Network Security Project To Help Land A Cybersecurity Job


Scenario

After successfully installing a network upgrade for your company’s client, you have been asked to perform another cybersecurity service for that client. The client hired a consultant to configure a newly installed Cisco NGFW (Next-Gen Firewall) with a Threat Protection feature to support production and operations. You are tasked with configuring Threat Protection to protect the Internal Systems and the Servers placed in the DMZ.

Task

A network diagram is shown below:

Network IP Details

INTERNAL/TRUSTED NETWORK:

  • CEO PC – 192.168.0.5
  • Production Server – 192.168.0.10
  • HR PC – 192.168.0.15
  • Default Gateway (Inside Interface) – 192.168.0.1

DMZ NETWORK:

  • Web Server – 10.200.0.5
  • Database Server – 10.200.0.10
  • Default Gateway (DMZ Interface) – 10.200.0.1

LAB 1: Firewall Configuration

  • Firewall Interface Configuration:
      • G0/0: Outside-Interface – 10.127.250.2/27 (Public IP for accessing the Internet)
      • G0/1: Inside-Interface – 192.168.0.1/24 (Private IP for the Internal Network)
      • G0/2: DMZ-Interface – 10.20.0.1/24 (Private IP for the Servers)
  • Configure Static Routing to route the Internal/DMZ traffic to the Outside-Interface:
  • Configure NAT for the Internal/DMZ Interfaces to access the Internet:
  • Configure Access Rules allowing all the Inter-/Intra-Network Traffic:
  • Test from the “CEO PC” whether the Internet is accessible:
  • Verify the same from the Firewall Logs:

LAB 2: Implementing Network Restrictions

TASK:

  1. Only the CEO PC has Full Internet Access and DMZ Access
  2. The HR PC cannot communicate with the DMZ Network but can communicate within the Trusted Network
  3. The DMZ Network cannot communicate with the Internet but can communicate with the Trusted Network

Step 1: Let’s create the Firewall Rules:

EXPLANATION:

Rule 1: CEO – Full Access

This Rule will ALLOW FULL ACCESS for all traffic originating from the CEO’s PC.

Rule 2: DMZ to Internal – Allow

This Rule will ALLOW FULL ACCESS for the traffic originating from the DMZ Network and going towards the Internal/Trusted Network.

Rule 3: DMZ to Internet – Block

This Rule will BLOCK all the traffic originating from DMZ and going towards the Internet.

Rule 4: Inside to DMZ – Block

This Rule will BLOCK all the traffic originating from the Internal/Trusted Network and going towards the DMZ Network. 

Rule 5: Default Action – Block

If none of the above rules matches the traffic, the firewall will DROP it as part of the Default Action – Block.

Note: Access Rule placement is critical, as the firewall processes rules in top-to-bottom order and applies the first rule that matches the traffic.

Step 2: Testing the Traffic Flow via Ping from CEO to DMZ Network and verifying it via Firewall Logs

Step 3: Testing the Traffic Flow from CEO PC to Internal Network via Ping

Note: Internal (intra-network) communication does not flow through the firewall, hence no firewall logs are generated for it.

Step 4: Testing the Internet Connectivity from the CEO’s PC via browsing the “Flipkart Website (72.163.128.140)” and checking the Firewall Logs

Step 5: Testing the Ping from the HR Machine to the DMZ Network and verifying the Firewall Logs for Block Traffic

Step 6: Test the communication from DMZ Network towards Internal Network and verify it through the Firewall Logs for Allowed Traffic

Step 7: Test the Internet Access by browsing “flipkart.com (72.163.128.140)” from DMZ Network and verify the Firewall Logs for BLOCKED Traffic
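The following Python model is an added example and is not part of the article, nor Cisco’s own configuration syntax. It renders the five Lab 2 rules as data, classifies source and destination into the Inside/DMZ/Outside zones with a longest-prefix routing lookup, evaluates the rules top to bottom with first match wins, and then replays the flows tested in Steps 2–7 (plus the HR-to-Internet case implied by requirement 1) so the expected ALLOW/BLOCK result of each step can be checked before touching the firewall. It goes one step beyond the text by re-running the checks with Rule 1 moved to the bottom, which shows why the note about rule placement matters. Assumptions: the DMZ prefix is taken as 10.200.0.0/24 so that the listed server addresses (10.200.0.5, 10.200.0.10) and DMZ gateway (10.200.0.1) fall inside it, whereas the Lab 1 bullet lists the DMZ interface as 10.20.0.1/24; the matcher structure (host vs. zone) and all function names are the example’s own.

```python
"""First-match access-policy model for the Lab 2 rule set (added example)."""
from ipaddress import ip_address, ip_network

# Routing/interface table: longest-prefix match decides the zone of an address.
# Assumption: the DMZ is 10.200.0.0/24 so that the listed servers and the DMZ
# gateway 10.200.0.1 fall inside it (Lab 1 shows the interface as 10.20.0.1/24).
ROUTES = [
    (ip_network("192.168.0.0/24"), "inside"),   # G0/1 Inside-Interface
    (ip_network("10.200.0.0/24"), "dmz"),       # G0/2 DMZ-Interface (see assumption)
    (ip_network("0.0.0.0/0"), "outside"),       # G0/0 default route to the Internet
]


def zone_of(ip: str) -> str:
    """Return the security zone an address belongs to (longest prefix wins)."""
    addr = ip_address(ip)
    _net, zone = max(((n, z) for n, z in ROUTES if addr in n),
                     key=lambda entry: entry[0].prefixlen)
    return zone


# Access rules in evaluation order: (name, source match, destination zone, action).
# Source match is a single host or a whole zone; "any" matches every destination.
RULES = [
    ("Rule 1: CEO - Full Access",       {"host": "192.168.0.5"}, "any",     "ALLOW"),
    ("Rule 2: DMZ to Internal - Allow", {"zone": "dmz"},         "inside",  "ALLOW"),
    ("Rule 3: DMZ to Internet - Block", {"zone": "dmz"},         "outside", "BLOCK"),
    ("Rule 4: Inside to DMZ - Block",   {"zone": "inside"},      "dmz",     "BLOCK"),
]
DEFAULT_RULE = ("Rule 5: Default Action - Block", "BLOCK")


def rule_matches(rule, src: str, dst: str) -> bool:
    _name, src_match, dst_zone, _action = rule
    if "host" in src_match and src != src_match["host"]:
        return False
    if "zone" in src_match and zone_of(src) != src_match["zone"]:
        return False
    return dst_zone == "any" or zone_of(dst) == dst_zone


def evaluate(src: str, dst: str, rules=RULES):
    """Return (action, rule name) for a flow; the first matching rule wins."""
    if zone_of(src) == zone_of(dst):
        # Same-segment traffic is switched locally and never reaches the firewall,
        # which is why Step 3 produces no firewall log.
        return ("NOT INSPECTED", "intra-zone traffic does not traverse the firewall")
    for rule in rules:
        if rule_matches(rule, src, dst):
            return (rule[3], rule[0])
    return (DEFAULT_RULE[1], DEFAULT_RULE[0])


# Constructed test flows mirroring Lab 2 Steps 2-7, plus the HR-to-Internet case
# implied by requirement 1 ("Only the CEO PC has Full Internet Access").
TEST_FLOWS = [
    ("Step 2: CEO PC -> DMZ Web Server",      "192.168.0.5",  "10.200.0.5",     "ALLOW"),
    ("Step 3: CEO PC -> HR PC",               "192.168.0.5",  "192.168.0.15",   "NOT INSPECTED"),
    ("Step 4: CEO PC -> Internet",            "192.168.0.5",  "72.163.128.140", "ALLOW"),
    ("Step 5: HR PC -> DMZ Web Server",       "192.168.0.15", "10.200.0.5",     "BLOCK"),
    ("Step 6: DMZ Web Server -> Prod Server", "10.200.0.5",   "192.168.0.10",   "ALLOW"),
    ("Step 7: DMZ Web Server -> Internet",    "10.200.0.5",   "72.163.128.140", "BLOCK"),
    ("Req 1:  HR PC -> Internet",             "192.168.0.15", "72.163.128.140", "BLOCK"),
]


def run_tests(rules=RULES) -> dict:
    """Evaluate every test flow; map label -> (action, matched rule, passed?)."""
    results = {}
    for label, src, dst, expected in TEST_FLOWS:
        action, hit = evaluate(src, dst, rules)
        results[label] = (action, hit, action == expected)
    return results


def all_pass(rules=RULES) -> bool:
    return all(ok for _, _, ok in run_tests(rules).values())


def misordered_rules() -> list:
    """The same rules with the CEO rule moved beneath 'Inside to DMZ - Block'."""
    return RULES[1:] + RULES[:1]


if __name__ == "__main__":
    for label, (action, hit, ok) in run_tests().items():
        print(f"{'PASS' if ok else 'FAIL'}  {label:38} {action:14} via {hit}")
    print("\nWith Rule 1 moved to the bottom of the policy:")
    for label, (action, hit, ok) in run_tests(misordered_rules()).items():
        print(f"{'PASS' if ok else 'FAIL'}  {label:38} {action:14} via {hit}")
```

Running the script prints one PASS line per step for the policy as written; with Rule 1 moved to the bottom, Step 2 fails because the CEO-to-DMZ ping now hits “Rule 4: Inside to DMZ – Block” first, while Step 4 still passes because none of Rules 2–4 match an Inside-to-Outside flow. That is exactly the placement hazard the note above warns about, and the same replay can be repeated whenever a rule is added or moved.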

Conclusion:

By performing the above labs, you can now implement Network Security at a very granular level and protect the Internal Systems and the Servers that are placed within the DMZ Zone.

Junior Liango

Liango Mabele Junior is a Cloud Administrator whose passion for Network Security began in 2016 when he discovered Linux. Ever since then, he has worked on various Projects and Tech jobs including cybersecurityjunior.com, Africa Ethical Hacking, and Cyber Junior (GitHub Repository).
