Differences
This shows you the differences between two versions of the page.
|
sred:milestone_1 [2023/10/20 15:59] horia.stoenescu created |
sred:milestone_1 [2024/10/22 18:34] (current) horia.stoenescu Updated for 2024 |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ========== Milestone 1 ========== | ========== Milestone 1 ========== | ||
| - | The final topology for the entire project is the one from below: | + | The final topology for the entire project should look like the one found below: |
| - | {{:sred:sred-topologie_proiect.png?1000|}} | + | {{:sred:sred-topologie_proiect.png?750|}} |
| - | For the ''first milestone'' (that is between 20th Oct - 4th Nov 2023) we are going to work only with the first 2 branches (Bucharest and IT), the DMZ area (where servers are found), and the router. | + | For the ''first milestone'' we are going to work only with the first 2 branches (Bucharest and IT), the DMZ area (where servers are found), and the router. |
| ===== Week 1 ===== | ===== Week 1 ===== | ||
| Line 11: | Line 11: | ||
| {{:sred:sred_topology_lab2.png?750}} | {{:sred:sred_topology_lab2.png?750}} | ||
| + | |||
| + | <note important> | ||
| + | Deadline: 12nd Nov 2024 (weeks 1 and 2 from below) | ||
| + | </note> | ||
| <note> | <note> | ||
| - | In case you did not attend the last lab, please read firstly this [[https://ocw.cs.pub.ro/courses/sred/setup_lab_remote|page]]. | + | In case you did not attend the last lab, please read firstly this [[https://ocw.cs.pub.ro/courses/sred/setup_lab_on-premise|page]]. |
| </note> | </note> | ||
| Line 20: | Line 24: | ||
| 1. Create the nodes (see [[https://ocw.cs.pub.ro/courses/sred/setup_lab_remote#create_a_new_node|here]] the tutorial) and connect them accordingly. For server, add 2 interfaces (make sure to select them when creating the node) - the first one connect to ''Cloud0'' and the second to router. | 1. Create the nodes (see [[https://ocw.cs.pub.ro/courses/sred/setup_lab_remote#create_a_new_node|here]] the tutorial) and connect them accordingly. For server, add 2 interfaces (make sure to select them when creating the node) - the first one connect to ''Cloud0'' and the second to router. | ||
| - | 2. Add IPs based on the topology (.1 for router and .2 for linux machine) and the required routes. At the end, make sure that linux machines are ping-able from one to another | + | 2. Add IPs based on the topology (.1 for router and .2 for linux machine) and the required routes. At the end, make sure that linux machines are ping-able from one to another. |
| + | |||
| + | For a reminder for Cisco, use this [[https://ocw.cs.pub.ro/courses/sred/setup_lab#cisco_routers|link]]. | ||
| 3. Install ''docker'' (engine and client) on the server instance (hint: snap) and start a webserver on port 80 (using image ''httpd''). | 3. Install ''docker'' (engine and client) on the server instance (hint: snap) and start a webserver on port 80 (using image ''httpd''). | ||
| + | For a docker tutorial, use this [[https://docker-curriculum.com/#docker-run|page]]. | ||
| 4. Make sure that webserver is reachable from linux_client1 and linux_it1 | 4. Make sure that webserver is reachable from linux_client1 and linux_it1 | ||
| Line 31: | Line 38: | ||
| 7. Install and start service ''ssh'' on server machine. Do not permit traffic from 10.10.10.0/24, but permit from 10.20.20.0/24. On which chain you will need to add it? Test the ssh connection from both machines (branch 1 and 2). | 7. Install and start service ''ssh'' on server machine. Do not permit traffic from 10.10.10.0/24, but permit from 10.20.20.0/24. On which chain you will need to add it? Test the ssh connection from both machines (branch 1 and 2). | ||
| + | |||
| + | ===== Week 2 ===== | ||
| + | We should continue now with adding new more servers to our DMZ area. Then, filter the traffic using the already added router. | ||
| + | |||
| + | 1. Using the docker image ''delfer/alpine-ftp-server'' (more details [[https://hub.docker.com/r/delfer/alpine-ftp-server|here]]), create a new container for ''ftp'' service and add credentials with user=student and password=student. | ||
| + | |||
| + | 2. Permit traffic to ftp only from it computer and deny from client one. Use an extended ACL and make sure to add it where it's required, on ''in'' side. For more information, check the chapter 4 (Standard and extended access lists) from this [[https://ocw.cs.pub.ro/courses/sred/laborator_1._acl|link]]. | ||
| + | |||
| + | 3. Test using cli that traffic from it works (authenticate with provided credentials) and denied from client. | ||
| + | <code> | ||
| + | it@host# ftp 10.30.30.2 | ||
| + | Connected to 10.30.30.2. | ||
| + | 220 Welcome Alpine ftp server[...] | ||
| + | </code> | ||
| + | |||
| + | 4. Next, we will create a time-range period on router, to permit traffic to ftp only during 12:00 to 20:00 (or an interval on which the entry is active). Check chapter 6 (Temporary access control) from this [[https://ocw.cs.pub.ro/courses/sred/laborator_1._acl|link]] and filter tcp port 21 from host 10.20.20.2 to host 10.30.30.2. | ||
| + | |||
| + | 5. Check again that ftp works from it client host. | ||
| + | |||
| + | 6. At last, let's permit traffic from client to webserver only if it's authenticated to telnet service. Check lock-and-key from chapter 6 from above. Add on router the credentials user=student and password=student, timeout 60, permit tcp port 80 on inbound, and permit tcp from any to any on outbound. | ||
| + | |||
| + | 7. Apply the ACLs to in and out on e1/2, check that access to webserver does not work (using cli), login using telnet, and check again. It should work. | ||
