Lab 2
Scenario: Simple attack mitigation

Overview

Description
This lab introduces you to the inline mode of Pravail APS and to simple
attack mitigation techniques. You will learn the essential steps of a
mitigation. This lab is divided into the following parts:
• Migration of Pravail APS to inline mode
• Protection Group configuration
• Attack mitigation and monitoring

Initial Setup

[Diagram: initial setup. Pravail APS in monitor mode with interfaces mgt0, mgt1, ext0 and int0; DCN, Victim, Internet with a 2 Mbps last mile, and infrastructure that does not need protection.]

Student 54 L2-1
Basic attack mitigation with Pravail APS
Lab 2

At the beginning of the lab Pravail APS is installed in monitor mode.

Interfaces are connected in the following way:

• ext0 receives copies of packets coming from the internet
• int0 receives copies of packets coming from the data center
• mgt0 is connected to the out-of-band management network
• mgt1 is connected to the data center. It is used by Pravail APS to
access the internet

Objectives
After completing this lab, you will be able to do the following:
• Perform migration of Pravail APS to inline mode;
• Perform basic attack mitigation.

Equipment/Tools
The following equipment is required to complete this lab:
• web browser (Chrome or Firefox)
When accessing training labs, you will be prompted for Training Portal
Authentication. Use the following credentials:

• Login: student54
• Password: 43xXBAJD89

Estimated Completion Time

• The estimated completion time for this lab is 30 minutes.

L2-2 Student 54 Pravail APS 5.6


Migration of Pravail APS to inline mode


Before re-cabling Pravail APS to inline mode, we need to switch the appliance
operation mode to inline; otherwise all packets will be dropped, since
Pravail APS does not forward packets in monitor mode.

1. Connect to your Pravail APS with the web SSH client

Web SSH server address: https://cli.training.arbor.net/ssh/

Pravail APS mgt0 interface IP address: 10.2.25.184

Port: 22

Login: admin

Password: 43xXBAJD89

2. Switch the appliance to inline mode using the following command

services aps mode set inline

[Diagram: inline setup. Pravail APS re-cabled inline with interfaces mgt0, mgt1, ext0 and int0; DCN, Victim, Internet with a 2 Mbps last mile, and infrastructure that does not need protection.]
3. Ask the instructor to re-cable your Pravail APS to inline mode.

4. Log into the Pravail APS GUI at https://pod54.training.arbor.net/

5. Make sure that the Pravail APS deployment mode is set to inline inactive

6. Check the Interfaces widget on the Summary page to see whether the
interfaces are transmitting traffic


Protection group configuration


In this section we will change the protection mode of the Default Protection
Group to make sure that Pravail APS does not affect infrastructure that does
not need protection, and create a separate Protection Group for the victim
server. This is an essential part of service protection.

1. Navigate to Protect -> Protection Groups

2. Click on Default Protection Group to open it

3. Click Edit button to edit settings of Default Protection Group

4. Set Protection Group Mode to Inactive and Protection Level to Low.

Now, regardless of the Pravail APS operation mode, traffic for the Default
Protection Group will not be mitigated, and reporting will be provided
for the low protection level

5. Save your changes

Now, let’s configure the Server Type for the protection group we will use to
protect the victim server.

1. Navigate to Protect -> Server Type Configuration

2. Select the Web Server type from the Standard Server Types drop-down

3. The victim web server should not receive any packets other than:
• ICMP echo requests, echo replies, destination unreachable
• TCP packets from high ports destined to ports 80 and 443 (for the
HTTP and HTTPS services)
• TCP packets from ports 53, 80 or 443 destined to high ports
(used by the server to fetch various server software updates)
• UDP packets from port 53 destined to high ports (used to resolve
domain names)
For every protection level, type the following Filter List to match this
requirement:
drop not (proto icmp or proto tcp or proto udp)
drop proto icmp and not ((icmptype 8 and icmpcode 0) or (icmptype 0 and icmpcode 0) or (icmptype 3 and icmpcode 3))
drop proto tcp and not ((src port 1024..65535 and (dst port 80 or dst port 443)) or (dst port 1024..65535 and (src port 53 or src port 80 or src port 443)))
drop proto udp and not (dst port 1024..65535 and src port 53)


4. Save server type settings
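The Web Server filter list from step 3, expressed as an ordered drop policy and checked against constructed sample packets; this is an added example in Python, not the Pravail APS filter engine or any code from the lab. It assumes first-match-wins evaluation in the order the rules are listed, and it models "destination unreachable" as ICMP type 3 (its standard type number) with code 3, the code the filter list pairs with it.

```python
from dataclasses import dataclass
from typing import Optional

HIGH_PORTS = range(1024, 65536)        # the "1024..65535" range in the filter list
SERVER_PORTS = {80, 443}               # HTTP/HTTPS ports served by the victim
UPDATE_SRC_PORTS = {53, 80, 443}       # source ports of replies the server may fetch
# Echo request, echo reply and destination unreachable (ICMP type 3) with code 3:
# the (type, code) pairs the lab's filter list allows (assumption: type 3 for unreachable)
ALLOWED_ICMP = {(8, 0), (0, 0), (3, 3)}

@dataclass
class Packet:
    proto: str                         # "icmp", "tcp", "udp" or anything else
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def drop_reason(p: Packet) -> Optional[str]:
    """Return the rule that drops the packet (first match wins), or None if allowed."""
    if p.proto not in ("icmp", "tcp", "udp"):
        return "drop not (proto icmp or proto tcp or proto udp)"
    if p.proto == "icmp" and (p.icmp_type, p.icmp_code) not in ALLOWED_ICMP:
        return "drop proto icmp and not (echo request, echo reply, unreachable)"
    if p.proto == "tcp":
        client_to_web = p.src_port in HIGH_PORTS and p.dst_port in SERVER_PORTS
        reply_to_server = p.dst_port in HIGH_PORTS and p.src_port in UPDATE_SRC_PORTS
        if not (client_to_web or reply_to_server):
            return "drop proto tcp and not (web clients or update replies)"
    if p.proto == "udp" and not (p.dst_port in HIGH_PORTS and p.src_port == 53):
        return "drop proto udp and not (dns replies)"
    return None

# Constructed sample traffic toward the victim server (not captured data).
SAMPLES = {
    "https client": Packet("tcp", src_port=51234, dst_port=443),
    "dns reply": Packet("udp", src_port=53, dst_port=40000),
    "ping": Packet("icmp", icmp_type=8, icmp_code=0),
    "ssh probe": Packet("tcp", src_port=40001, dst_port=22),
    "udp flood": Packet("udp", src_port=40002, dst_port=80),
    "icmp redirect": Packet("icmp", icmp_type=5, icmp_code=1),
    "gre tunnel": Packet("gre"),
}

def allowed_names() -> list:
    # Names of the sample packets that pass the whole filter list
    return [name for name, pkt in SAMPLES.items() if drop_reason(pkt) is None]

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {drop_reason(pkt) or 'allowed'}")
```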

The last step is to create a new protection group for the victim server:

1. Navigate to Protect -> Protection Groups and click the Add Protection
Group button

2. Choose a meaningful name and description for the Protection Group

It is best practice to give entities meaningful names.

3. Enter the IP address of your victim server as a Protected Host:
192.168.154.1

4. Choose “Web Server” as the type of this Protection Group

5. Click the Add button

Attack mitigation and monitoring


Finally, it is time to mitigate the attack and observe the results.
1. Change the Pravail APS protection mode to inline active
2. After a minute, check whether the victim is now available:
https://victim-pod54.training.arbor.net/

3. Navigate to the View Protection Group page corresponding to your Web
Server
4. Check the attack categories to see the attack vectors
5. Note the change in the volume of attack traffic after you started the mitigation.
A rise in attack traffic is a common response to a successful mitigation.

Generating reports
In this section, you will learn how to generate the required Protection Group
reports.
1. Navigate to the Protection Group list page
2. Open your Web Server protection group
3. Set the timeframe of the report to 1 hour (or another reasonable timeframe
that shows the attack), and change the units to packets
4. Export as a PDF
5. Review the result.
6. Navigate to Explore -> Blocked Hosts


7. Search for hosts which were involved in attacking the Web Server
Protection Group and were stopped by Botnet Prevention
8. Export detailed information about the attackers to CSV for future reference

This completes the lab exercise. Please let the instructor know that you have
finished the lab and that the attack should now be stopped.
