3.11.1 Packet Tracer - Network Security Exploration - Physical Mode

Video Statistics and Information

Network Security Exploration. In this Packet Tracer physical mode activity you will explore and implement several security procedures in different locations within the city of Greenbay, North Carolina. Included are networks in a data center, an ISP (internet service provider), a coffee shop and a home. The data center is provisioned for environmental and physical security; there is also software included to maintain access control. You will install an Internet of Things (IoT) smoke detector. The coffee shop offers free wireless access to the patrons; you will implement a VPN to secure traffic. The home includes an office, a student's bedroom and a living room. You will configure two home wireless LANs to require authentication for two different user types, family members and guests. These networks will also be configured with MAC address filtering to restrict access.

Explore the networks. You will explore the networks in the data center, the ISP (internet service provider), the coffee shop and the home.

Explore Greenbay. The activity opens with a view of North Carolina, USA. All the tasks in this activity occur in Greenbay. Click Greenbay. There are four locations: the data center, the ISP, the home and the coffee shop. The data center and the ISP are in the middle, then the home and the coffee shop.

Explore the rooms in the data center. Click on Data Center. There are two rooms and a variety of devices to explore, including a server room, the POP (point of presence), an IoT server, two access points, a laptop and several IoT devices connected to the network. This is the server room, the access point, the IoT devices, another access point, the laptop, the point of presence and the IoT server.

Click Data Center Server Room. Nowadays the majority of the devices are servers. In a real data center there would be hundreds of racks filled with servers. Switches link the servers together with redundant connections. A router provides connectivity to the point of presence (POP), which then connects to the ISP (internet service provider). Down here are the servers, all the servers, the switches, and this device is a router.

What is the name of the router that is located in this wiring closet? DC1_R1.

Navigate up one level: click Back Level. Investigate the devices in the data center point of presence. Click Data Center Point of Presence. What cable type is used to connect DC Edge Router 1 to the ISP? Source device DC Edge Router 1, destination device ISP1: the cable type is fiber, so the answer is that they are connected using fiber, this orange cable.

What device is doing the translation of private data center addresses into public addresses? Network address translation (NAT) is done by a router, and DC Edge Router 1 is the only router here, so the answer is that DC Edge Router 1 is doing NAT (network address translation).

Click DC Edge Router 1, Command Line Interface. Enter show access-list. You are in user EXEC mode; go to privileged EXEC mode using the enable command, and then show access-list. This access list permits only specific traffic into the data center. In this simulation HTTP, HTTPS, IPsec and FTP traffic are permitted; all other traffic is blocked: permit HTTP, permit HTTPS, permit ISAKMP (this is IPsec, and also this one for IPsec), permit FTP, permit ports greater than 1023, which means the registered ports and dynamic ports (greater than 1023) are permitted.

Investigate the interfaces. On what interface and in which direction is the access list applied? You can use show interfaces, show ip interface (show ip interface GigabitEthernet0/0/0), or just show running-config. GigabitEthernet0/0/0: no access list. GigabitEthernet0/0/1: no access list. GigabitEthernet0/0/1: access list is not set. GigabitEthernet0/0/0: access list is not set. This interface, GigabitEthernet0/0/0, is the connection to the internet service provider, so you can apply the access list here. For now the answer to this question is that the access list is not set on the interfaces, but since GigabitEthernet0/0/0 is the connection to the internet service provider you can apply the access list here. Now you can see that the name of the access list is REMOTE_IN (case sensitive). So: configure terminal, interface GigabitEthernet0/0/0, ip access-group REMOTE_IN in (case sensitive, incoming traffic). Then show ip interface GigabitEthernet0/0/0: inbound access list is REMOTE_IN. So the answer should be inbound on GigabitEthernet0/0/0.

The access list commands in this simulation are limited. On a real edge router the access list would be much more complex and even more restrictive, to protect all networking devices and data within a data center.

Investigate the IoT devices configured to connect to the DC IoT server. Navigate to Data Center Point of Presence, click the laptop on the desk, and then Desktop, Web Browser. Enter the IP address 172.31.0.2; this IP address is for the DC IoT server. Request timeout. Try again using https:// and the IP address, Go. Request timeout again. Close the browser and verify the IP configuration of the laptop: you don't have a valid IP address, this is an APIPA address. Go to Static and then DHCP again. DHCP failed, APIPA is being used on the PC. On PC Wireless you are not connected to an access point. Go to Connect and Refresh; try to connect to the DC wireless LAN (40 percent signal), Connect, WPA2 Personal, password. Review the access point: click on this access point to review its config, Port 1; the password is cisco rocks. Connect using the password cisco rocks. The adapter is active. Go to Link Information: you are connected. Close this and go to IP Configuration; now you have 172.31.0.12, a valid IP address to connect to the server. Go to Web Browser and try the IP address of the IoT server, 172.31.0.2. Very nice: Registration Server login. Use these credentials: admin, cisco rocks. Now this is the door.

What devices are currently being used to protect the networking equipment in the data center from environmental factors and for physical security? You can zoom in. For environmental protection the data center has IoT monitors: a humidity monitor, a thermostat, an air conditioner and also the smoke detector. For physical security there are a monitored door and a siren.

In the list of IoT devices, click Humidity Monitor to expand it. What is the current humidity level? On the laptop only the door is present. This is the humidity monitor: 74 percent. Now you can see that its IP address is not a valid IP address; it is an APIPA address, 169.254.x.x. Go to Config and review the wireless connection: the SSID is DC_WLAN, WPA2, cisco rocks. The IP address is not valid, so go to Static, then DHCP. Very nice, 172.31.0.13; now the humidity monitor is connected. Be sure this is AES. Go to the laptop and now you can see the humidity monitor: 76. Click Humidity Monitor; what is the current humidity level? It is about 76 percent.

You can also connect the thermostat: Config, Wireless0 interface, Static, DHCP. It's not connecting again; review the password and the SSID; Static, DHCP. Finally it got 172.31.0.15 and the port status is On, so you can go to the laptop and now you can see the thermostat. You can also connect the air conditioner: verify that the port status is On, the SSID, cisco rocks, this should be AES, Static, DHCP. Very good. And also the smoke detector: the SSID is Default, authentication disabled; don't worry. Go to the laptop and now you can see the air conditioner and the door; you can Open, Lock, Unlock (green).

Investigate the monitored door and siren. In the list of IoT devices click the door to expand it. Notice the Open indicator is red; this means that the door is closed. Expand Door: Open is red. Click Siren; notice the On indicator is red; this means the siren is not on. Click the laptop: the siren is not listed here, so click the siren, Config, Wireless: port status On, SSID, cisco rocks, should be AES, Static, DHCP. Very nice, 172.31.0.17. Go to the laptop, and go to the siren, Settings, IoT Server: this is the IoT server, username, password. Refresh, connecting. Go to the laptop and now you can see the siren. It's listed, but the On indicator is red; this means that the siren is not on.

Keep the web browser window in view and locate the siren next to the door in the data center POP. This is the siren next to the door; notice they are connected using a cable. Open the door: click Unlock, and then hold the Alt key down and left-click the door. I repeat: click Unlock, go to the door, hold Alt and click the door. Now you can see that the siren is activated when the door is open: the siren's On indicator is green, which means the siren is on. In the web browser window the Open indicator turned green, meaning that the door is open; the siren's On indicator is also green.

Close the door again by holding down the Alt key and left-clicking the door. In the web browser, under Door, click Lock. The door is red: locked. Try to open the door again by holding the Alt key and left-clicking the door; it should not open. Alt and click: the door is locked.

Investigate the thermostat. In the list of IoT devices click the thermostat to expand the available features and variables. At what temperature will the air conditioner turn on? Click the laptop and expand the thermostat: Auto Cool Temperature is 20 degrees Celsius. Look at the temperature: it is about zero or one degree, so for now it is heating and the air conditioner is off (On is red, which means it's off). If the temperature rises above 20 degrees, auto cool will start cooling and the air conditioner will be on (green), powered on.

In the data center click the thermostat, Config tab, Wireless0 (the wireless interface). What is the IP address of the thermostat? This may vary, but it's 172.31.0.15; maybe .16 or .17, but in my case .15.

On the laptop close the web browser and open the command prompt. Ping the thermostat; remember the thermostat is 172.31.0.15. Success: packets sent 4, received 4. The ping should be successful.

Explore the ISP, coffee shop and home networks. Navigate to the ISP: Back Level, then click the ISP in the middle. The ISP contains two routers, a DNS server and a central office router that connects the coffee shop and home to the internet: two routers, ISP1 and ISP2, a DNS server, and the central office router, which connects the coffee shop and the home to the internet with these two cables.

Navigate to the coffee shop. How do clients connect to the coffee shop network? This is the cable to the coffee shop, this coaxial cable. Go to the coffee shop down here, zoom out and look at this cable: it goes to the ISP (a cable connection). But how do clients connect to the coffee shop network? Assuming the clients are these laptops down here, the answer is wireless, or wireless LAN. What type of media is used to connect the cafe to the internet? Zoom out: the answer is a coaxial cable, a cable connection. What devices are used to create the coffee shop network? Click the wiring cabinet to see additional devices: zoom in, click on the wiring cabinet; you can see a router and a wireless LAN controller; Back Level; and two access points.

Click each laptop in the coffee shop, Config tab, Wireless0 interface. What IP addresses do they have? Click on the first laptop: IP Configuration, Wireless0, IP address 192.168.0.11 with this netmask, default gateway and DNS server. The other laptop, Desktop, IP Configuration: it's not connected, because it is using an APIPA configuration. Go to Static, DHCP: APIPA. Review the connection: PC Wireless, Connect, Refresh; connect to the Wi-Fi (42 percent); Connect; the pre-shared key. Go to the access point, Config, Port 1 and review the password: cisco rocks. On the PC: cisco rocks, Connect. Link Information: now you are connected. Then IP Configuration, Static, DHCP: now 192.168.0.13 with this netmask, default gateway and DNS server.

Navigate to the home network; you will configure the network later in this activity. Investigate the devices in the network. How does the home network connect to the ISP? Back Level, click Home on the right. Look at this connection to the ISP: a cable connection. Zoom in, and the cable goes here, to the cable modem. The answer is that the home network connects to the ISP via coaxial cable, since there is a cable modem as one of the devices. What devices require connectivity within the house? The answer is the home router, the two laptops and the two wired PCs.

Implement security measures. You will configure wireless security for the smoke detector in the data center, a virtual private network (VPN) in the coffee shop, and two wireless networks in the home.

Configure the IoT smoke detector in the data center. Navigate back to the data center and click the smoke detector: Back Level, go to the data center, click the smoke detector on the wall, Config tab. Modify the display name: use Smoke Detector-DC1 (with a dash). Gateway/DNS: use DHCP. In the IoT Server section, modify the remote server with the IP address 172.31.0.2. Remember: DHCP for the gateway; IPv6, I will not use IPv6; IoT server, use Remote Server; remember the IP address of the IoT server, 172.31.0.2; username admin, password cisco rocks. Wireless0 interface (the wireless interface): SSID DC_WLAN, WPA2-PSK and the password cisco rocks. Return to Settings, IoT Server, Connect.

Go to Settings, IoT Server: IP address, username, password, Connect. Very good. The registration server will update the default gateway and IP address of the smoke detector through DHCP. Review: Static, DHCP on IPv4, the default gateway. Go to Wireless0 and now you can see the IP configuration: DHCP, 172.31.0.18. Close Smoke Detector-DC1. Click the laptop in the data center point of presence; close the command prompt, open the web browser and enter the IP address of the IoT server, 172.31.0.2, Go; username admin, password cisco rocks, and now you will see the smoke detector. Notice that Smoke Detector-DC1 is now added to the list of IoT devices. Click the smoke detector in the web browser; the Alarm indicator should be red, meaning that the alarm is not activated. It's red: not activated.

Create a VPN on a laptop in the coffee shop. Free Wi-Fi in a business like the coffee shop is usually open, meaning that there is no privacy and traffic can be easily captured. To avoid that issue you will use a VPN client on one of the laptops to connect to an FTP server in the data center. The tunnel created by the VPN will encrypt any data transferred between the laptop and the server. The edge router in the data center is already configured for VPN.

Navigate to the coffee shop and click the VPN laptop: Back Level, coffee shop down here, zoom in, click on the VPN laptop, Command Prompt, ipconfig. What is the IP address assigned to this laptop? 192.168.0.13, using this subnet mask and default gateway. To speed up convergence in Packet Tracer, ping the VPN server, which is provided by DC Edge Router 1, 10.0.0.2. Ping the router, 10.0.0.2; this will let the network converge. Try again: destination host unreachable. ipconfig again, and ping your default gateway: this is your IP address, and the default gateway is 192.168.0.5; ping 192.168.0.5, success. Ping the router: destination host unreachable. So use tracert to detect the problem. This is your default gateway; Ctrl+C to stop. Very good: the ICMP message reaches the router. Try to ping: there is no reply from 10.0.0.2, and this is because the router is not permitting ICMP messages. The router is using an access list and it's not permitting ICMP messages, so it's not permitting the ping. Anyway, try to configure the VPN. Close the command prompt and click VPN: group name REMOTE (case sensitive), group key cisco, host IP 10.0.0.2, username vpn (case sensitive), password cisco rocks.

Before connecting, review the configuration of the router. Go to Data Center, click Data Center Point of Presence, click this router, DC Edge Router 1; remember that previously you reviewed this router. Enter enable, show running-config. The access list is not permitting ICMP messages, so that's why the ping is not working. This is the IP address of the interface that you are trying to ping, 10.0.0.2. This is the applied access list, but the access list is permitting IPsec for the VPN. And this is the configuration for the remote access VPN, all of this configuration, so that's why the group name is REMOTE, the key is cisco, the username is vpn, the password is cisco rocks (which is encrypted) and the IP is 10.0.0.2.

Back Level, go to the coffee shop, click on the VPN laptop, Connect. The VPN is connected; the client IP for the VPN is this. Click Connect and be sure your configuration is correct; the VPN configuration window now displays the client IP. What is the IP address for the VPN? The IP address is 172.18.1.50; it may vary, maybe .51 and so on.

Navigate to the data center and click Data Center Point of Presence, DC Edge Router 1: Back Level, go to the data center, go to the point of presence, go to the edge router, Command Line Interface. Enter enable (privileged EXEC mode) and show crypto isakmp sa. Now this shows the client: the destination, the source, the state; status ACTIVE. To display active IPsec security associations: what status is listed in the output of the command? ACTIVE. What destination IP address is listed in the output? Can you determine to which device this IP address belongs? The source 10.0.0.2 is this router, the local router; the destination is the client, 10.1.0.11, which is the IP address of the coffee shop router's internet-facing interface, GigabitEthernet0/0. You can go Back Level, Back Level, coffee shop, click the wiring cabinet, and this is the IP address of GigabitEthernet0/0 on the router; or you can review it in Command Line Interface: this router has a DHCP-assigned address on GigabitEthernet0/0, 10.1.0.11. It's this router, the coffee shop router.

To test the VPN, return to the VPN laptop's command prompt: Back Level, click on the VPN laptop, close VPN, Command Prompt. Enter ftp 172.19.0.3; you will connect to the FTP server in the data center. Username remote, password cisco rocks. Logged in. ftp dir (or ls): there is only one file, only one txt file. Use the dir command to view the contents. What is the name of the file listed? The name is PTSecurity.txt. Enter the get command to download this file: get PTSecurity.txt (case sensitive), Enter. Transfer complete, 92 bytes. Enter quit to exit your FTP session. To view the contents of the file, close the command prompt window and open Text Editor: close the command prompt, open Text Editor, File, Open and select PTSecurity.txt. "Congratulations, you have successfully downloaded this file." What is the first word in the message? Congratulations.

In the coffee shop click the other laptop and then Desktop, Command Prompt. Attempt to ping the FTP server: ping 172.19.0.3. Destination host unreachable. Was it successful? Why or why not? The ping should not be successful, because this laptop does not have a VPN configured and the edge router in the data center is configured with an access list that denies pings.

On real equipment you would require a VPN service and the VPN client software loaded on the laptop. Use the internet to research different VPN services and applications available for laptops, tablets and smartphones. What are three examples of VPN services or applications that you could use on an open wireless network to protect your data? Examples of VPN applications are CyberGhost, IPVanish and NordVPN.

Configure secure wireless LANs in the home network. For the home network you will do the initial wireless setup, create separate networks for the home office and guests, secure each network with strong authentication and include MAC address filtering.

Navigate to Home and investigate the cabling: Back Level, click Home on the right and look at the cabling. The cable modem receives this connection with a coaxial cable, then connects to the home router, and the router connects to a PC and also to another wired PC. But look, the home router is a wireless router, with these antennas, so it can provide a wireless connection to the laptops. Notice that the two PCs, one in the home office and the other in the bedroom, use the wired connection. The laptop in the office will use the home office wireless LAN, and the laptop in the living room will use the guest wireless LAN.

Click the home router, Graphical User Interface tab. The router is using DHCP to automatically receive IP addressing from the internet service provider: Automatic Configuration - DHCP. Network Setup section: use the IP address 192.168.0.254, subnet mask 255.255.255.0 (/24), DHCP Enabled, start IP address 192.168.0.10, maximum number of users 25, DNS 10.2.0.125, and Save Settings. Be careful to save the settings.

Click Wireless, Basic Wireless Settings. HomeNet is the SSID for each wireless LAN, and disable all SSID broadcasts: HomeNet (case sensitive) for each, HomeNet, HomeNet, HomeNet; SSID broadcast Disable, Disable, Disable; Save Settings. Then Wireless Security: configure the following settings for all three WLANs: security mode WPA2 Personal, encryption AES, passphrase cisco rocks. Scroll down, Save Settings.

Click Guest Network. Enable the guest profile; network SSID GuestNet (case sensitive); Enable, Enable, Enable; SSID GuestNet; Broadcast SSID Enabled; security mode WPA2 Personal, encryption AES, password guest pass. Save Settings. Review: GuestNet, WPA2. Save Settings.

Click Wireless MAC Filter. Permit MAC addresses: the MAC address for the laptop in the home office is this one. Wireless port: use 2.4 GHz; Enable; Permit; and use this address, 00:01:42:2B:9E:90. Be sure to permit the MAC address for all three wireless LANs; there is a drop-down menu at the top, next to the wireless port, where you can switch from 2.4 GHz to 5 GHz-1 and 5 GHz-2. Save Settings. Copy this and now change to 5 GHz-1: Enable, Permit, paste, Save; 5 GHz-2: Enable, Permit, paste, Save Settings. Very good.

Home office: click the laptop, Config tab. This is the home office laptop; configure the wireless settings necessary to access the HomeNet wireless LAN. Go to the wireless interface: HomeNet, WPA2, cisco rocks; the interface is on. Now you have the DHCP configuration, 192.168.0.10. Desktop, Web Browser: enter www.ptsecurity.com, Go. It may take a few seconds for the web page to display; if you get a request timeout message, click Go again. Very nice: Data Center Public Web.

Navigate back to the home and zoom in on the living room, on the right. This is the guest laptop; click Config, Wireless0 interface; configure the wireless settings necessary to access GuestNet. The SSID, very good; this should be WPA2-PSK (remember that previously for guests you configured WPA2) and guest pass. The port should be on; Static, DHCP. It's not receiving a valid IP address; it's now using the APIPA address 169.254.x.x. The question is: under IP Configuration make sure DHCP is selected; did the laptop receive IP addressing from the home router? Why or why not? The guest laptop cannot connect to the network because the home router has been configured to filter based on MAC addresses, and the MAC address filter does not contain the MAC address for the guest laptop.

Navigate back to the graphical user interface on the home router and correct the issue. Go to the home router, Wireless, Wireless MAC Filter, and add the second MAC address, the MAC address of the guest laptop. You can copy it from the laptop's config, or go to Desktop, Command Prompt, use ipconfig /all and copy it. This is the Bluetooth connection, but I want Wireless0: this MAC address, for Wireless0. Copy it and verify it is the same as in the configuration. So you need to add this on the home router: 2.4 GHz, paste, but modify the notation with colons. Copy this and save. Now for 5 GHz-1 add the new MAC address, Save Settings; 5 GHz-2, Save Settings. Now try to connect this, and now it's connected. Go to interface Wireless0: DHCP gives 192.168.0.11. So the guest laptop is connected now; this laptop is configured with a valid DHCP IP address, and you should now see IP addressing from the pool you configured earlier on the home router. If not, toggle between DHCP and Static to refresh the DHCP request. Very good, 192.168.0.11.

Desktop, Command Prompt: the DNS server is 10.2.0.125; ping the DNS server, 10.2.0.125: success. The ping should be successful, yes. Test access to any other device. Is the ping successful? Why or why not? For example, ipconfig, then ping your default gateway 192.168.0.254: success. Try to ping the other laptop: ipconfig on its wireless connection shows 192.168.0.10; ping 192.168.0.10: success. Go to the home router, Guest Network: "Allow guests to see each other and access the local network" is enabled, so that's why the guest laptop can ping other local resources. But what happens if you disable "Allow guests to see each other and access the local network"? Disable it, Save Settings, and try to ping the default gateway from the guest laptop: the ping fails; Ctrl+C to stop. Try to ping the other laptop: the ping fails; Ctrl+C to stop. So when you change the configuration the ping should fail: this guest network was configured to not allow guests to access local resources, according to the home router's configuration on the guest network. Test access to www.ptsecurity.com; access should be successful. Go to the guest laptop, Web Browser, www.ptsecurity.com: Data Center Public Web, success. Very nice.

List all the different security approaches that were used in this situation:
- Positioning IoT devices such as fire alarms, thermostats, humidifiers and air conditioners within the data center to protect devices and data from environmental issues.
- Protecting access to the data center by using door locking sensors and sirens.
- Creating a VPN in a situation where free Wi-Fi is open to all; this VPN encrypts and secures all data using tunneling technology.
- Creating a guest network in the home so that guests have access to external sites but not to inside information.
- Creating both the home network and the guest network with strong authentication so that access is limited to home owners and their guests.
- Establishing filtering of access to wireless networks based on MAC addresses so that access is limited to specific known devices.
- Using access lists to filter access to the data center networks.

In a situation where real equipment is used, these are other suggestions that could be added to this scenario to make it more secure:
- Using biometric devices such as fingerprint or retinal scanners for entry into secure areas within the data center.
- Using stronger passwords and passphrases for access to networks and devices; a strong password should be longer than 8 characters and include uppercase and lowercase letters, numeric digits and special characters.
- Adding a VPN for the HomeNet network to protect all home owner data traveling externally.
- Installing redundant links between the data center and the ISP so there is not a single point of failure.
- Creating a second, backup data center in the case of an extreme disruption of service.

Thank you, thank you very much.
Info
Channel: Christian Augusto Romero Goyzueta
Views: 866
Keywords: ensa, enterprise networking, security, automation, ccna, version 7, ccna 7, access list, acl, nat, physical mode, packet tracer, iot, server, data center, vpn, wlan, ipsec, mac, wpa2, temperature, thermostat, humidity, air conditioner, siren, door, remote vpn, point of presence, pop, router, switch, iot server, mac address filtering
Id: ajLomB3hiqM
Length: 84min 51sec (5091 seconds)
Published: Tue Oct 19 2021