chapters 1-5 labs security
You recognize that the threat of malware is increasing. As such, you would like to use Windows Virus & Threat Protection to protect your computer from malware. In this lab, your task is to enable and configure Windows Virus & Threat Protection as follows:
- Add a file exclusion for D:\Graphics\cat.jpg.
- Add a process exclusion for welcome.scr.
- Locate the current threat definition version number.
- Answer Question 1.
- Check for updates.
- Answer Question 2.
- Perform a quick scan.
1. Access the Virus & threat protection options.
   a. Right-click Start; then select Settings.
   b. Select Update & Security.
   c. From the left pane, select Windows Security.
   d. Select Virus & threat protection.
2. Add a file exclusion for D:\Graphics\cat.jpg.
   a. Under Virus & threat protection settings, select Manage settings.
   b. Scroll down to Exclusions and then select Add or remove exclusions.
   c. Select Add an exclusion; then select File.
   d. From the left pane, browse to and select Data (D:) > Graphics > cat.jpg, and then select Open.
3. Add a process exclusion for welcome.scr.
   a. From the Exclusions dialog, select Add an exclusion; then select Process.
   b. In the Enter process name field, type welcome.scr; then select Add.
4. Check for protection updates.
   a. In the top left, select the back arrow twice to return to the Virus & threat protection page.
   b. Scroll down to Virus & threat protection updates and then select Check for updates to access the Protection updates page.
   c. In the top right, select Answer Questions.
   d. Answer Question 1.
   e. Select Check for updates.
   f. Answer Question 2.
5. Perform a quick virus scan.
   a. In the top left of the Windows Security dialog, select the back arrow to return to the Virus & threat protection page.
   b. Select Quick scan.
   c. Wait for the scan to complete.
Q1: What is the current security intelligence version?
Q2: What is the current security intelligence version after the update?
You have a new laptop that is running Windows 10. You notice a security message that indicates that Windows Firewall has been disabled. The laptop is currently connected to your organization's network, and the Domain network profile settings are in effect. You plan to travel this week, and you will connect the laptop to various airport Wi-Fi hotspots. You need to enable Windows Firewall for any public network. In this lab, your task is to configure Windows Firewall as follows:
- Turn on Windows Firewall for the Public network profile only.
- In addition to the programs and ports currently allowed, allow the following service and programs through the firewall for the Public network profile only:
   - A service named Key Management Service
   - An application named Arch98
   - An application named Apconf
1. Access the Windows Firewall settings.
   a. Right-click Start and then select Settings.
   b. Select Network & Internet.
   c. From the right pane, scroll down and select Windows Firewall.
2. From the Firewall & network protection dialog, under Public network, select Turn on.
3. Allow applications to communicate through the firewall for the Public network only.
   a. Select Allow an app through firewall.
   b. Select Change settings.
   c. For Key Management Service, clear Domain and Private, and then select Public.
   d. Select Allow another app to configure an exception for an application not currently allowed through the firewall.
   e. Select the application from the list and then select Add.
   f. For the newly added application, clear Domain and Private, and then select Public.
   g. Repeat steps 3d - 3f for the remaining application.
4. Select OK.
You work as the IT security administrator for a small corporate network. You need to secure access to your pfSense appliance, which is still configured with the default user settings. In this lab, your task is to:
- Change the password for the default pfSense account from pfsense to P@ssw0rd (use a zero).
- Create a new administrative user with the following parameters:
   - Username: zolsen
   - Password: St@yout!
   - Full Name: Zoey Olsen
   - Group Membership: admins
- Set a session timeout of 15 minutes for pfSense.
- Disable the webConfigurator anti-lockout rule for HTTP.
1. Access the pfSense management console.
   a. From the taskbar, select Google Chrome.
   b. Maximize the window for better viewing.
   c. In the Google Chrome address bar, enter 198.28.56.18 and then press Enter.
   d. Enter the pfSense sign-in information as follows:
      - Username: admin
      - Password: pfsense
   e. Select SIGN IN.
2. Change the password for the default (admin) account.
   a. From the pfSense menu bar, select System > User Manager.
   b. For the admin account, under Actions, select the Edit user icon (pencil).
   c. For the Password field, change to P@ssw0rd (use a zero).
   d. For the Confirm Password field, enter P@ssw0rd.
   e. Scroll to the bottom and select Save.
3. Create and configure a new pfSense user.
   a. Select Add.
   b. For Username, enter zolsen.
   c. For the Password field, enter St@yout!.
   d. For the Confirm Password field, enter St@yout!
   e. For Full Name, enter Zoey Olsen.
   f. For Group Membership, select admins and then select Move to Member of list.
   g. Scroll to the bottom and select Save.
4. Set a session timeout for pfSense.
   a. Under the System breadcrumb, select Settings.
   b. For Session timeout, enter 15.
   c. Select Save.
5. Disable the webConfigurator anti-lockout rule for HTTP.
   a. From the pfSense menu bar, select System > Advanced.
   b. Under webConfigurator, for Protocol, select HTTP.
   c. Select Anti-lockout to disable the webConfigurator anti-lockout rule.
   d. Scroll to the bottom and select Save.
You are an IT security administrator for a small corporate network. To increase security for the corporate network, you have installed the pfSense network security appliance in your network. Now you need to configure the device. In this lab, your task is to configure pfSense as follows:
- Sign in to pfSense using the following case-sensitive information:
   - URL: 198.28.56.18
   - Username: admin
   - Password: pfsense
- Configure the DNS servers as follows:
   - Primary DNS server: 163.128.78.93 - Hostname: DNS1
   - Secondary DNS server: 163.128.80.93 - Hostname: DNS2
- Configure the WAN IPv4 information as follows:
   - Enable the interface.
   - Use a static IPv4 address of 65.86.24.136/8
   - Add a new gateway using the following information:
      - Type: Default gateway
      - Name: WANGateway
      - IP address: 65.86.1.1
1. Access the pfSense management console.
   a. From the taskbar, select Google Chrome.
   b. Maximize the window for better viewing.
   c. In the address bar, type 198.28.56.18 and then press Enter.
   d. Sign in using the following case-sensitive information:
      - Username: admin
      - Password: pfsense
   e. Select SIGN IN or press Enter.
2. Configure the DNS Servers.
   a. From the pfSense menu bar, select System > General Setup.
   b. Under DNS Server Settings, configure the primary DNS Server as follows:
      - Address: 163.128.78.93
      - Hostname: DNS1
      - Gateway: None
   c. Select Add DNS Server to add a secondary DNS Server and then configure it as follows:
      - Address: 163.128.80.93
      - Hostname: DNS2
      - Gateway: None
   d. Scroll to the bottom and select Save.
3. Configure the WAN settings.
   a. From the pfSense menu bar, select Interfaces > WAN.
   b. Under General Configuration, select Enable interface.
   c. Use the IPv4 Configuration Type drop-down to select Static IPv4.
   d. Under Static IPv4 Configuration, in the IPv4 Address field, enter 65.86.24.136.
   e. Use the IPv4 Address subnet drop-down to select 8.
   f. Under Static IPv4 Configuration, select Add a new gateway.
   g. Configure the gateway settings as follows:
      - Default: Select Default gateway
      - Gateway name: Enter WANGateway
      - Gateway IPv4: 65.86.1.1
   h. Select Add.
   i. Scroll to the bottom and select Save.
   j. Select Apply Changes.
You need to customize how Windows Update checks for and installs updates on the ITAdmin desktop system. In this lab, your task is to:
- Configure Windows Update to:
   - Install updates for other Microsoft products when Windows is updated.
   - Allow the installation of feature updates to be deferred 60 days.
   - Allow quality updates to be deferred 30 days.
- Configure Windows to automatically download manufacturers' apps and custom icons for devices.
1. Configure the Windows Update settings.
   a. Right-click Start and then select Settings.
   b. Select Update & Security.
   c. From the right pane, select Advanced options.
   d. Under Update Options, turn on Receive updates for other Microsoft products when you update Windows by sliding the switch to On.
   e. Under Choose when updates are installed, configure each option as follows:
      - A feature update includes new capabilities and improvements. It can be deferred for 60 days.
      - A quality update includes security improvements. It can be deferred for this many days: 30
   f. Close the Settings window.
2. Configure Windows to automatically download the manufacturer's apps and custom icons.
   a. In the search field on the Windows taskbar, type Control.
   b. From Best match, select Control Panel.
   c. Select System and Security.
   d. Select System.
   e. From the left pane, select Advanced system settings.
   f. Select the Hardware tab.
   g. Select Device Installation Settings.
   h. Select Yes and then select Save Changes.
   i. Select OK.
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by restricting access management and by updating the switch's firmware. In this lab, your task is to:
- Create an access profile named MgtAccess and configure it with the following settings:
      Setting | Value
      Access Profile Name | MgtAccess
      Rule Priority | 1
      Management Method | All
      Action | Deny
      Applies to Interface | All
      Applies to Source IP address | All
- Add a profile rule to the MgtAccess profile with the following settings:
      Setting | Value
      Rule Priority | 2
      Management Method | HTTP
      Action | Permit
      Applies to interface | All
      Applies to Source IP address | User defined; IP Version: Version 4; IP Address: 192.168.0.10; Network Mask: 255.255.255.0
- Set the MgtAccess profile as the active access profile.
- Save the changes to the switch's startup configuration file using the default settings.
- Update the firmware image to the latest version by downloading the firmware files found in C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros.
1. Create and configure an Access Profile named MgtAccess.
   a. From the left pane, expand and select Security > Mgmt Access Method > Access Profiles.
   b. Select Add.
   c. Enter the Access Profile Name of MgtAccess.
   d. Enter the Rule Priority of 1.
   e. For Action, select Deny.
   f. Select Apply and then select Close.
2. Add a profile rule to the MgtAccess profile.
   a. From the left pane, under Security > Mgmt Access Method, select Profile Rules.
   b. Select the MgtAccess profile and then select Add.
   c. Enter a Rule Priority of 2.
   d. For Management Method, select HTTP.
   e. For Applies to Source IP Address, select User Defined.
   f. For IP Address, enter 192.168.0.10.
   g. Enter the Network Mask of 255.255.255.0.
   h. Select Apply and then select Close.
3. Set the MgtAccess profile as the active access profile.
   a. From the left pane, under Security > Mgmt Access Method, select Access Profiles.
   b. Use the Active Access Profile drop-down list to select MgtAccess.
   c. Select Apply.
   d. Select OK.
4. Save the changes to the switch's startup configuration file.
   a. At the top, select Save.
   b. For Source File Name, make sure Running configuration is selected.
   c. For Destination File Name, make sure Startup configuration is selected.
   d. Select Apply.
   e. Select OK.
5. Upgrade the firmware image to the latest version.
   a. From the left pane, select Getting Started.
   b. Under Quick Access, select Upgrade Device Software.
   c. For File Name, select Choose File.
   d. Browse to and select C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros.
   e. Select Open.
   f. Select Apply.
   g. Select OK.
   h. From the left pane, under File Management, select Active Image.
   i. For Active Image After Reboot, use the drop-down menu to select Image 2.
   j. Select Apply.
   k. From the left pane under Administration, select Reboot.
   l. From the right pane, select Reboot.
   m. Select OK.
As an IT administrator, you need to know how security breaches are caused. You know that SMAC is used for MAC spoofing, so you are going to spoof your MAC address. In this lab, your task is to complete the following:
- On Office2, use ipconfig /all and find the IP address and MAC address.
- Using SMAC, spoof the MAC address on ITAdmin to match that of Office2.
- Refresh the IP address on ITAdmin.
- Verify the MAC and IP address now match Office2.
1. Find the MAC address for Office2.
   a. Right-click Start and then select Windows PowerShell (Admin).
   b. From the Command Prompt, type ipconfig /all and press Enter.
   c. Find the MAC address.
2. Spoof the MAC address.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under IT Administration, select ITAdmin.
   c. In the Windows search bar, type SMAC.
   d. Under Best match, right-click SMAC and select Run as administrator.
   e. In the New Spoofed Mac Address field, type 00:00:55:55:44:15 (the MAC address from Office2).
   f. Select Update MAC.
   g. Select OK to confirm the adapter restart.
3. Renew the IP information for the ITAdmin computer.
   a. Right-click Start and select Windows PowerShell (Admin).
   b. From the Command Prompt, type ipconfig /renew to renew the IP address.
   c. Type ipconfig /all to confirm the MAC address and the IP address have been updated.
The Fiji router has been configured with Standard IP Access List 11. The access list is applied to the Fa0/0 interface. The access list must allow all traffic except traffic coming from hosts 192.168.1.10 and 192.168.1.12. However, you've noticed that it's preventing all traffic from being sent on Fa0/0. You remember that access lists contain an implied deny any statement. This means that any traffic not permitted by the list is denied. For this reason, access lists should contain at least one permit statement or all traffic is blocked. In this lab, your task is to:
- Add a permit any statement to Access List 11 to allow all traffic other than the restricted traffic.
- Save your changes in the startup-config file.
1. Enter the configuration mode for the Fiji router:
   a. From the exhibit, select the Fiji router.
   b. From the terminal, press Enter.
   c. Type enable and then press Enter.
   d. Type config term and then press Enter.
2. From the terminal, add a permit any statement to Access List 11 to allow all traffic other than the restricted traffic.
   a. Type access-list 11 permit any and press Enter.
   b. Press Ctrl + Z.
3. Save your changes in the startup-config file.
   a. Type copy run start and then press Enter.
   b. Press Enter to begin building the configuration.
   c. Press Enter.
You have a small business network connected to the internet through a single router as shown in the network diagram. You have noticed that three hosts on the internet have been flooding your router with unwanted traffic. As a temporary measure, you want to prevent all communication from these three hosts until the issue is resolved. In this lab, your task is to:
- Create a Standard Access List 25.
- Add statements to the access list to block traffic from the following hosts:
   - 199.68.111.199
   - 202.177.9.1
   - 211.55.67.11
- Add a statement to allow all other traffic from all other hosts.
- Apply Access List 25 to the Serial0/0/0 interface to filter incoming traffic.
1. Enter the configuration mode for the router:
   a. From the exhibit, select the router.
   b. From the terminal, press Enter.
   c. Type enable and then press Enter.
   d. Type config term and then press Enter.
2. From the terminal, create a standard numbered access list using number 25. Add statements to the access list to block traffic to the required hosts.
   a. Type access-list 25 deny host 199.68.111.199 and press Enter.
   b. Type access-list 25 deny host 202.177.9.1 and press Enter.
   c. Type access-list 25 deny host 211.55.67.11 and press Enter.
3. From the terminal, add a statement to allow all other traffic from all other hosts, by typing access-list 25 permit any and pressing Enter.
4. From the terminal, apply Access List 25 to the Serial0/0/0 interface to filter incoming traffic.
   a. Type int s0/0/0 and press Enter.
   b. Type ip access-group 25 in and press Enter.
   c. Type Ctrl + Z.
You are in the process of configuring a new router. The router interfaces connect to the following networks:
      Interface | Network
      FastEthernet0/0 | 192.168.1.0/24
      FastEthernet0/1 | 192.168.2.0/24
      FastEthernet0/1/0 | 192.168.3.0/24
Only Telnet and SSH access from these three networks should be allowed. In this lab, your task is to:
- Use the access-list command to create a standard numbered access list using number 5.
- Add a permit statement for each network to the access list.
- Use the access-class command to apply the access list to VTY lines 0-4. Use the in direction to filter incoming traffic.
- Save your changes in the startup-config file.
1. Enter the configuration mode for the router:
   a. From the exhibit, select the router.
   b. From the terminal, press Enter.
   c. Type enable and then press Enter.
   d. Type config term and then press Enter.
2. From the terminal, create a standard numbered access list using number 5. Add a permit statement for each network to the access list.
   a. Type access-list 5 permit 192.168.1.0 0.0.0.255 and then press Enter.
   b. Type access-list 5 permit 192.168.2.0 0.0.0.255 and then press Enter.
   c. Type access-list 5 permit 192.168.3.0 0.0.0.255 and then press Enter.
3. Apply the access list to VTY lines 0-4. Filter incoming traffic.
   a. Type line vty 0 4 and then press Enter.
   b. Type access-class 5 in and then press Enter.
   c. Press Ctrl + Z.
4. Save your changes in the startup-config file.
   a. Type copy run start and then press Enter.
   b. Press Enter to begin building the configuration.
   c. Press Enter.
You are the IT security administrator for a small corporate network. You need to increase the networking closet's security by implementing a CCTV system with IP cameras. As part of this task, you need to separate the CCTV data traffic on the network using a separate VLAN on the switch. The patch panel connections for the networking closet, lobby, and IT administration office are installed and ready for use (ports 18-20). A DHCP server is already configured to provide the IP cameras and the laptop in the IT administration office with the correct TCP/IP settings (port 21). For an easier implementation, create the logical VLAN first and then establish the physical connections of the IP cameras and the laptop. In this lab, your task is to perform the following:
- Access the switch management console from ITAdmin using the following credentials:
   - Address: http://192.168.0.2
   - Username: ITSwitchAdmin
   - Password: Admin$only (the password is case-sensitive)
- Create and configure a VLAN on the switch as follows:
   - VLAN ID: 2
   - VLAN Name: IPCameras
   - Configure ports GE18, GE19, GE20, GE21 as untagged.
      - Port 18 is connected to the network jack next to the laptop in the IT administration office.
      - Port 19 is connected to t
1. From the ITAdmin computer, log into the CISCO switch.
   a. From the taskbar, open Google Chrome.
   b. Maximize the window for easier viewing.
   c. In the URL field, enter 192.168.0.2 and press Enter.
   d. For Username, enter ITSwitchAdmin.
   e. For Password, enter Admin$only (password is case-sensitive).
   f. Select Log In.
2. Create a VLAN.
   a. From the Getting Started pane, under Initial Setup, select Create VLAN.
   b. Select Add.
   c. For VLAN ID, enter 2.
   d. For VLAN Name, enter IPCameras.
   e. Select Apply.
   f. Select Close.
3. Configure a VLAN.
   a. From the left pane, under VLAN Management, select Port to VLAN.
   b. From the VLAN ID equals to drop-down menu, select 2.
   c. Select Go.
   d. For ports GE18, GE19, GE20, and GE21, select Untagged.
   e. Select Apply.
4. Connect the IP camera in the lobby to the VLAN and mount the IP cameras.
   a. From the top navigation area, select Floor 1.
   b. Under Lobby, select Hardware.
   c. Under Shelf, expand CCTV Cameras.
   d. Drag the IP Camera (Lobby) to the workspace.
   e. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera.
   f. Under Shelf, expand Cables and then select a Cat5e Cable, RJ45.
   g. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera wall mount plate.
   h. From the wall plate's Partial Connections list, drag the other connector to the RJ-45 port on the back of the IP camera.
   i. Drag the IP camera to the IP camera wall plate.
5. Connect the IP camera in the networking closet to the VLAN and mount the IP cameras.
   a. From the top navigation area, select Floor 1.
   b. Under Networking Closet, select Hardware.
   c. Under Shelf, expand CCTV Cameras.
   d. Drag the IP Camera (Networking Closet) to the workspace.
   e. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera.
   f. Under Shelf, expand Cables and then select Cat5e Cable, RJ45.
   g. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera mount wall plate.
   h. Under Selected Component, drag the unconnected RJ45 cable to the RJ-45 port on the back of the IP camera.
   i. To mount the IP camera, drag the IP camera to the IP camera wall plate.
6. Connect the DHCP server and laptop to the VLAN.
   a. In the networking closet, under Shelf, select a Cat5e Cable, RJ45.
   b. Under Selected Component, drag a RJ45 Connector to port 21 on the switch.
   c. Under Selected Component, drag the unconnected RJ4
You work as the IT security administrator for a small corporate network in the United States of America. The name of your site is www.corpnet.xyz. The company president has received several questionable emails that he is concerned may be malicious attacks on the company. He has asked you to determine whether the emails are hazardous and to handle them accordingly. In this lab, your task is to:
- Read each email and determine whether it is legitimate.
- Delete any emails that are attempts at social engineering.
- Keep emails that are safe.
1. From the Inbox of the WebEmail interface, highlight an email.
2. Read and explore the email and determine whether it is a legitimate email. This includes using your mouse to hover over suspicious attachments and links.
3. Take the appropriate action for each email:
   a. If the email is an attempt at social engineering, from the menu bar, select Delete.
   b. If the email is safe, do nothing.
4. Repeat steps 1 through 3 for each email.
The following table lists the actions you should take for each email:
      Microsoft Windows Update Center | New Service Pack | Phishing | Delete
      Joe Davis | Re: Lunch Today? | Malicious Attachment | Delete
      Executive Recruiting | Executive Jobs | Whaling | Delete
      Human Resources | Ethics Video | Safe | Keep
      Online Banking Department | Payment Pending | Phishing | Delete
      Grandma Jacklin | FW: FW: FW: Virus Attack Warning | Hoax | Delete
      Emily Smith | Web Site Update | Spear Phishing | Delete
      sara Goodwin | Wow!! | Malicious Attachment | Delete
      Grandma Jacklin | Free Airline Tickets | Hoax | Delete
      Human Resources | IMPORTANT NOTICE-Action Required | Safe | Keep
      Activities Committee | Pumpkin Contest | Safe | Keep
      Robert Williams | Presentation | Safe | Keep
Based on a review of physical security at your office, you have recommended several improvements. Your plan includes installing smart card readers, IP cameras, signs, and an access log book. In this lab, your task is to:
- Implement your physical security plan by dragging the correct items from the shelf onto the various locations in the building. As you drag the items from the shelf, the possible drop locations are highlighted.
To implement your plan, you must:
- Install two IP security cameras in the appropriate location to record which employees access the key infrastructure. The security cameras should operate over the TCP/IP network.
- Install the smart card key readers in the appropriate location to control access to key infrastructure. The key card readers should be contactless and record more information than the card's ID.
- Install a Restricted Access sign on the networking closet door to control access to the infrastructure.
- Install the visitor log on the lobby desk.
1. Install the IP security cameras:
   a. From the Shelf, expand CCTV Cameras.
   b. Drag the IP Security Camera from the shelf to the highlighted circle inside the networking closet.
   c. Drag the IP Security Camera from the shelf to the highlighted circle just outside the networking closet.
2. Install the smart card key readers:
   a. From the Shelf, expand Door Locks.
   b. Drag a smart card reader from the shelf to the highlighted location outside the building's front door.
   c. Drag a smart card reader from the shelf to the highlighted location outside the networking closet's door.
3. Install the Restricted Access sign:
   a. From the Shelf, expand Restricted Access Signs.
   b. Drag the Restricted Access sign from the shelf to the networking closet door.
4. Install the visitor log:
   a. From the Shelf, expand Visitor Logs.
   b. Drag the visitor log from the shelf to the lobby desk.
You are the IT security administrator for a small corporate network. You need to secure access to your switch, which is still configured with the default settings. In this lab, your task is to:
- Create a new user account with the following settings:
   - Username: ITSwitchAdmin
   - Password: Admin$only1844
   - User Level: Read/Write Management Access (15)
- Edit the default user account as follows:
   - Username: cisco
   - Password: CLI$only1958
   - User Level: Read-Only CLI Access (1)
- Save the changes to the switch's startup configuration file.
1. Log in to the CISCO switch.
   a. From the taskbar, select Google Chrome.
   b. In the URL field, enter 192.168.0.2 and press Enter.
   c. Maximize the window for easier viewing.
   d. In the Username and Password fields, enter cisco (case sensitive).
   e. Select Log In.
2. Create a new user account.
   a. From Getting Started under Quick Access, select Change Device Password.
   b. Select Add.
   c. For the username, enter ITSwitchAdmin (case sensitive).
   d. For the password, enter Admin$only1844 (case sensitive).
   e. For Confirm Password, enter Admin$only1844.
   f. For User Level, make sure Read/Write Management Access (15) is selected.
   g. Select Apply.
   h. Select Close.
3. Edit the default user account.
   a. Under User Account Table, select cisco (the default user) and then select Edit.
   b. For the password, enter CLI$only1958.
   c. For Confirm Password, enter CLI$only1958.
   d. For User Level, select Read-Only CLI Access (1).
   e. Select Apply.
4. Save the changes to the switch's startup configuration file.
   a. From the top of the switch window, select Save.
   b. Under Source File Name, make sure Running configuration is selected.
   c. Under Destination File Name, make sure Startup configuration is selected.
   d. Select Apply.
   e. Select OK.
   f. Select Done.
Confidential personnel data is stored on the CorpFiles file server in a shared directory named Personnel. You need to configure NTFS permissions for this folder so that only managers are authorized to access it. In this lab, your task is to perform the following:
- Grant the Managers group the Full Control permission to the D:\Personnel folder.
- Remove all inherited permissions that are flowing to the D:\Personnel folder.
1. Open the Data (D:) drive.
   a. From the Windows taskbar, select File Explorer.
   b. From the left pane, expand and select This PC > Data (D:).
2. Configure NTFS permissions.
   a. From the right pane, right-click Personnel and select Properties.
   b. Select the Security tab.
   c. Select Edit.
   d. Select Add.
   e. Enter Managers as the group that will receive permission to the folder.
   f. Click OK.
   g. With the Managers group selected, select the appropriate Full control.
   h. Click OK.
3. Prevent inherited permissions from parent.
   a. On the Security tab, select Advanced.
   b. Select Disable inheritance.
   c. Select Remove all inherited permissions from this object.
   d. Click OK to close the Advanced Security Settings for Personnel dialog.
   e. Click OK to close the Properties dialog.
There are two groups of users who access the CorpFiles server, Marketing and Research. Each group has a corresponding folder:
- D:\Marketing Data
- D:\Research Data
In this lab, your task is to:
- Disable permissions inheritance for D:\Marketing Data and D:\Research Data and convert the existing permissions to explicit permissions.
- For each of the above folders, remove the Users group from the access control list (ACL).
- Add the Marketing group to the Marketing Data folder ACL.
- Add the Research group to the Research Data folder ACL.
- Assign the groups Full Control to their respective folders.
- Do not change any other permissions assigned to other users or groups.
1. Open the Data (D:) drive.
   a. From the Windows taskbar, select File Explorer.
   b. From the left pane, expand and select This PC > Data (D:).
2. Disable inheritance and convert inherited permissions to explicit permissions.
   a. From the right pane, right-click the applicable folder and then select Properties.
   b. Select the Security tab.
   c. Select Advanced to modify inherited permissions.
   d. Select Disable inheritance to prevent inherited permissions.
   e. Select Convert inherited permissions into explicit permissions on this object.
3. Remove the Users group from the access control list.
   a. In Permission entries, select Users.
   b. Select Remove to remove the group from the access control list.
   c. Select OK.
4. Add a new group to the access control list and allow Full Control.
   a. Select Edit to add a group to the access control list.
   b. Select Add.
   c. Enter the name of the group you want to add and then select Check Names.
   d. Select OK.
   e. With the newly added group selected, under the Allow column, select Full control and then select OK.
   f. Select OK to close the properties dialog.
5. Repeat steps 2 - 4 to modify the permissions for the additional folder.
You work as the IT security administrator for a small corporate network. You recently placed a web server in the demilitarized zone (DMZ). You need to configure the perimeter firewall on the network security appliance (pfSense) to allow access from the WAN to the Web server in the DMZ using both HTTP and HTTPS. You also want to allow all traffic from the LAN network to the DMZ network. In this lab, your task is to:
- Access the pfSense management console:
   - Username: admin
   - Password: P@ssw0rd (zero)
- Create and configure a firewall rule to pass HTTP traffic from the WAN to the Web server in the DMZ.
- Create and configure a firewall rule to pass HTTPS traffic from the WAN to the Web server in the DMZ.
- Use the following table when creating the HTTP and HTTPS firewall rules:
      Parameter | Setting
      Source | WAN network
      Destination port/service | HTTP (80), HTTPS (443)
      Destination | A single host
      IP address for host | 172.16.1.5
      Descriptions | For HTTP: HTTP from WAN to DMZ; For HTTPS: HTTPS from WAN to DMZ
- Create and configure a firewall rule to pass all traffic from the LAN network to the DMZ network. Use the description LAN to DMZ Any.
1. Sign in to the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Create and configure a firewall rule to pass HTTP traffic from the WAN to the Web server in the DMZ.
   a. From the pfSense menu bar, select Firewall > Rules.
   b. Under the Firewall breadcrumb, select DMZ.
   c. Select Add (either one).
   d. Make sure Action is set to Pass.
   e. Under Source, use the drop-down to select WAN net.
   f. Under Destination, use the Destination drop-down to select Single host or alias.
   g. In the Destination Address field, enter 172.16.1.5.
   h. Using the Destination Port Range drop-down, select HTTP (80).
   i. Under Extra Options, in the Description field, enter HTTP from WAN to DMZ.
   j. Select Save.
   k. Select Apply Changes.
3. Create and configure a firewall rule to pass HTTPS traffic from the WAN to the Web server in the DMZ.
   a. For the rule just created, select the Copy icon (two files).
   b. Under Destination, change the Destination Port Range to HTTPS (443).
   c. Under Extra Options, change the Description field to HTTPS from WAN to DMZ.
   d. Select Save.
   e. Select Apply Changes.
4. Create and configure a firewall rule to pass all traffic from the LAN network to the DMZ network.
   a. Select Add (either one).
   b. Make sure Action is set to Pass.
   c. For Protocol, use the drop-down to select Any.
   d. Under Source, use the drop-down to select LAN net.
   e. Under Destination, use the drop-down to select DMZ net.
   f. Under Extra Options, change the Description field to LAN to DMZ Any.
   g. Select Save.
   h. Select Apply Changes.
You are the IT administrator for a small corporate network. One of your assignments is to manage several computers in the demilitarized zone (DMZ or screened subnet). However, your computer resides on the LAN network. To be able to manage these machines remotely, you have decided to configure your pfSense device to allow several remote control protocols to pass through the pfSense device using NAT port forwarding. In this lab, your task is to create NAT forwarding rules:
- Access the pfSense management console:
   - Username: admin
   - Password: P@ssw0rd (zero)
- Allow the RDP/TCP Protocols from the LAN network to the PC1 computer located in the DMZ using the following:
   - IP address for PC1: 172.16.1.100
   - Description: RDP from LAN to PC1
- Allow the SSH Protocol from the LAN network to the Kali Linux server located in the DMZ using the following:
   - IP address for the Linux Kali server: 172.16.1.6
   - Description: SSH from LAN to Kali
- Allow the RDP/TCP Protocols from the LAN network to the web server located in the DMZ using the following:
   - Destination and redirect port: Port 5151
   - IP address for the web server: 172.16.1.5
   - Description: RDP from LAN to web server using custom port
1. Sign into the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Configure NAT port forwarding for the PC1 computer.
   a. From the pfSense menu bar, select Firewall > NAT.
   b. Select Add (either one).
   c. Configure or verify the following settings:
      - Interface: LAN
      - Protocol: TCP
      - Destination type: LAN address
      - Destination port range (From and To): MS RDP
      - Redirect target IP: 172.16.1.100
      - Redirect target port: MS RDP
      - Description: RDP from LAN to PC1
   d. Select Save.
3. Configure NAT port forwarding for the Kali Linux server.
   a. Select Add (either one).
   b. Configure or verify the following settings:
      - Interface: LAN
      - Protocol: TCP
      - Destination type: LAN address
      - Destination port range (From and To): SSH
      - Redirect target IP: 172.16.1.6
      - Redirect target port: SSH
      - Description: SSH from LAN to Kali
   c. Select Save.
4. Configure NAT port forwarding for the web server.
   a. Select Add (either one).
   b. Configure or verify the following settings:
      - Interface: LAN
      - Protocol: TCP
      - Destination type: LAN address
      - Destination port range (From and To): Other
      - Custom (From and To) 5151
      - Redirect target IP: 172.16.1.5
      - Redirect target port: MS RDP
      - Description: RDP from LAN to web server using custom port
   c. Select Save.
   d. Select Apply Changes.
You are the IT administrator for a small corporate network. You want to make a web server that runs services accessible from the internet. To help protect your company, you want to place this server and other devices in a demilitarized zone (DMZ). This DMZ and server need to be protected by the pfSense Security Gateway Appliance (pfSense). Since a few of the other devices in the DMZ require an IP address, you have also decided to enable DHCP on the DMZ network.
In this lab, your task is to perform the following:
- Access the pfSense management console:
  - Username: admin
  - Password: P@ssw0rd (zero)
- Add a new pfSense interface that can be used for the DMZ.
  - Name the interface DMZ.
  - Use a static IPv4 address of 172.16.1.1/16
- Add a firewall rule for the DMZ interface that allows all traffic from the DMZ.
  - Use a description of Allow DMZ to any rule
- Configure and enable the DHCP server for the DMZ interface.
  - Use a range of 172.16.1.100 to 172.16.1.200
1. Sign in to the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Configure an interface for the DMZ.
   a. From the pfSense menu bar, select Interfaces > Assignments.
   b. Select Add.
   c. Select OPT1.
   d. Select Enable interface.
   e. Change the Description field to DMZ.
   f. Under General Configuration, use the IPv4 Configuration Type drop-down menu to select Static IPv4.
   g. Under Static IPv4 Configuration, in the IPv4 Address field, enter 172.16.1.1.
   h. Use the subnet mask drop-down menu to select 16.
   i. Select Save.
   j. Select Apply Changes.
   k. (Optional) Verify the change as follows:
      - From the menu bar, select pfsense COMMUNITY EDITION.
      - Under Interfaces, verify that the DMZ is shown with the correct IP address.
3. Add a firewall rule to the DMZ interface.
   a. From the pfSense menu bar, select Firewall > Rules.
   b. Under the Firewall breadcrumb, select DMZ. (Notice that no rules have been created.)
   c. Under the Firewall breadcrumb, select LAN.
   d. Under the Actions column, select the copy icon (two files) for the rule with a source of LAN net.
   e. For the Action field, make sure Pass is selected.
   f. For the Interface field, use the drop-down menu to select DMZ.
   g. For Protocol, make sure it's set to Any.
   h. Under Source, use the drop-down menu to select DMZ net.
   i. Under Destination, make sure it is configured for any.
   j. Under Extra Options, change the description to Allow DMZ to any rule. (This is case sensitive.)
   k. Scroll to the bottom and select Save.
   l. Select Apply Changes.
4. Configure pfSense's DHCP server for the DMZ interface.
   a. From the menu bar, select Services > DHCP Server.
   b. Under the Services breadcrumb, select DMZ.
   c. Select Enable.
   d. Configure the Range field as follows:
      - From: 172.16.1.100
      - To: 172.16.1.200
   e. Scroll to the bottom and select Save.
You are the security analyst for a small corporate network. After monitoring your network, you have discovered that several employees are wasting time visiting non-productive and potentially malicious websites. As such, you have added pfBlockerNG to your pfSense device. You now need to configure this feature and add the required firewall rules that allow/block specific URLs and prevent all DNS traffic from leaving your LAN network.
In this lab, your task is to:
- Sign in to pfSense using:
  - Username: admin
  - Password: P@ssw0rd (zero)
- Create a firewall rule that blocks all DNS traffic leaving the LAN network.
- Create a firewall rule that allows all DNS traffic going to the LAN network.
- Use the following table for the two rules:
  Parameter: Setting
  - Protocol: UDP (53)
  - Descriptions: For the block rule: Block DNS from LAN. For the allow rule: Allow all DNS to LAN
- Arrange the firewall rules in the order that allows them to function properly.
- Enable and configure pfBlockerNG using the information in the following table:
  Parameter: Setting
  - DNSBL Virtual IP: 192.168.0.0
  - Top-Level Domain (TLD) Blacklist: financereports.co, totalpad.com, salesscript.info
  - Top-Level Domain (TLD) Whitelist: .www.google.com, .play.google.com, .drive.google.
1. Sign in to the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Create a firewall rule that blocks all DNS traffic coming from the LAN.
   a. From the pfSense menu bar, select Firewall > Rules.
   b. Under the Firewall breadcrumb, select LAN.
   c. Select Add (either one).
   d. Under Edit Firewall Rule, use the Action drop-down to select Block.
   e. Under Edit Firewall Rule, set Protocol to UDP.
   f. Under Source, use the drop-down menu to select LAN net.
   g. Under Destination, configure the Destination Port Range to use DNS (53) (for From and To).
   h. Under Extra Options, in the Description field, enter Block DNS from LAN.
   i. Select Save.
   j. Select Apply Changes.
3. Create a firewall rule that allows all DNS traffic going to the LAN network.
   a. Select Add (either one).
   b. Under Edit Firewall Rule, set Protocol to UDP.
   c. Under Destination, use the drop-down menu to select LAN net.
   d. Configure the Destination Port Range to use DNS (53) (for From and To).
   e. Under Extra Options, in the Description field, enter Allow all DNS to LAN.
   f. Select Save.
   g. Select Apply Changes.
4. Arrange the firewall rules in the order that allows them to function properly.
   a. Using drag-and-drop, move the rules to the following order (top to bottom):
      - Anti-Lockout Rule
      - Allow all DNS to LAN
      - Block DNS from LAN
      In the simulated version of pfSense, you can only drag and drop the rules you created. You cannot drag and drop the default rule.
   b. Select Save.
   c. Select Apply Changes.
5. Enable pfBlockerNG.
   a. From the pfSense menu bar, select Firewall > pfBlockerNG.
   b. Under General Settings, select Enable pfBlockerNG.
   c. Scroll to the bottom and select Save.
6. Enable and configure DNS block lists.
   a. Under the Firewall breadcrumb, select DNSBL.
   b. Select Enable DNSBL.
   c. For DNSBL Virtual IP, enter 192.168.0.0.
   d. Scroll to the bottom and expand TLD Blacklist.
   e. Enter the following URLs in the TLD Blacklist box:
      - financereports.co
      - totalpad.com
      - salesscript.info
   f. Expand TLD Whitelist and then enter the following URLs:
      - .www.google.com
      - .play.google.com
      - .drive.google.com
   g. Select Save.
You are the IT administrator for a small corporate network. Several employees have complained of slow internet bandwidth. You have discovered that the user stations on the guest Wi-Fi network are consuming much of your company's bandwidth. You have decided to use pfSense's Traffic Shaper wizard to create the various rules needed to better control the bandwidth usage and to fine-tune the priority for the type of traffic used on your guest Wi-Fi network. Your network has one LAN and one WAN.
In this lab, your task is to:
- Access the pfSense management console:
  - Username: admin
  - Password: P@ssw0rd (zero)
- Create a firewall alias using the following specifications:
  - Name: HighBW
  - Description: High bandwidth users
  - Assign the IP addresses of the high-bandwidth users to the alias:
    - Vera's IP address: 172.14.1.25
    - Paul's IP address: 172.14.1.100
- The Shaper must be configured for the GuestWi-Fi interface using:
  - An upload bandwidth of 5 Mbits
  - A download bandwidth of 45 Mbits
- Allow your voice over IP traffic to have priority with:
  - An upload bandwidth of 15 Mbits
  - A download bandwidth of 20 Mbits
- To limit the user stations most likely to hog bandwidth, use the alias created earlier to penalize the offending stations to
1. Sign in to the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Create a high bandwidth usage alias.
   a. From the pfSense menu bar, select Firewall > Aliases.
   b. Select Add.
   c. Configure the Properties as follows:
      - Name: HighBW
      - Description: High bandwidth users
      - Type: Host(s)
   d. Add the IP addresses of the offending computers to the host(s) configuration:
      - Under Host(s), in the IP or FQDN field, enter 172.14.1.25
      - Select Add Host.
      - In the new IP or FQDN field, enter 172.14.1.100
   e. Select Save.
   f. Select Apply Changes.
3. Start the Traffic Shaper wizard for dedicated links.
   a. From the pfSense menu bar, select Firewall > Traffic Shaper.
   b. Under the Firewall breadcrumb, select Wizards.
   c. Select traffic_shaper_wizard_dedicated.xml.
   d. Under Traffic shaper Wizard, in the Enter number of WAN type connections field, enter 1 and then select Next.
4. Configure the Traffic Shaper.
   a. Make sure you are on Step 1 of 8.
   b. Using the drop-down menu for the upper Local interface, select GuestWi-Fi.
   c. Using the drop-down menu for lower Local interface, make sure PRIQ is selected.
   d. For the upper Upload field, enter 5.
   e. Using the drop-down menu for the lower Upload field, select Mbit/s.
   f. For the top Download field, enter 45.
   g. Using the drop-down menu for the lower Download field, select Mbit/s.
   h. Select Next.
5. Prioritize voice over IP traffic.
   a. Make sure you are on Step 2 of 8.
   b. Under Voice over IP, select Enable to prioritize the voice over IP traffic.
   c. Under Connection #1 parameters, in the Upload rate field, enter 15.
   d. Using the drop-down menu for the top Units, select Mbit/s.
   e. For the Download rate, enter 20.
   f. Using the drop-down menu for the bottom Units, select Mbit/s.
   g. Select Next.
6. Enable and configure a penalty box.
   a. Make sure you are on Step 3 of 8.
   b. Under Penalty Box, select Enable to enable the penalize IP or alias option.
   c. In the Address field, enter HighBW. This is the alias created earlier.
   d. For Bandwidth, enter 2.
   e. Select Next.
7. Skip steps 4 and 5.
   a. For Step 4 of 8, scroll to the bottom and select Next.
   b. For Step 5 of 8, scroll to the bottom and select Next.
8. Raise and lower the applicable application's priority.
   a. Make sure you are on Step 6 of 8.
   b. Under Raise or lower other Applications, select Enable to enable other networking prot
You work as the IT security administrator for a small corporate network. Occasionally, you and your co-administrators need to access internal resources when you are away from the office. You would like to set up a Remote Access VPN using pfSense to allow secure access.
In this lab, your task is to use the pfSense wizard to create and configure an OpenVPN Remote Access server using the following guidelines:
- Sign in to pfSense using:
  - Username: admin
  - Password: P@ssw0rd (zero)
- Create a new certificate authority certificate using the following settings:
  - Name: CorpNet-CA
  - Country Code: GB
  - State: Cambridgeshire
  - City: Woodwalton
  - Organization: CorpNet
- Create a new server certificate using the following settings:
  - Name: CorpNet
  - Country Code: GB
  - State: Cambridgeshire
  - City: Woodwalton
- Configure the VPN server using the following settings:
  - Interface: WAN
  - Protocol: UDP on IPv4 only
  - Description: CorpNet-VPN
  - Tunnel network IP: 198.28.20.0/24
  - Local network IP: 198.28.56.18/24
  - Concurrent Connections: 4
  - DNS Server 1: 198.28.56.1
- Configure the following:
  - A firewall rule
  - An OpenVPN rule
- Set the OpenVPN server just created to Remote Access (User Auth).
- Create and configure the following standard remote VPN users: Username, Password, Fu
1. Sign in to the pfSense management console.
   a. In the Username field, enter admin.
   b. In the Password field, enter P@ssw0rd (zero).
   c. Select SIGN IN or press Enter.
2. Start the VPN wizard and select the authentication backend type.
   a. From the pfSense menu bar, select VPN > OpenVPN.
   b. From the breadcrumb, select Wizards.
   c. Under Select an Authentication Backend Type, make sure Local User Access is selected.
   d. Select Next.
3. Create a new certificate authority certificate.
   a. For Descriptive Name, enter CorpNet-CA.
   b. For Country Code, enter GB.
   c. For State, enter Cambridgeshire.
   d. For City, enter Woodwalton.
   e. For Organization, enter CorpNet.
   f. Select Add new CA.
4. Create a new server certificate.
   a. For Descriptive Name, enter CorpNet.
   b. Verify that all of the previous changes (Country Code, State/Province, and City) are the same.
   c. Use all other default settings.
   d. Select Create new Certificate.
5. Configure the VPN server.
   a. Under General OpenVPN Server Information:
      - Use the Interface drop-down menu to select WAN.
      - Verify that the Protocol is set to UDP on IPv4 only.
      - For Description, enter CorpNet-VPN.
   b. Under Tunnel Settings:
      - For Tunnel Network, enter 198.28.20.0/24.
      - For Local Network, enter 198.28.56.18/24.
      - For Concurrent Connections, enter 4.
   c. Under Client Settings, in DNS Server1, enter 198.28.56.1.
   d. Select Next.
6. Configure the firewall rules.
   a. Under Traffic from clients to server, select Firewall Rule.
   b. Under Traffic from clients through VPN, select OpenVPN rule.
   c. Select Next.
   d. Select Finish.
7. Set the OpenVPN server just created to Remote Access (User Auth).
   a. For the WAN interface, select the Edit Server icon (pencil).
   b. For Server mode, use the drop-down and select Remote Access (User Auth).
   c. Scroll to the bottom and select Save.
8. Configure the following Standard VPN users.
   a. From the pfSense menu bar, select System > User Manager.
   b. Select Add.
   c. Configure the User Properties as follows:
      - Username: Username
      - Password: Password
      - Full name: Fullname
   d. Scroll to the bottom and select Save.
   e. Repeat steps 8b-8d to create the remaining VPN users.
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet. The following table lists the used and unused ports:
- Unused Ports: GE2, GE7, GE9-GE20, GE25, GE27-GE28
- Used Ports: GE1, GE3-GE6, GE8, GE21-GE24, GE26
In this lab, your task is to:
- Shut down the unused ports.
- Configure the following Port Security settings for the used ports:
  - Interface Status: Lock
  - Learning Mode: Classic Lock
  - Action on Violation: Discard
Unused Ports: GE2, GE7, GE9-GE20, GE25, GE27-GE28
Used Ports: GE1, GE3-GE6, GE8, GE21-GE24, GE26
1. Shut down the unused ports.
   a. Under Initial Setup, select Configure Port Settings.
   b. Select the GE2 port.
   c. Scroll down and select Edit.
   d. Under Administrative Status, select Down.
   e. Scroll down and select Apply.
   f. Select Close.
   g. With the GE2 port selected, scroll down and select Copy Settings.
   h. In the Copy configuration field, enter the remaining unused ports.
   i. Select Apply.
      From the Port Setting Table, in the Port Status column, you can see that all the ports are down now.
2. Configure the Port Security settings.
   a. From the left menu, expand Security.
   b. Select Port Security.
   c. Select the GE1 port.
   d. Scroll down and select Edit.
   e. Under Interface Status, select Lock.
   f. Under Learning Mode, make sure Classic Lock is selected.
   g. Under Action on Violation, make sure Discard is selected.
   h. Select Apply.
   i. Select Close.
   j. Scroll down and select Copy Settings.
   k. Enter the remaining used ports.
   l. Select Apply.
You work as the IT security administrator for a small corporate network. You recently set up the Remote Access VPN feature on your network security appliance to provide you and your fellow administrators with secure access to your network. You are currently at home and would like to connect your iPad to the VPN. Your iPad is connected to your home wireless network.
In this lab, your task is to:
- Add an IPSec VPN connection using the following values (this can be added by selecting Settings > General > VPN):
  Parameter: Value
  - Description: CorpNetVPN
  - Server: 198.28.56.34
  - Account: mbrown
  - Secret: asdf1234$
- Turn on the VPN.
- Verify that a connection is established.
The password for mbrown is L3tM31nN0w (0 = zero).
1. Verify your connection to the Home-Wireless network.
   a. Select Settings.
   b. Select Wi-Fi.
   c. From the right, notice that you are connected to the Home-Wireless network.
2. Add and configure a VPN.
   a. From the left menu, select General.
   b. From the right menu, select VPN.
   c. Select Add VPN Configuration.
   d. Select IPSec.
   e. Configure the IPSec options as follows:
      - Description: CorpNetVPN
      - Server: 198.28.56.34
      - Account: mbrown
      - Secret: asdf1234$
   f. In the upper right, select Save.
3. Connect to the VPN just created.
   a. Under VPN Configuration, slide Not Connected to ON.
   b. When prompted, enter L3tM31nN0w (0 = zero) as the password.
   c. Select OK.
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by creating an access control list. You have been asked to prevent video game consoles from connecting to the switch.
In this lab, your task is to:
- Create a MAC-based ACL named GameConsoles.
- Configure the GameConsoles MAC-based access control entry (ACE) settings as follows:
  Priority / Action / Destination MAC Address / Source MAC Address
  - 1 / Deny / Any / Value: 00041F111111, Mask: 000000111111
  - 2 / Deny / Any / Value: 005042111111, Mask: 000000111111
  - 3 / Deny / Any / Value: 000D3A111111, Mask: 000000111111
  - 4 / Deny / Any / Value: 001315111111, Mask: 000000111111
  - 5 / Deny / Any / Value: 0009BF111111, Mask: 000000111111
  - 6 / Deny / Any / Value: 00125A111111, Mask: 000000111111
- Bind the GameConsoles ACL to all of the GE1-GE30 interfaces.
  - Use Copy Settings to apply the binding to multiple interfaces
- Save the changes to the switch's startup configuration file.
  - Use the default settings.
1. Create the GameConsoles ACL.
   a. From the Getting Started page, under Quick Access, select Create MAC-Based ACL.
   b. Select Add.
   c. In the ACL Name field, enter GameConsoles.
   d. Click Apply and then click Close.
2. Create MAC-based access control.
   a. Select MAC-Based ACE Table.
   b. Select Add.
   c. Enter the priority.
   d. Select the action.
   e. For Destination MAC Address, make sure Any is selected.
   f. For Source MAC Address, select User Defined.
   g. Enter the source MAC address value.
   h. Enter the source MAC address mask.
   i. Click Apply.
   j. Repeat steps 2c-2i for additional ACE entries.
   k. Click Close.
3. Bind the GameConsoles ACL to all of the interfaces.
   a. From the left pane, under Access Control, select ACL Binding (Port).
   b. Select GE1.
   c. At the bottom of the window, select Edit.
   d. Click Select MAC-Based ACL.
   e. Select Apply and then select Close.
   f. Select Copy Settings.
   g. In the Copy configuration's to field, enter 2-30.
   h. Click Apply.
4. Save the Configuration.
   a. From the top of the window, select Save.
   b. Under Source File Name, make sure Running configuration is selected.
   c. Under Destination File Name, make sure Startup configuration is selected.
   d. Click Apply.
   e. Click OK.