
Environment Configuration

Servers | Routers | Firewalls | IPs

Created By: Oliver Karr, Chad Brown, Matt Graham

[Network diagram]

Corp.Group3.Tech
  Client Machines: Win7-1, Win7-2, Win8-1
  Corp Servers:
    GP3ADS001: AD-Domain Controller, DNS, DFS sync to GP3DFS001
    GP3ADS002: AD-Domain Controller, DNS, DHCP
    GP3DFS001: AD-Tools, DFS sync to GP3ADS001, Exchange 2010: HUB, CA, Mailbox, RDP-Manager

Group3.Tech
  DMZ Servers:
    GP3DMZDNS: WORKGROUP, Stand-alone DNS
    GP3WEB001: WORKGROUP, Stand-alone IIS
    GP3EML001: WORKGROUP, Exchange 2010: Edge Transport

Contents

Infrastructure
  Router: Cisco 4507
  Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5
  Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5
DMZ
  GP3WEB001 - 10.145.223.8
  GP3EML001 - 10.145.223.9
  GP3DMZDNS - 10.145.223.7
Internal Network
  GP3ADS001 - 10.145.243.10
  GP3ADS002 - 10.145.243.11
  GP3DFS001 - 10.145.243.52
  C1 - Set to DHCP
  C2 - Set to DHCP
  C3 - Set to DHCP
Testing Scenarios and Results
  Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5
  Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5
  Proxy Server:
  Web Server: GP3WEB001 - 10.145.223.8
  E-Mail Server: GP3EML001 - 10.145.223.9
  DNS: GP3DMZDNS - 10.145.223.7
  Configuring a Syslog Server: Installation and Configuration
  Active Directory: GP3ADS001 - 10.145.243.10
  Active Directory: GP3ADS002 - 10.145.243.11
  File Share Server: GP3DFS001 - 10.145.243.12

Infrastructure
Router: Cisco 4507
The router is preconfigured by the ISP (AlanNET) with a public IP range of 10.145.200.131 to 140.

  10.145.200.131 for MS-RDP (tested, takes authenticated user to GP3DFS001)
  10.145.200.132 for WEB (
  10.145.200.133 for DMZDNS
  10.145.200.134 for DMZ EMAIL (Mail Enable tested, internal and outgoing mail)
  10.145.200.135 for VPN PPTP
  10.145.200.136 (Not Assigned)
  10.145.200.137 (Not Assigned)
  10.145.200.138 (Not Assigned)
  10.145.200.139 (Not Assigned)
  10.145.200.140 (Not Assigned)

Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5
a. “First Line of Defense” configured to route traffic to the DMZ servers and to the WAN port of Firewall 2.
   a. Port Forwarding
   b. 1:1 NAT
   c. All outgoing traffic is auto configured by pfsense.
b. Rules
   a. WAN

Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5
1. Firewall 2 is configured to route traffic from the DMZ zone to the private LAN.
2. VPN setup for PPTP
   a. Configuration
3. Firewall 2 is also configured with Squid and SquidGuard to provide a proxy server for the clients, as well as an active blacklist for websites that shouldn't be accessed.
   a. Proxy server settings for client side
   b. Configuration on firewall
   c. Blacklist rule configuration settings
   d. Testing SquidGuard
4. Firewall 2 also has HAVP antivirus installed, which has been tested and confirmed working.
   a. Anti-virus status page
   b. Anti-virus test passed. Used www.eicar.org/download/eicar.com.txt

Installing and Configuring Snort:

Fig 1 – Configuring the interface and verifying that Snort is enabled and that blocking of attacks is enabled.

Fig 2 – Configuring the global settings of Snort: installing and configuring the various rules (the Emerging Threats rule, the automatic updates rule, and the logging and removal of blocked hosts rule).

Fig 3 – Under the If Settings tab, configuring the interface to these specific settings.

Fig 4 – Under the Preprocessors tab, enabling the following options: “Collect Performance Statistics for this interface” and “Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies”.

Fig 5 – In the Preprocessors tab, enabling the following options under the “Portscan Settings” section and in the “General Preprocessor Settings” section.

DMZ
GP3WEB001 - 10.145.223.8
1. Server 2008 R2 Service Pack 1
   a. GP3WEB001 is not joined to a domain but instead left on WORKGROUP.
2. Enabled remote desktop NLA
3. Added local Administrator account for each administrator on the network.
   a. Added each Administrator to the RDP-NLA access list
4. Firewall 1 has PAT set up to redirect port 80 traffic to the web server.
5. The web server is hosting the public website for our Group3.com.
6. Downloaded an HTML template and placed it within the C:\Inetpub\wwwroot directory
   a. The IIS default website, created during installation, uses the Index.html file of the template to display our website.
   b. An A record in corp.group3.tech was created to point to the DMZWEB server. Later a group policy will be created to have all users' default homepage load as our website.
      i. Corpweb 10.145.223.8
   c. The website is accessible from the public and other Group# companies.
   d. Once our DMZDNS is registered with AlanNet, our A and MX records will lead our public searchers to our website.

GP3EML001 - 10.145.223.9
1. Server 2008 R2 Service Pack 1
   a. GP3EML001 is not joined to a domain but instead left on WORKGROUP.
   b. The Network is set to group3.tech (see the two images below)
2. Enabled remote desktop NLA
3. Added local administrator account for each administrator on the network.
   a. Also added each admin to the RDP-NLA access list
4. Installed Exchange 2010
   a. Edge Transport Role with Management Tools
      i. Once the Transport role is installed, the remaining steps are completed by the HUB Transport in the corp VLAN. Use the command “New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"” to generate a subscription on the EDGE; this is how the HUB can control the Edge server. Copy the XML file to GP3DFS001 and import the Edge server.
   b. Firewall 1 has PAT\NAT set up to redirect port 25 traffic to the email server 10.145.223.9.
   c. Ensure either the HOST file or DMZDNS is modified with the 10.145.223.6 GP3DFS001
   d. Ensure FW2 has DNS 53 and 586 port forwarded to the LAN address (not a specific machine)
      i. This allows both DNS servers to listen and the Exchange Hub Role to listen as well.
5. Roles Installed - Active Directory Lightweight Directory Services, Web Server (IIS)
6. Features Installed - RPC over HTTP Proxy, Remote Server Administration Tools, Role Administration Tools, AD DS and AD LDS Tools, AD DS Snap-Ins and Command-Line Tools, Active Directory Administrative Center, Server for NIS Tools, AD LDS Snap-Ins and Command-Line Tools, Active Directory module for Windows PowerShell, Web Server (IIS) Tools, Windows Process Activation Service, Process Model, .Net Environment, Configuration APIs, .Net Framework 3.5.1 Features

GP3DMZDNS - 10.145.223.7
1. Server 2008 R2 Service Pack 1
   a. GP3EML001 is not joined to a domain but instead left on WORKGROUP.
   b. The Network is set to group3.tech (see the two images below)
2. Enabled remote desktop NLA
3. Added local administrator account for each administrator on the network.
   a. Also added each admin to the RDP-NLA access list
4. DNS is installed as a standalone server, as it is not joined to the domain.
   a. The TCP/IP DNS settings are set to itself and 8.8.8.8 (Google DNS).
   b. The Zone Transfer is set to Any Server.
      i. The corp DNS is set up to pull this server’s DNS entries as a STUB zone.
   c. Each A record is created manually, as the servers do not create or update the records as they change.
5. Roles Installed - DNS Server
6. Features Installed - Remote Server Administration Tools, Role Administration Tools, DNS Server Tools
7. Created A records for:
   a. Each DMZ server
   b. Corpweb, internal website
   c. Pfsense, to easily access the pfsense firewall

Internal Network
GP3ADS001 - 10.145.243.10
1. Server 2008 R2 Service Pack 1
2. Active Directory
   a. Domain Name: Corp.Group3.Tech
3. DNS (primary)
4. File Services
   a. Distribution File Services
      i. Uses 2nd HDD for DFS replication to GP3DFS001 and hosts \\corp.group3.tech\cloud namespace

GP3ADS001 is the first Domain Controller for Corp.Group3.tech. All 5 of the FSMO roles are present on this server, as Exchange had issues installing when the Infrastructure Operation Master was on GP3ADS002. DNS is installed for Active Directory. These records, for the most part, are updated as machines are added and removed. Additional configuration includes adding the reverse lookup zones for the CORP and DMZ networks and adding “STUB” zones for the DMZ (ensure the DMZ DNS name server IP is not the loopback). Distributed File Services is installed and replicated to GP3DFS001.

GP3ADS002 - 10.145.243.11
1. Server 2008 R2 Service Pack 1
2. Active Directory
   a. Domain Name: Corp.Group3.Tech
3. Enabled remote desktop NLA
4. DNS (secondary)
5. DHCP
   a. Subnet: 10.145.243.50 – 100
   b. DNS: 10.145.243.10, 10.145.243.11
   c. Gateway set to 10.145.243.5

GP3DFS001 - 10.145.243.52
1. Server 2008 R2 Service Pack 1
2. Features Installed - RPC over HTTP Proxy, Remote Server Administration Tools, Role Administration Tools, AD DS and AD LDS Tools, AD DS Snap-Ins and Command-Line Tools, Active Directory Administrative Center, Server for NIS Tools, Active Directory Module for Windows PowerShell, File Services Tools, Distributed File System Tools, Web Server (IIS) Tools, Feature Administration Tools, Failover Clustering Tools, Telnet Client, Windows Process Activation Service, Process Model, .NET Environment, Configuration APIs, .NET Framework 3.5.1 Features, WCF Activation, HTTP Activation, Non-HTTP Activation
3. Active Directory Services Installed (not a DC)
   a. Domain Name: Corp.Group3.Tech
4. Enabled remote desktop NLA
   a. Firewall 1 passes port 3389 from the internet to the Firewall 2 WAN. Firewall 2 passes 3389 from the DMZ WAN to GP3DFS001. From here we can manage the whole environment.
5. Install Remote Desktop Manager from Microsoft.com
   a. Configure RDP list for EACH server and client
6. Install role DFS
   a. GP3DFS001 is a Distributed File Server with GP3ADS001
7. Install Exchange 2010 HUB, CA & Mailbox Roles
   a. Sync with GP3EML001 in the DMZ using the Edge generated sub transcript.
   b. The HUB server is the only way to edit the settings on the Edge Transport server.
   c. Added the additional SMTP receive connectors (FQDN) and send connectors (FQDN).
   d. Ensure DNS can resolve from Corp to DMZ (edge server IP), Corp to Internet and DMZ to Internet.
      i. Use PING and NSLOOKUP commands to test\diagnose.

NOTE: Exchange successfully sent mail internally and to internet email accounts, e.g. Gmail or Hotmail.

C1 - Set to DHCP
1. Windows 7: Service Pack 1
   a. Joined To Domain: Corp.Group3.Tech
2. Enabled remote desktop NLA
3. Installed Office
   a. Outlook – Auto config to mailbox per user account upon first open

C2 - Set to DHCP
1. Windows 7: Service Pack 1
   a. Joined To Domain: Corp.Group3.Tech
2. Enabled remote desktop NLA
3. Installed Office
   a. Outlook – Auto config to mailbox per user account upon first open

C3 - Set to DHCP
1. Windows 8:
   a. Joined To Domain: Corp.Group3.Tech
2. Enabled remote desktop NLA
3. Installed Office
   a. Outlook – Auto config to mailbox per user account upon first open

Testing Scenarios and Results
Objectives: Testing the Infrastructure of Firewall #1, Firewall #2, Web Server, DNS Server, Internal Network, Active Directory Server, DHCP, VPN, E-Mail, Proxy Server with Anti-Virus Installed, Accessing The Group 3 Website & Installing and Configuring a Syslog Server

Firewall 1 - WAN - 10.145.200.131 LAN - 10.145.223.5

Accessing Firewall #1 through PfSense

Firewall 2 - WAN - 10.145.223.6 LAN - 10.145.243.5

Accessing Firewall #2 through PfSense

Proxy Server:

HAVP is set up properly and is fully operational.

After trying to access an inappropriate website, we can see that, just like HAVP, SquidGuard is set up properly and is fully operational.

Web Server: GP3WEB001 - 10.145.223.8

On the web server, running a trace route to group3.tech from the command prompt

Accessing the Group 3 Website http://www.group3.tech

E-Mail Server: GP3EML001 - 10.145.223.9

Sent and received E-mail between Group 3 and Group 1

E-Mail sent, received and replied to ACarter@tech.div

DNS: GP3DMZDNS - 10.145.223.7

Using the command prompt on the web server to ping the DNS machine “GP3DMZDNS - 10.145.223.7”

On the DNS machine “GP3DMZDNS - 10.145.223.7”, viewing the A records from the Server Manager

Configuring a Syslog Server: Installation and Configuration

Configure Remote logging from the internal and external firewalls

Configure pfSense Firewall 2 with a LAN and WAN rule allowing port 514 to send to the DMZDNS server. “Please Note: Had to create a rule to allow Port #514 through WAN”

Checked statistics to make sure the syslog server is receiving logs from both firewalls
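The check described above can also be scripted. This is an added example, not part of the original document: it takes (sender IP, raw line) pairs as a syslog receiver would see them and reports which firewall has gone silent. The sender addresses (Firewall 1 LAN, Firewall 2 WAN), the function names and the sample datagrams are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: senders as seen by the syslog server on GP3DMZDNS (10.145.223.7).
# Firewall 1 logs from its LAN address, Firewall 2 from its WAN address.
EXPECTED_SOURCES = {"10.145.223.5": "Firewall 1", "10.145.223.6": "Firewall 2"}

# BSD syslog (RFC 3164) header: <PRI>Mmm dd hh:mm:ss, then the message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<rest>.*)$"
)

def parse_line(raw):
    """Decode one datagram; return None if it is not RFC 3164 shaped."""
    m = HEADER_RE.match(raw)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility is 0-23 and severity 0-7, so PRI tops out at 191
        return None
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group("ts"), "rest": m.group("rest")}

def source_coverage(datagrams, expected=EXPECTED_SOURCES):
    """Summarise (sender_ip, raw_line) pairs per expected firewall."""
    received, malformed, unexpected = Counter(), Counter(), set()
    for sender_ip, raw in datagrams:
        if sender_ip not in expected:
            unexpected.add(sender_ip)       # something else is logging to us
        elif parse_line(raw) is None:
            malformed[sender_ip] += 1       # arrived, but not usable
        else:
            received[sender_ip] += 1
    silent = sorted(ip for ip in expected if received[ip] == 0)
    return {"received": dict(received), "malformed": dict(malformed),
            "silent": silent, "unexpected": sorted(unexpected)}

# Constructed sample datagrams (not captured from the lab).
SAMPLE = [
    ("10.145.223.5", "<134>Mar  4 10:15:02 fw1 pf: constructed sample message 1"),
    ("10.145.223.5", "<134>Mar  4 10:15:09 fw1 pf: constructed sample message 2"),
    ("10.145.223.6", "constructed line with no priority header"),
    ("10.145.223.8", "<13>Mar  4 10:16:00 web test: constructed, not a firewall"),
]

if __name__ == "__main__":
    report = source_coverage(SAMPLE)
    for ip in report["silent"]:
        print(f"no valid syslog from {EXPECTED_SOURCES[ip]} ({ip})")
    print(report)
```

When one firewall appears under "silent" while the other reports normally, the port 514 rule on the interface facing the syslog server is the first thing to check.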

Active Directory: GP3ADS001 - 10.145.243.10

Accessing the Server Manager on the Active Directory machine “GP3ADS001 - 10.145.243.10” and showing that all the necessary roles are installed

Active Directory: GP3ADS002 - 10.145.243.11

DHCP

Accessing the Server Manager on the Active Directory machine “GP3ADS002 - 10.145.243.11” and showing that the DHCP Server is correctly configured

File Share Server: GP3DFS001 - 10.145.243.12

Distributed File System installed as a role, with Corp.Group3.Tech successfully replicated under the sub-folder entitled Cloud1

Remote Desktop Hub to environment

Administrators can use Remote Desktop from the “Internet” side of FW1 to the File Server and successfully access the rest of the Internal Network