Setup, select Configure Port Settings. Select the GE2 port. Scroll down and select Edit. Under Administrative Status, select Down. Scroll down and select Apply. Select Close. With the GE2 port selected, scroll down and select Copy Settings. In the Copy configuration field, enter the remaining unused ports. Select Apply. From the Port Setting Table, in the Port Status column, you can see that all the ports are down now. From the left menu, expand Security. Select Port Security. Select the GE1 port. Scroll down and select Edit. Under Interface Status, select Lock. Under Learning Mode, make sure Classic Lock is selected. Under Action on Violation, make sure Discard is selected. Select Apply. Select Close. Scroll down and select Copy Settings. Enter the remaining used ports Select Apply.