http://ocw.cs.pub.ro/courses/ 2026-05-15T02:36:45+03:00 http://ocw.cs.pub.ro/courses/ http://ocw.cs.pub.ro/courses/lib/tpl/arctic/images/favicon.ico text/html 2015-02-26T17:47:46+03:00 http://ocw.cs.pub.ro/courses/sred/2014?rev=1424965666&do=diff Orar laborator * Joi, 16:00 - 18:00, sala ED011 * Joi, 20:00 - 22:00, sala ED011 Regulament curs * La curs nu este permisă utilizarea laptopurilor de către studenți. Regulament laborator * Laboratorul se desfășoară pe semigrupe. O semigrupă este formată din cel mult 16 studenți. Nu se poate face suplimentarea locurilor. * Laboratoarele nu se pot reface. Punctajul maxim se obține cu 1000 de puncte. * Fiecare laborator este punctat cu maxim 100 de puncte. * Este permisă o înt… text/html 2013-02-10T13:13:30+03:00 http://ocw.cs.pub.ro/courses/sred/courses?rev=1360494810&do=diff courses index text/html 2022-10-28T14:21:06+03:00 http://ocw.cs.pub.ro/courses/sred/lab3?rev=1666956066&do=diff Setup Story After a period of time, our company managed to have some income and decided to invest it in security equipment, a license for a Cisco Firepower Threat Defense (known as FTD). In the first day, as expected, there is need to setup the virtual machine and create a simple topology with the server connected in Outside zone and client area in Inside one. text/html 2022-11-18T15:15:16+03:00 http://ocw.cs.pub.ro/courses/sred/lab5?rev=1668777316&do=diff Setup Story After gaining some experience with Cisco Firepower, our company decided to test a firewall product from a different vendor: Fortinet, called FortiGate. It will be used firstly to create simple configs (like the ones did on lab3): create the qemu image path, the node on eve-ng, and deploy the machine, configure the interfaces and policy rules between interfaces. text/html 2022-11-25T13:43:25+03:00 http://ocw.cs.pub.ro/courses/sred/lab6?rev=1669376605&do=diff Setup On the last lab, remember that we used a licensed Forti VM (used for a maximum of 1 vCPU and 2 GB RAM) with Internet access, with a lic that gets invalidated after few minutes. user@host:# ssh -l root $YOUR_EVE_NG_IP # default passwd is student root@SRED:~# df -h | grep SRED--vg /dev/mapper/SRED--vg-root 67G 52G 12G 83% / # if you have more than 60G used, delete old labs from eveng webui # (for each node you create, there are new qcow2 files using the based ones) text/html 2022-12-16T15:37:41+03:00 http://ocw.cs.pub.ro/courses/sred/lab7?rev=1671197861&do=diff Setup Story After a period of time, we finally managed to open a new branch in a different city that is also using a FortiGate device for network protection. We just need to create an IPsec tunnel to mutual connect branches using different configurations (dialup user vs. static ip, aggresive mode vs. main). We are going to start with a single tunnel, then create a backup one (using a secondary network connection). text/html 2022-12-16T19:18:38+03:00 http://ocw.cs.pub.ro/courses/sred/lab8?rev=1671211118&do=diff Setup Story After setting virtual domains on FGT device, we decided to also implement high availability (HA) on 2 machines in Active-Active mode. For this, we require to deploy a new node on the current topology and 2 switches for connecting the existing endpoints. text/html 2023-01-13T17:04:01+03:00 http://ocw.cs.pub.ro/courses/sred/lab9?rev=1673622241&do=diff Setup Story After configuring HA between the two available firewalls, we decided for our employees to offer them remote access (work from home). This will be possible using SSL-VPN feature and an authentication profile using 1FA (we can also configure 2FA, but due to limited budget, we do not have this part available). text/html 2021-11-29T14:02:45+03:00 http://ocw.cs.pub.ro/courses/sred/lab11?rev=1638187365&do=diff text/html 2022-11-11T13:52:23+03:00 http://ocw.cs.pub.ro/courses/sred/labextraftd?rev=1668167543&do=diff Story Our company is still using the FTD for connecting and protecting the 2 branches (with client1 and client2) to the Internet. Also, it wants to implement the full pipeline of security policies, starting with ssl decryption (for inspecting traffic using custom CAs), then continuing with security intelligence (for blocking IPs and URLs before reaching the access rules), and in the end the access rules for IPS on balanced level, different applications to be blocked, and URL categories that hav… text/html 2022-10-14T23:55:08+03:00 http://ocw.cs.pub.ro/courses/sred/laborator_1._acl?rev=1665780908&do=diff Setup Story In an imaginary scenario, our company is at the beginning and has few money to invest in infrastructure. We have a HQ with 1 Linux machine serving as the web server and 2 branches represented with 1 client per each one. The routing between them is done using a Cisco router and minimum filtering provided by ACLs. text/html 2022-10-30T20:53:58+03:00 http://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf?rev=1667156038&do=diff Setup Story In our basic topology scenario, due to small budget our company still uses the old Cisco equipment for routing and filtering, but this time the second branch closed and added instead a visitor network (may be used by people that come at interview). After seeing some attacks done in our internal network like DoS, we decided to test different approaches: started with TCP intercept, continuing with CBAC and in the end implemented successfully a better security solution - zone based fi… text/html 2022-11-04T14:40:57+03:00 http://ocw.cs.pub.ro/courses/sred/laborator_3._dedicated_firewall_security?rev=1667565657&do=diff Setup Story After deploying and configuring successfully the FTD and creating a basic topology with just 1 internal client, we decided to create another internal zone called internal2 for a secondary branch. Moreover, we studied in depth some features of FTD and decided to apply them in our secured network: text/html 2024-10-22T18:34:23+03:00 http://ocw.cs.pub.ro/courses/sred/milestone_1?rev=1729611263&do=diff The final topology for the entire project should look like the one found below: For the first milestone we are going to work only with the first 2 branches (Bucharest and IT), the DMZ area (where servers are found), and the router. Week 1 In the first week, let's start with a simpler topology: text/html 2025-01-14T17:56:38+03:00 http://ocw.cs.pub.ro/courses/sred/milestone_2?rev=1736870198&do=diff Starting with week 3, we are going to work with pfSense, an open source firewall with documentation that can be consulted here. Topology we are going to use this week: 1. Download the iso.gz file: <https://www.pfsense.org/download/> (latest version tested 2.6) text/html 2024-01-19T20:17:56+03:00 http://ocw.cs.pub.ro/courses/sred/milestone_3?rev=1705688276&do=diff This milestone we are going to work with VPN on pfsense, remote access and site-to-site VPN types. <https://superuser.com/a/1391940><https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html#login-protection> For configuring remote access vpn (RA-VPN) using openvpn, the following steps need to be done: text/html 2020-11-14T21:57:03+03:00 http://ocw.cs.pub.ro/courses/sred/setup_lab?rev=1605383823&do=diff Setup lab Cisco (OLD - GNS3 - 2019) See here the required files for creating on your machines the topologies found in labs (you need to be enrolled on course for accessing them). Folder Tools contains: * GNS3 installer (version 2.2.0). After installation, access the application and choose for setup wizard: 'Run appliances on my local computer' and leave for default configuration for server path, IP (localhost) and TCP port (3080). For configuring your profile, add new machines etc., access… text/html 2024-10-29T19:18:59+03:00 http://ocw.cs.pub.ro/courses/sred/setup_lab_on-premise?rev=1730222339&do=diff If you want to install on your local host/own server/cloud this eve-ng machine, you can look over the next steps to make sure the process is done corectly. Download here the iso file eve-ng free edition, then in vmware workstation/vmware esx create a new VM with the following configuration: text/html 2024-12-03T19:53:31+03:00 http://ocw.cs.pub.ro/courses/sred/setup_lab_openstack?rev=1733248411&do=diff To create a new eve-ng instance on Openstack infrastructure: 1. Login to Openstack via <https://cloud.grid.pub.ro/> using login upb (same steps used for login to curs upb). You should be alreayd included in sred_prj (in case you do not have access, please contact @horia.stoenescu via Teams). text/html 2023-10-14T13:50:27+03:00 http://ocw.cs.pub.ro/courses/sred/setup_lab_remote?rev=1697280627&do=diff Host VPN connection For remote connection to lab machines, we are going to use GlobalProtect or GP (the vpn client developed by Palo Alto Networks). 1 A). In case you have on your host Windows/MacOS installed: from any browser go to portal address vpn.upb.exam.live (!!do not ping it!!, it does not respond to icmp-echo requests), login in the new window with student credentials and download the agent for your OS - Windows or MacOS (win 32b, win 64b or macos 32/64b). text/html 2024-11-29T10:53:10+03:00 http://ocw.cs.pub.ro/courses/sred/sidebar?rev=1732870390&do=diff * Setup lab Openstack * Eve-ng cloud setup * Eve-ng on-premise setup * Setup lab Cisco (OLD - GNS3 - 2019) * Milestone 1 * Milestone 2 * Milestone 3 Cookbooks: * EVE-NG 5.3 * pfsense courses index See them on course page lectures index labs index info index