The Practical Network Defense course project aimed to provide hands-on experience in configuring and hardening a corporate network to defend against potential cyber threats. Over the course of three distinct tasks, we developed and secured a simulated network environment, applying real-world security concepts and technologies.
The network topology for this environment is illustrated in the image below, which will be used as a reference throughout the descriptions of the three tasks:
The first task focused on configuring the firewall infrastructure for the simulated corporate network. The main objective of this task was to implement a comprehensive security policy using two components: the Main Firewall-Router and the Internal Firewall-Router.
Our approach began with a careful analysis of the security policy. The policy outlined a series of rules designed to control the flow of network traffic, protect key services, and restrict access to sensitive areas of the network. The critical services to be protected included a web server, DNS server, syslog server, proxy server and vulnerability scanner. These services formed the backbone of the network and required precise control to ensure their availability while minimizing exposure to external threats.
The next step involved configuring the firewall rules on the Main and Internal Firewall-Routers. For instance, we had to ensure that HTTP and HTTPS traffic to the web service was accessible from the Internet while limiting internal services to specific segments of the network. This required creating allow-lists for traffic, configuring NAT (Network Address Translation) to control how internal hosts accessed the Internet, and redirecting traffic on specific ports.
Special attention was also given to access control. We enforced rules that limited SSH access to the internal network, ensuring only hosts within the Client network could initiate SSH connections. This approach significantly reduced the attack surface for potential intrusions. We also ensured that all internal traffic would exit to the Internet using the public IP of the Main Firewall, which provided an additional layer of privacy for internal hosts. The configuration also included restrictions on ICMP traffic, preventing ICMP redirects from being transmitted and controlling ping requests so that only DMZ hosts would respond to pings from the Internet.
Once the firewall rules were in place, we moved on to the implementation of security controls. This phase involved configuring essential services like the web server, DNS resolver, proxy, and log collection services. The goal was to ensure that all these services operated according to the security policy while being accessible to the appropriate segments of the network. For instance, internal hosts were required to use the internal DNS resolver, and the log collection system (including syslog and Graylog) was configured to receive logs from key network devices.
With the configuration complete, we conducted a series of rigorous tests to validate our implementation. We tested the availability and accessibility of the key services, ensuring that they were only accessible from the intended parts of the network.
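The ruleset below is an added example, not the project's own configuration, of how the Task 1 policy can be expressed in pf.conf on a FreeBSD/OPNsense-style Main Firewall-Router. The interface names, the address plan (DMZ 10.0.1.0/24, Client 10.0.2.0/24, Internal Server 10.0.3.0/24 behind the Internal Firewall-Router), the public IP and the service ports are assumptions chosen for illustration.

```pf
# Added example, not the project's ruleset: pf.conf for the Main Firewall-Router.
# Interface names, addresses and ports are assumptions.
wan_if = "em0"    # Internet-facing interface
dmz_if = "em1"    # DMZ segment
lan_if = "em2"    # Client segment (the Internal Server segment is reached through it)

public_ip    = "203.0.113.10"  # assumed public address of the WAN interface
dmz_net      = "10.0.1.0/24"
client_net   = "10.0.2.0/24"
internal_net = "10.0.3.0/24"   # Internal Server network behind the Internal Firewall-Router

web_srv    = "10.0.1.10"
dns_srv    = "10.0.1.20"
proxy_srv  = "10.0.1.30"
syslog_srv = "10.0.1.40"
scanner    = "10.0.1.50"

table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
set block-policy drop
scrub in all

# --- Translation (evaluated before the filter rules) ---
# Every internal host leaves for the Internet with the Main Firewall's public IP.
nat on $wan_if inet from { $dmz_net, $client_net, $internal_net } to any -> ($wan_if)
# HTTP/HTTPS arriving on the public IP is redirected to the web server.
rdr on $wan_if inet proto tcp from any to $public_ip port { 80, 443 } -> $web_srv
# Client DNS queries are redirected to the internal resolver, whatever the client configured.
rdr on $lan_if inet proto udp from $client_net to ! $dns_srv port 53 -> $dns_srv

# --- Filtering: default deny; "quick" rules stop evaluation at the first match ---
block log all

# Spoofed private sources from the Internet, and spoofed addresses on inside interfaces.
block in quick on $wan_if inet from <private> to any
antispoof quick for { $dmz_if, $lan_if }

# Never transmit ICMP redirects (pair with sysctl net.inet.ip.redirect=0).
block out quick inet proto icmp icmp-type redir
# Only DMZ hosts answer echo requests from the Internet.
pass in quick on $wan_if inet proto icmp icmp-type echoreq from any to $dmz_net keep state

# Public web service; after rdr the packet's destination is already $web_srv.
pass in quick on $wan_if inet proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state

# SSH may originate only from the Client network; every other SSH attempt is dropped.
pass in quick on $lan_if inet proto tcp from $client_net to any port 22 flags S/SA keep state
block in log quick inet proto tcp from any to any port 22

# Internal use of the DMZ services.
pass in quick on $lan_if inet proto udp from $client_net to $dns_srv port 53 keep state
pass in quick on $lan_if inet proto tcp from $client_net to $proxy_srv port 3128 flags S/SA keep state
pass in quick inet proto udp from { $client_net, $internal_net } to $syslog_srv port 514 keep state
pass in quick on $dmz_if inet from $scanner to { $dmz_net, $client_net, $internal_net } keep state

# Internet access: DMZ servers directly, clients only through the proxy.
pass in quick on $dmz_if inet from $dmz_net to ! <private> keep state
pass out quick on $wan_if inet all keep state
pass out quick on { $dmz_if, $lan_if } inet all keep state
```

Two points are worth checking with `pfctl -nf /etc/pf.conf` and `pfctl -sr` before loading: the SSH `pass` rule must precede the SSH `block`, because both are `quick`, and the web `pass` rule must name the translated destination ($web_srv), since the filter sees the packet after `rdr` has rewritten it.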
This task provided a hands-on opportunity to implement and enforce a real-world security policy using industry-standard firewall technology.
For a more detailed breakdown of our process, you can refer to our Report:
The second task centered on establishing Virtual Private Networks (VPNs) for the simulated corporate network:
Employee VPN: this VPN was designed to enable employees to access the internal network remotely.
Site-to-site VPN tunnel: this VPN provided a secure site-to-site link between the main office and a branch office.
For the employee VPN we could choose among several technologies, including OpenVPN, IPSec, and WireGuard; for the site-to-site VPN, IPSec was mandated.
For the employee VPN, our team decided to implement the VPN using OpenVPN due to its flexibility, strong encryption standards, and widespread use in enterprise environments. The Main Firewall-Router acted as the VPN gateway, accepting incoming connections from road warriors using the public IP of the WAN interface. We created three distinct user accounts to simulate real-world access control scenarios: Alice (operator), Bob (employee), and Charles (employee). We set up role-based access for these users, allowing Alice (operator) to access all company networks, while Bob and Charles (employees) were restricted from accessing the Internal Server network.
The second phase focused on setting up the site-to-site IPSec tunnel between the Main Firewall-Router and the Internal Firewall-Router. Our configuration process involved establishing security parameters, defining encryption algorithms, and setting up the authentication mechanism. This secure tunnel ensured that any data transmitted between the two routers was protected from interception, tampering, or eavesdropping.
With the configurations in place, we shifted our focus to testing and validation. We first tested the road warrior VPN by connecting as Alice, Bob, and Charles, ensuring that each user’s access was aligned with the policy’s role-based access control rules. We also validated the security of the IPSec site-to-site VPN tunnel, ensuring that traffic between the Main and Internal routers was encrypted and no unencrypted packets were transmitted.
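As an added example (not the project's own configuration), the pf rules below show how the Main Firewall-Router can enforce the two VPNs described in this task: the role-based access for road warriors and the IPSec tunnel towards the Internal Firewall-Router. Everything concrete is an assumption: the interface names (OPNsense names its OpenVPN server interface `ovpns1`; decrypted IPsec traffic is filtered on `enc0`), the address plan, the public IP of the Internal Firewall-Router, and the per-user VPN addresses, which presume OpenVPN was configured with `client-config-dir` and `ifconfig-push` so that Alice, Bob and Charles always receive the same address. The rules are meant to sit inside a default-deny ruleset such as the one for Task 1.

```pf
# Added example, not the project's ruleset: VPN-related pf rules for the Main Firewall-Router.
# Interface names, addresses and the pinned per-user VPN addresses are assumptions.
wan_if   = "em0"
ovpn_if  = "ovpns1"   # OpenVPN server interface (OPNsense naming, assumed)
ipsec_if = "enc0"     # interface on which FreeBSD pf sees decrypted IPsec traffic

internal_net = "10.0.3.0/24"     # Internal Server network behind the Internal Firewall-Router
internal_fw  = "198.51.100.20"   # assumed public address of the Internal Firewall-Router
alice        = "10.8.0.10"       # operator (address pinned by OpenVPN ifconfig-push)

table <employees> const { 10.8.0.20, 10.8.0.30 }                  # Bob, Charles
table <main_site> const { 10.0.1.0/24, 10.0.2.0/24 }              # DMZ and Client segments
table <company>   const { 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 } # all company networks

# --- Road-warrior VPN: OpenVPN listens on the public WAN address ---
pass in quick on $wan_if inet proto udp from any to ($wan_if) port 1194 keep state

# Role-based access. The block comes first: with "quick" rules the first match wins,
# so employees are stopped before the broader pass rule can admit them.
block in log quick on $ovpn_if inet from <employees> to $internal_net
pass in quick on $ovpn_if inet from $alice to <company> keep state
pass in quick on $ovpn_if inet from <employees> to <company> keep state
block in log quick on $ovpn_if inet all   # unknown tunnel addresses get nothing

# --- Site-to-site IPSec with the Internal Firewall-Router ---
# IKE (UDP 500, and 4500 for NAT traversal) and ESP, only between the two gateways.
pass in  quick on $wan_if inet proto udp from $internal_fw to ($wan_if) port { 500, 4500 } keep state
pass out quick on $wan_if inet proto udp from ($wan_if) to $internal_fw port { 500, 4500 } keep state
pass in  quick on $wan_if inet proto esp from $internal_fw to ($wan_if)
pass out quick on $wan_if inet proto esp from ($wan_if) to $internal_fw

# Safety net for the "no unencrypted packets" requirement: if the tunnel is down,
# site traffic is dropped on the WAN rather than sent in the clear.
block out log quick on $wan_if inet from <main_site> to $internal_net
block in  log quick on $wan_if inet from $internal_net to <main_site>

# Decrypted tunnel traffic is filtered on the IPsec interface.
pass in  quick on $ipsec_if inet from $internal_net to <main_site> keep state
pass out quick on $ipsec_if inet from <main_site> to $internal_net keep state
```

The validation described above maps directly onto these rules: connecting as Bob and attempting to reach the Internal Server network should produce a hit on the first `block ... on $ovpn_if` rule in the pf log, while a capture on the WAN interface during site-to-site traffic should show only ESP and IKE packets, with the two `block ... on $wan_if` rules logging anything that would otherwise have leaked.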
This task provided a real-world application of VPN technologies and network security concepts.
For a more detailed breakdown of our process, you can refer to our Report:
The third and final task of the project focused on hardening the network. Unlike the previous tasks, this one required a more holistic approach to network security. Our objective was to protect the network from potential threats by strengthening system configurations, securing host operations, and enhancing the defenses of services already in place.
The first step in our project was to develop a comprehensive Protection Plan, serving as a strategic roadmap for implementing security measures. This process began with a thorough analysis of potential threats and vulnerabilities that could impact the network. We carefully assessed attack vectors across the key components and adopted a structured approach by dividing the tasks into three primary planes: management plane, control plane, and data plane.
For the management plane, we prioritized hardening administrative configurations and services to ensure robust protection:
Changed the default passwords
Switched from HTTP to HTTPS for secure access to OPNsense
Disabled SSH connections on OPNsense to limit unauthorized access
Configured the NTP service to maintain accurate time synchronization
Set up Greenbone to perform periodic vulnerability scans on the network
Allowed firewalls to send logs to the syslog server for centralized monitoring
Implemented a Reverse Proxy for additional security
For the control plane, we focused on securing network traffic and filtering protocols:
Limited ICMP traffic to 10 Kbit/s to reduce the risk of denial-of-service attacks
Filtered ICMP Redirects and Unreachable messages to mitigate potential misuse
Once the security measures were in place, we proceeded with the Evaluation Phase. Each test was conducted methodically, and the results were used to assess the effectiveness of the implemented measures. If any issues were detected, we revised the configuration accordingly.
For this task, we were given significantly more freedom compared to the previous assignments. While previous tasks provided clear, detailed guidelines, this task encouraged independent decision-making. We were responsible for identifying vulnerabilities, selecting the appropriate security measures, and justifying each of our choices.
For a more detailed breakdown of our process, you can refer to our Report: