Project: DMZ and Network Hardening Tutorial with Packet Tracer

This tutorial will cover setting up a DMZ architecture as well as some other network security controls.

DMZs are demilitarized zones, meaning that they are a subnetwork designed to expose externally-facing services to an untrusted network (usually the open Internet). This is used to protect an organization’s local-area network (LAN) from untrusted traffic. If we visualized it, a DMZ would sit in between the public internet and private networks.

Security controls are most effective when baked into whatever they are being applied to, and network infrastructure is no different. While network automation makes it possible to optimize configurations very quickly, it is more efficient to just get it right initially.

The topology layout consists of three major zones:

1. Internal
2. DMZ
3. External

Think of Internal and DMZ together as being our private network. This design strategy is a perfect example of significantly increasing security through network segmentation.

Topics to cover:

• Switchport assignment hardening
• Server Setup
• DCHP Snooping
• Arp Inspection
• Firewall configuration – DMZ setup with static routes
• Login / SSH setup
• Access Control Lists (ACLs)

If some of these terms seem foreign, spend some time researching them and at least know their basic purpose in a network before proceeding.

An extensive in-depth knowledge is not required to at least start configuring and see how these protocols work in action.

Download files for Packet Tracer

All files used in this tutorial can be viewed and downloaded here.

This tutorial includes 2 downloadable pkt files which you can access here:

1. DMZ_Setup_Base.pkt
2. DMZ_Setup_Finished.pkt

The first is the base to work from, while the second is so you can see the finished setup and compare with yours.

PKT files can be opened with Packet Tracer by Cisco.

If devices have passwords my defaults are:

• user: admin
• password: cisco
• enable: class

Quick Tips

• The question mark can be used for ANY positional parameter to see available command options
• Ctrl + a -> Moves cursor to the beginning of line
• Ctrl + e -> Moves cursor to the end of the line

Getting started

Base configurations (Environment, Vlans, IP addressing, inter-vlan to static routing) are already set up except the firewall.

These steps are covered in my tutorial called Project: Using Cisco Packet Tracer to learn networking.

Port Security

Lets start out by assigning end hosts to the appropriate vlan and securing physical interfaces.

The vlan design is relatively simple with worker, technician, and separate vlans for various servers.

This helps create segmentation as well as access control when ACLs are applied.

My recommended strategy is to configure the trunk and access ports in separate ranges. Take care of all the uniform commands that apply to all interfaces in that range; then apply interface specific commands like switchport access vlan [vlan #].

An ideal approach:

• Assign unused ports to Black_Hole vlan and shut them off
• Select all access interfaces and assign uniform commands
• Assign interfaces corresponding vlans

On Internal:

conf t
int ran f0/4-19, g0/1-2
switchport access vlan 999
shut
int ran f0/1-23, g0/1-2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
int f0/1
switchport access vlan 20
int ran f0/2-3
switchport access vlan 10
int f0/20
switchport access vlan 30
int f0/21
switchport access vlan 40
int ran f0/22-23
switchport access vlan 50
end
wr

On External:

conf t
int ran f0/4-23, g0/1-2
switchport access vlan 999
shut
int ran f0/1-23, g0/1-2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
int f0/1
switchport access vlan 80
int ran f0/2-3
switchport access vlan 70
end
wr

On DMZ:

conf t
int ran f0/4-23, g0/1-2
switchport access vlan 999
shut
int ran f0/1-23, g0/1-2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
int ran f0/1-3, f0/24
switchport access vlan 50
end
wr

At this point the interfaces should be assigned to their corresponding vlan or shut down.Each interface can only have a single mac-address tied to it or a security violation will shut down the port.

Verify configs:

show run
show ip interface brief
show vlan brief
show port security
Code language: PHP (php)

Internal server setup

To configure servers in Packet Tracer, simply open the server and click on the services tab.

Take notice that all unused services are turned off.

Before configuring any of these services make sure they are toggled on.

DHCP

Now let’s set up DHCP to dynamically assign IP addresses to end hosts.

The DHCP addressing is determined by the IP table. Let’s add a pool for each vlan.

On the DHCP server:

Click on the services tab, go to DHCP, and fill out the following layout:

Pool                Default Gateway         Start IP        Subnet Mask         Max User        
Name 

serverPool          0.0.0.0                 192.168.30.0    255.255.255.252         0
Worker Pool         192.168.10.1            192.168.10.2    255.255.255.248         2
Technician Pool     192.168.20.1            192.168.20.2    255.255.255.252         1
Code language: CSS (css)

When DHCP is configured through a server, the interface vlans should be assigned a helper IP to the DHCP server.

On Internal:

conf t
int vlan 10
ip helper-address 192.168.30.2
int vlan 20
ip helper-address 192.168.30.2
end
wr
Code language: CSS (css)

At this point DHCP should be configurable on the end hosts. Simply click on the end hosts, click on config tab and select FastEthernet0 or click on desktop tab and ip configuration; then switch from static to DHCP.

For external it will be configured on the L3 switch instead of a server, which is remarkably similar to a router DHCP config.

On External:

conf t
ip dhcp excluded-address 10.0.70.1
ip dhcp excluded-address 10.0.80.1
ip dhcp pool WORKERS
network 10.0.70.0 255.255.255.248
default-router 10.0.70.1
ip dhcp pool TECHNICIAN
network 10.0.80.0 255.255.255.252
default-router 10.0.80.1
end
wr
Code language: CSS (css)

Verify configs

sh run
sh ip dhcp binding
sh ip dhcp pool

Now the external hosts are ready to be assigned IPs.

Internal FTP

First open the FTP server, delete the default username, and use the following layout:

Username        Password        Permission

admin           cisco           RWDNL
user            cisco           RL

Obviously, in an actual scenario, significantly stronger passwords should be used.

For the time being let’s ignore password security and just focus on the protocols.

Verify configs

• Open command prompt on an end host in the Internal zone
• Run command ftp 192.168.40.2
• Supply user & password (admin, cisco)
• Run dir to see what’s available
• Run get [name of file] to retrieve a file

NTP & Syslog

NTP & Syslog will be configured on Internal, which will provide logging auditability.

NTP will synchronize system clocks of the network devices in the private network.

Syslog will utilize NTP to facilitate log messages to a server for all devices in the private network.

NTP should be configured first considering that Syslog would be rendered useless without it.

On NTP server:

Enable Authentication

• Key: 1
• Password: cisco

On Syslog server:

Confirm service is activated

On Internal:

Normally timestamps need to be set but that was already taken care of in base configurations for all devices.

There is no need to configure, but here are the commands for reference:

service timestamps log datetime msec
service timestamps debug datetime msec

Now what still needs to be done:

conf t
ntp server 192.168.50.2
ntp authenticate
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp update-calendar
logging 192.168.50.3
logging on
logging userinfo
logging trap
end
wr

Code language: CSS (css)

Verify configs:

show clock
show ntp associations
show ntp status
show logging

External server setup

Email

In the services tab, confirm email service is on, set the domain-name to internal.net, and add the following:

User Password

admin cisco user cisco

Verify configs

• Send an email

HTTP

Confirm service is enabled for http/https.

Verify configs:

• Open a browser on an end host in Internal or External zones and connect to http://172.16.50.4

External FTP

Refer to the Internal FTP configuration above

Verify configs:

• Same method as Internal FTP

Before moving on to configuring the DMZ lets set a few more layer 2 LAN security controls.

DHCP Snooping

This feature monitors and facilitates messages for a DHCP server. It helps identify anomalies in the DHCP DORA (Discover, Offer, Request, Acknowledgement) request process and drops improper requests.

This prevents attackers from modifying DHCP traffic to manipulate it’s dynamic abilities to gain network access.

The only ports that should be trusted are the connections from the switch to the DHCP server and switch to switch connections.

On Internal:

conf t
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip dhcp snooping verify mac-address
int f0/20
ip dhcp snooping trust
ip dhcp snooping limit rate 100
int ran f0/1-19, f0/21-23, g0/1-2
ip dhcp snooping limit rate 20
end
wr

The above configuration not only sets the server port as trusted, but also limits the rate of DHCP traffic allowed through the interfaces.

On External:

conf t
ip dhcp snooping
ip dhcp snooping vlan 70,80
ip dhcp snooping verify mac-address
int ran f0/1-23, g0/1-2
ip dhcp snooping limit rate 20
end
wr

Verify configs:

sh ip dhcp snooping

ARP Inspection

This feature is similar in nature and dependent on DHCP Snooping, but instead monitors ARP traffic.

For those unfamiliar, ARP (Address Resolution Protocol) is used to query the switch for the layer 3 IP address based on the MAC table. Its commonly referred to as a layer 2 to layer 3 address mapping protocol.

Without ARP, DHCP would assign an address but the host would be clueless on how to exit the internal network to the internet. ARP Inspection prevents gratuitous ARP requests, which are manually requested rather than a result of the DHCP DORA process.

This prevents request modification and protects the ARP table from being poisoned. Packets with invalid MAC to IP bindings will be discarded.

On Internal:

conf t
ip arp inspection vlan 10,20
ip arp inspection validate src-mac
end
wr

On External:

conf t
ip arp inspection vlan 70,80
ip arp inspection validate src-mac
end
wr

The rate limit can also be set like DHCP Snooping. By default it’s 15 which is fine for this network.

Verify configs:

sh ip dhcp snooping

DMZ firewall configuration

Now it’s finally time to link the DMZ to the internal zone by configuring the ASA Firewall.

First step is to remove any undesired default settings, then configure the rest.

The model firewall is a Cisco ASA 5505, which operates on a layer 2 vlan setup, so an SVI (Switch Virtual Interface) is required for IP assignment (like a Layer 3 switch).

On Firewall:

conf t
no dhcpd enable inside
no dhcpd address 192.168.1.5-192.168.1.36 inside
no dhcpd auto_config outside
telnet timeout 1
int vlan 1
ip addr 192.168.1.2 255.255.255.252
int vlan 2
nameif dmz
ip addr 172.16.50.1 255.255.255.248
security-level 70
no forward interface vlan 1
int vlan 3
nameif outside
ip addr 209.165.200.2 255.255.255.252
int vlan 4
exit
route inside 192.168.0.0 255.255.0.0 192.168.1.1
route outside 0.0.0.0 0.0.0.0 209.165.200.1
object network inside-net
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic interface
int e0/0
switchport access vlan 1
no shut
int e0/1
switchport access vlan 2
no shut
int e0/2
switchport access vlan 3
no shut
int e0/3
switchport access vlan 4
shut
int e0/4
switchport access vlan 4
shut
int e0/5
switchport access vlan 4
shut
int e0/6
switchport access vlan 4
shut
int e0/7
switchport access vlan 4
shut
exit
class-map CMAP
match default-inspection-traffic
exit
policy-map PMAP
class CMAP
inspect dns
inspect ftp
inspect http
inspect icmp
exit
service-policy PMAP global 
end
write memory
Code language: JavaScript (javascript)

The above configuration removes undesired defaults, configures SVI interfaces (black_hole for unused interfaces), assigns them to a switchport, and disables any unused interfaces (Packet Tracer firewall unfortunately absent of access interface ranges). Then makes a class map that is linked to a policy-map which finally links to the global service-policy.

At this point Internal should be able to communicate any zone while DMZ & External can communicate with each other but are isolated from the Internal zone.

It becomes quite obvious why this is an ideal approach to secure architecture, though it is far from fool proof.

A well crafted block of JavaScript or executables initiated through websites, emails, etc, could still make it through. This can infect the user’s session which can blend their traffic in the user stream to bypass the firewall. Making the attack seem as part of an accepted outgoing connection rather than trying to infiltrate with their own inbound connection.

That’s why end user training is among the most critical aspects of the attack surface. Lack of understanding can result in activity that has potential to bypass layers of security controls.

Verify configs:

sh run
sh ip
sh int ip br
sh nat
sh route

Login/SSH

Normally for larger networks I would recommend utilizing AAA for remote authentication and use local authentication as a backup if the remote server fails.

Considering we’re only going to harden 3 devices, it’s not much of a concern. If connectivity issues occur they still would have to be accessed physically regardless.

On Internal & DMZ:

conf t
username admin privilege 15 secret cisco
enable secret class
login block-for 300 attempts 5 within 120   # <= Login commands unavailable on DMZ L2 switch
login on-success log
login on-failure log
crypto key generate rsa                     # <= hit enter, select biggest key size, hit enter again (Firewall already has key-pair)
line con 0
privilege level 15
login local
exit
line vty 0 15
privilege level 15
login local
end
wr

On Firewall:

conf t
username admin password ciscoasapassword encrypted
enable password class
ssh 192.168.20.2 255.255.255.255 inside
crypto key generate rsa modulus 2048      # <= answer yes when prompted
end
write memory
Code language: JavaScript (javascript)

Verify configs:

sh run
sh login
sh ip ssh

Despite the configuration, SSH still might not work on the ASA in packet tracer. They are a newer feature and still have some buggy issues and are less developed than the routers and switches.

While not available on packet tracer I would recommended disabling telnet and enforcing ssh only.

Access Control Lists (ACL’s)

Now, let’s work on the internal zone as a second layer of protection if the firewall is breached, to isolate internal vlans based on least privilege access control, and for protecting the remote access capabilities of our network device VTY lines.

On Internal:

conf t
ip access-list standard SyslogNTP
deny any
exit
int vlan 50
ip access-group SyslogNTP in
exit
end
ip access-list extended SSH
permit tcp host 192.168.20.2 any eq 22
exit
line vty 0 15
access-class SSH in
wr
Code language: PHP (php)

Verify configs:

sh run
sh access-lists

The above sets the NTP / Syslog Vlan to be inaccessible to end users and SSH login only available to the technician.

Conclusion

We covered a lot in this tutorial, but I hope that you enjoyed following along and setting up your network. At this point, feel free to mess around with ping / traceroute testing in the environment between the different zone combinations to see what works and what doesn’t.

Then, feel free to try and expand this network even further and share what you’ve got with us in the comments below!

This project was created by Cybr Member, Nick Gimbel.