This shows you the differences between two versions of the page.
sred:milestone_1 [2023/10/20 17:11] horia.stoenescu [Week 1] |
sred:milestone_1 [2024/10/22 18:34] (current) horia.stoenescu Updated for 2024 |
Line 1: | Line 1: | ||
========== Milestone 1 ========== | ========== Milestone 1 ========== | ||
- | The final topology for the entire project is the one from below: | + | The final topology for the entire project should look like the one found below: |
{{:sred:sred-topologie_proiect.png?750|}} | {{:sred:sred-topologie_proiect.png?750|}} | ||
- | For the ''first milestone'' (that is between 20th Oct - 4th Nov 2023) we are going to work only with the first 2 branches (Bucharest and IT), the DMZ area (where servers are found), and the router. | + | For the ''first milestone'' we are going to work only with the first 2 branches (Bucharest and IT), the DMZ area (where servers are found), and the router. |
===== Week 1 ===== | ===== Week 1 ===== | ||
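Review bot: the rewritten first-milestone sentence drops the 2023 date range without replacing it, so this paragraph no longer states when the milestone is due; since a 2024 deadline note is added further down under Week 1, consider a short pointer here ("see the deadline note under Week 1") so the scope statement and its timeframe stay together.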
Line 11: | Line 11: | ||
{{:sred:sred_topology_lab2.png?750}} | {{:sred:sred_topology_lab2.png?750}} | ||
+ | |||
+ | <note important> | ||
+ | Deadline: 12nd Nov 2024 (weeks 1 and 2 from below) | ||
+ | </note> | ||
<note> | <note> | ||
- | In case you did not attend the last lab, please read firstly this [[https://ocw.cs.pub.ro/courses/sred/setup_lab_remote|page]]. | + | In case you did not attend the last lab, please read firstly this [[https://ocw.cs.pub.ro/courses/sred/setup_lab_on-premise|page]]. |
</note> | </note> | ||
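Review bot: typo in the added deadline note, "Deadline: 12nd Nov 2024" should read "Deadline: 12th Nov 2024"; the rest of the hunk (the updated setup_lab_on-premise link) reads fine.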
Line 34: | Line 38: | ||
7. Install and start service ''ssh'' on server machine. Do not permit traffic from 10.10.10.0/24, but permit from 10.20.20.0/24. On which chain you will need to add it? Test the ssh connection from both machines (branch 1 and 2). | 7. Install and start service ''ssh'' on server machine. Do not permit traffic from 10.10.10.0/24, but permit from 10.20.20.0/24. On which chain you will need to add it? Test the ssh connection from both machines (branch 1 and 2). | ||
+ | |||
+ | ===== Week 2 ===== | ||
+ | We should continue now with adding new more servers to our DMZ area. Then, filter the traffic using the already added router. | ||
+ | |||
+ | 1. Using the docker image ''delfer/alpine-ftp-server'' (more details [[https://hub.docker.com/r/delfer/alpine-ftp-server|here]]), create a new container for ''ftp'' service and add credentials with user=student and password=student. | ||
+ | |||
+ | 2. Permit traffic to ftp only from it computer and deny from client one. Use an extended ACL and make sure to add it where it's required, on ''in'' side. For more information, check the chapter 4 (Standard and extended access lists) from this [[https://ocw.cs.pub.ro/courses/sred/laborator_1._acl|link]]. | ||
+ | |||
+ | 3. Test using cli that traffic from it works (authenticate with provided credentials) and denied from client. | ||
+ | <code> | ||
+ | it@host# ftp 10.30.30.2 | ||
+ | Connected to 10.30.30.2. | ||
+ | 220 Welcome Alpine ftp server[...] | ||
+ | </code> | ||
+ | |||
+ | 4. Next, we will create a time-range period on router, to permit traffic to ftp only during 12:00 to 20:00 (or an interval on which the entry is active). Check chapter 6 (Temporary access control) from this [[https://ocw.cs.pub.ro/courses/sred/laborator_1._acl|link]] and filter tcp port 21 from host 10.20.20.2 to host 10.30.30.2. | ||
+ | |||
+ | 5. Check again that ftp works from it client host. | ||
+ | |||
+ | 6. At last, let's permit traffic from client to webserver only if it's authenticated to telnet service. Check lock-and-key from chapter 6 from above. Add on router the credentials user=student and password=student, timeout 60, permit tcp port 80 on inbound, and permit tcp from any to any on outbound. | ||
+ | |||
+ | 7. Apply the ACLs to in and out on e1/2, check that access to webserver does not work (using cli), login using telnet, and check again. It should work. | ||
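Review bot: step 4 filters only tcp port 21, which is the FTP control channel, so the time-range entry does not cover the separate data connection FTP opens for directory listings and transfers (port 20 in active mode, a negotiated high port in passive mode); step 5's "check again that ftp works" may therefore log in but fail on ls/get. Either state that a successful login and the "220 Welcome" banner from step 3 is the acceptance criterion, or extend the ACL to the data ports. Minor wording: "it computer" and "it client host" in steps 2, 3 and 5 should read "IT" to match the branch name used in the milestone description, and "cli" should be "CLI".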