Thursday, 30 December 2010

CROSSWORD PUZZLE

Answers:
  1. Layer 2 forwarding protocol
  2. Data Encryption Standard
  3. Secure hash algorithm
  4. Advanced Encryption Standard
  5. Diffie-Hellman
  6. RSA
  7. Generic Routing Encapsulation
  8. Layer 2 Tunneling Protocol
  9. 3 DES
  10. IPSEC
  11. PPTD
  12. Message Digests

Lab 9.3.3 Troubleshooting Physical Connectivity


Step 1: Build the network and configure the hosts
a. Ask your instructor to set up a network topology similar to the one shown with a preconfigured Host-A client computer, integrated router, server, and router. Initially, correct and properly functioning cabling is used so that end-to-end connectivity can be verified. The instructor then introduces cabling problems in each scenario.
b. Problems can consist of using the wrong type of cable between two devices (straight-through or crossover) or using a defective cable (miswired or improperly terminated). Observe device interface link lights, visually inspect cables, and use a cable tester to determine the problems.
c. Complete steps 2 and 3 of this lab before the instructor introduces problems.
Step 2: Record the correct cable types used between devices
a. Refer to the topology diagram and record the cable type that should be used (straight-through or crossover) based on the devices being connected. Have your instructor verify this information before proceeding.
b. Which type of cable should be used from Host-A to the integrated router?
Answer: Straight-through cable
c. Which type of cable should be used from the integrated router (router portion) to Hub/Switch?
Answer: Straight cable
d. Which type of cable should be used from Hub/Switch to Router?
Answer: Straight cable
e. Which type of cable should be used from Router to Server?
Answer: Crossover cable

Step 3: Record the IP address information for the computers
a. Use the ipconfig command, or get the IP address of Host-A from your instructor, and record it here. Host-A IP address:
Answer: DHCP 192.168.1.x
b. Get the server IP address from your instructor and record it here. Server IP address:
c. Before starting on problem scenarios, verify end-to-end connectivity by pinging from Host-A to Server.
If you do not get a reply from the server, check with your instructor. There may be a problem with the initial hardware or software setup.

Step 4: Scenario 1
a. After your instructor sets up the problem, use visual inspection and a cable tester to isolate the problem.
b. Ping from Host-A to Server. What happened?
Answer: Host-A cannot reach the destination host (Server).
c. Check the LED link lights on the various device interfaces. Write down any that are not lit.
Answer: The Host-A NIC LED and the LED on the front of the integrated router's switch that corresponds to the port where Host-A is connected.
d. Disconnect and inspect the cable connecting the network interfaces that were not lit. Describe the problem and how you were able to identify it.
Answer: Problem: wrong cable type between Host-A and the integrated router (crossover instead of straight-through). Visual inspection can reveal the wrong cable type based on what was identified in Step 2. A basic cable tester will show that the wire continuity is good but that this is a crossover cable. A straight-through cable should be used to connect a host to a switch/hub (or to the switch ports of the integrated router).
e. What did you do to correct the problem?
Answer: Replaced the crossover cable
f. When the problem is corrected, retest and verify end-to-end connectivity by pinging from Host-A to Server. Was the ping successful?

Step 5: Scenario 2
a. After your instructor sets up the problem, use visual inspection and a cable tester to isolate the problem. 
b. Ping from Host-A to Server. What happened?
Answer: Host-A cannot reach the destination host (Server)
c. Check the LED link lights on the various device interfaces. Write down any that are not lit.
d. Disconnect and inspect the cable connecting the network interfaces that were not lit. Describe the problem and how you were able to identify it.
e. What did you do to correct the problem?
f. When the problem is corrected, retest and verify end-to-end connectivity by pinging from Host-A to Server. Was the ping successful?

Step 6: Scenario 3
a. After your instructor sets up the problem, use visual inspection and a cable tester to isolate the problem. 
b. Ping from Host-A to Server. What happened?
c. Check the LED link lights on the various device interfaces. Write down any that are not lit.
d. Disconnect and inspect the cable connecting the network interfaces that were not lit. Describe the problem and how you were able to identify it.
e. What did you do to correct the problem?
f. When the problem is corrected, retest and verify end-to-end connectivity by pinging from Host-A to Server. Was the ping successful?

Step 7: Scenario 4
a. After your instructor sets up the problem, use visual inspection and a cable tester to isolate the problem. 
b. Ping from Host-A to Server. What happened?
c. Check the LED link lights on the various device interfaces. Write down any that are not lit.
d. Disconnect and inspect the cable connecting the network interfaces that were not lit. Describe the problem and how you were able to identify it.
e. What did you do to correct the problem?
f. When the problem is corrected, retest and verify end-to-end connectivity by pinging from Host-A to Server. Was the ping successful?

Step 8: Reflection 
a. What are some general rules to help you determine which type of Ethernet cable (straight-through or crossover) to use to connect different types of network hosts and devices?
b. Which types of problems can a cable tester detect that might not be determined by visual inspection?

Lab 9.2.7 Troubleshooting Using Network Utilities


Step 1: Build the network and configure the hosts 
a. Have your instructor set up a network topology similar to the one shown with the Host-A client computer, integrated router, server, and router preconfigured. 
b. Work from Host-A to issue commands to troubleshoot problems introduced by the instructor. 
c. All commands are issued from a command prompt window. Open a command prompt window by clicking Start > All Programs > Accessories > Command Prompt. Keep the window open for the duration of the lab.
Step 2: Record the baseline IP address information for computers and integrated router
NOTE: Perform this step before the instructor introduces problems. 
a. Host-A configuration—Issue the command that displays the IP address information for Host-A, including the DNS server, and record the information below. Which command did you use? 
Answer: ipconfig /all
IP address: May vary – 192.168.1.x
Subnet mask: 255.255.255.0
Default gateway IP address:  May vary – 192.168.1.1
DNS server IP address:  Will vary – IP address of Server set by instructor
DHCP server IP address: May vary – 192.168.1.1
How did Host-A obtain its IP address? DHCP from integrated router 

b. Integrated router configuration—From Host-A, open a browser and go to the integrated router GUI by entering 192.168.1.1 as the URL address. Log in to the integrated router using the default user ID and password (check with your instructor if necessary). Check the internal and external IP address information and record it below.
Answer:
Internal IP address: Setup > Basic Setup – 192.168.1.1
Subnet mask:  255.255.255.0
Is the DHCP server enabled? Yes assigned by DHCP server of Router – Set by instructor
Subnet mask: Assigned by DHCP server from Router – Set by instructor
Default gateway IP address: IP address of next hop interface on Router – Set by instructor
DNS server IP address: IP address of Server – Set by instructor 

c. Server configuration—Obtain the Server IP configuration from your instructor and record the information below.
Answer:
IP address: Static set by instructor
Subnet mask: Static set by instructor
Default gateway IP address: Static set by instructor – IP address of next hop interface on Router
Web Server 1 protocol and name: (May vary – Live CD server name is http://server-1.discovery.ccna)
Web Server 2 protocol and name: (May vary – Live CD server name is http://server-1.discovery.ccna)
FTP Server 1 protocol and name: (May vary – Live CD server name is http://server-1.discovery.ccna)
FTP Server 2 protocol and name: (May vary – Live CD server name is http://server-1.discovery.ccna)

Step 3: Scenario 1—Diagnose Web server access
 
a. After your instructor sets up the problem for this scenario, use various utilities to diagnose the problem. 
b. Open your browser and enter the name of the Web Server 1 from Step 2. What happened?
Answer: Host-A is unable to reach the server website
c. Which commands did you use to diagnose the problem?
Answer: 1. Browse by name and IP fails. 2. Ping server by name succeeds.
d. Report the problem or suspected problem to the instructor. What was the problem?
Answer: Problem: Web server software was disabled. Network connectivity tested good. DNS is working. Must be a problem with the HTTP server.
e. What did you do to correct the problem, if anything?
Answer: Nothing the student can do but report the suspected problem to the instructor to start the HTTP server.
f. You may need to contact the instructor to correct the problem. When the problem is corrected, retest and verify access to the server.

Step 4: Scenario 2—Diagnose Web server access 
a. After your instructor sets up the problem for this scenario, use various utilities to diagnose the problem. 
b. Open your browser and enter the name of the Web Server 2 from Step 2. What happened?
Answer: Host-A is unable to reach the server website
c. Which commands did you use to diagnose the problem?
Answer: 1. Browse by name fails. 2. Browse by IP succeeds. 3. Ping by name fails. 4. Ping by IP succeeds. nslookup for http://server-2.discovery.ccna reveals that the server name is associated with the wrong IP address.
d. Report the problem or suspected problem to the instructor. What was the problem?
Answer: Web server software enabled and physical connectivity present, but DNS server has incorrect name/address resolution. Browser can get to web server by IP but not by name. Network connectivity tested good. Suspected DNS server could be down, but nslookup discovered bad entry in DNS table.
e. What did you do to correct the problem, if anything?
Answer: Nothing the student can do but report the suspected problem to the instructor, or the student can browse to http://server-1.discovery.ccna, which resolves to the correct IP address. If DNS is running stale information, the solution could be to wait for the information to expire and then flush tables (not possible without admin access) or redirect the client to another name server.
f. You may need to contact the instructor to correct the problem. When the problem is corrected, retest and verify access to the server.

Step 5: Scenario 3—Diagnose FTP server access 
a. After your instructor sets up the problem for this scenario, use various utilities to diagnose the problem.
b. Use your FTP client (CLI or GUI) to connect to FTP Server 1 from Step 2. What happened?
Answer: Host-A is unable to reach the FTP site
c. Which commands did you use to diagnose the problem?
Answer: 1. FTP client to server by name fails. 2. FTP client by IP fails. 3. Ping to server by name or IP fails. 4. Ipconfig on Host-A shows correct IP info. Tracert to server fails at router connected to server.
d. Report the problem or suspected problem to the instructor. What was the problem?
Answer: FTP server software enabled, but physical connection to server not present. FTP and ping network connectivity testing failed. Host-A IP config is OK. Traceroute indicated problem at router connected to server. Visual inspection reveals cable to server NIC is disconnected.
e. What did you do to correct the problem, if anything?
Answer: Connect cable to server NIC and retest to verify that this is the only problem
f. You may need to contact the instructor to correct the problem. When the problem is corrected, retest and verify access to the server.

Step 6: Scenario 4—Diagnose FTP server access 
a. After your instructor sets up the problem for this scenario, use various utilities to diagnose the problem. 
b. Use your FTP client (CLI or GUI) to connect to FTP Server 2 from Step 2. What happened?
Answer: Host-A is unable to reach the server FTP site
c. Which commands did you use to diagnose the problem?
Answer: 1. FTP client to server by name fails. 2. FTP client by IP fails. 3. Ping to server by name or IP fails. 4. Ping to default gateway (integrated router internal address) fails. 5. Ipconfig on Host-A shows incorrect static IP info. 6. Tracert fails at integrated router.
d. Report the problem or suspected problem to the instructor. What was the problem?
Answer: Problem: FTP server software enabled and physical connection present, but local host has wrong static IP address and is not configured as DHCP client. FTP and ping to server testing failed. The ipconfig command indicated that Host-A had a noncompatible static address. Host-A should be a DHCP client.
e. What did you do to correct the problem, if anything?
Answer: Configure Host-A as DHCP client, and retest to verify that this is the only problem
f. You may need to contact the instructor to correct the problem. When the problem is corrected, retest and verify access to the server.

Step 7: Scenario 5—Diagnose Telnet server access problem 
a. After your instructor sets up the problem for this scenario, use various utilities to diagnose the problem. 
b. Use a Telnet client (CLI or GUI) to connect to the name of Server 1 identified in Step 2. What happened?
Answer: Host-A is unable to reach the Telnet server
c. Which commands did you use to diagnose the problem?
Answer: 1. Telnet client to server by name fails. 2. Telnet client to server by IP fails. 3. Ping to server by name or IP fails. 4. Ping to default gateway (integrated router internal address) succeeds. 5. Ipconfig on Host-A shows correct IP info. Tracert to server fails at router connected to server.
d. Report the problem or suspected problem to the instructor. What was the problem?
Answer: Problem: Telnet server software enabled, but the wrong cable type (straight-through) used to connect the server. Server NIC and router interface are both hosts and are considered to be like devices. Should be a crossover instead of a straight-through cable, because there is no switch or hub in between. Telnet and ping to server testing failed. Host-A IP config is OK and Host-A can ping its default gateway. Traceroute indicated problem at router connected to server. Visual inspection reveals cable to server NIC is wrong type.
e. What did you do to correct the problem, if anything? 
Answer: Replace the straight-through cable from server to router with a crossover cable and retest
f. You may need to contact the instructor to correct the problem. When the problem is corrected, retest and verify access to the server.
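
The checks used in Scenarios 1 to 5 can be ordered from the lowest layer upward so that each result narrows the fault to one area. The following is an added example, not part of the original lab: the observation records are constructed, the addresses are placeholders, and the fault-area names are hypothetical labels.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Observations:
    """Check results recorded by hand at Host-A's command prompt."""
    ip_config_ok: bool          # ipconfig /all matches the Step 2 baseline
    ping_gateway: bool          # ping to the integrated router's internal address
    ping_server_ip: bool        # ping to the server by IP address
    resolved_ip: Optional[str]  # address nslookup returned for the server name
    expected_ip: str            # server address from the Step 2 baseline
    service_by_ip: bool         # browser / FTP / Telnet client to the IP address


def diagnose(o: Observations) -> Tuple[str, str]:
    """Return (fault area, next action), checking the lowest layers first."""
    if not o.ip_config_ok:
        return ("host-config",
                "fix Host-A addressing (the lab expects a DHCP client)")
    if not o.ping_gateway:
        return ("local-link",
                "check cable and link LEDs between Host-A and the integrated router")
    if not o.ping_server_ip:
        return ("remote-path",
                "run tracert, then inspect the cable at the last hop that answers")
    if o.resolved_ip is None:
        return ("dns", "no answer from the DNS server; report it")
    if o.resolved_ip != o.expected_ip:
        return ("dns", "name resolves to the wrong address; report the bad record")
    if not o.service_by_ip:
        return ("service",
                "network and DNS are fine; ask for the server software to be started")
    return ("ok", "no fault found")


# Constructed observations, one per scenario in this lab (placeholder addresses).
SERVER = "10.0.0.10"
SCENARIOS: Dict[int, Observations] = {
    1: Observations(True, True, True, SERVER, SERVER, False),       # HTTP server stopped
    2: Observations(True, True, True, "10.0.0.99", SERVER, True),   # bad DNS record
    3: Observations(True, True, False, SERVER, SERVER, False),      # server cable unplugged
    4: Observations(False, False, False, None, SERVER, False),      # wrong static IP on Host-A
    5: Observations(True, True, False, SERVER, SERVER, False),      # wrong cable type at server
}


def diagnose_all() -> Dict[int, str]:
    """Fault area for every constructed scenario."""
    return {n: diagnose(o)[0] for n, o in SCENARIOS.items()}


if __name__ == "__main__":
    for number, obs in SCENARIOS.items():
        area, action = diagnose(obs)
        print(f"Scenario {number}: {area} -> {action}")
```

Scenarios 3 and 5 land in the same area because both faults are cabling at the server; only the visual inspection tells them apart.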

Step 8: Scenario 6—Analyze TCP connections to Host-A 
a. Ask your instructor to verify that all problems introduced with the lab setup have been corrected. Using the appropriate clients, connect to the Web, FTP, and Telnet servers simultaneously from Host-A. 
b. From the command line, issue a command to display the current active TCP connections to Host-A with names of the servers and protocols. Which command did you use?
Answer: netstat
c. Which named connections did you see?
Answer: HTTP, FTP, Telnet, and possibly others
d. From the command line, issue a command to display the current active TCP connections to Host-A with IP addresses and protocol port numbers. Which command did you use? 
Answer: netstat -n
e. Which IP addresses and port numbers did you see?
Answer: Should see the foreign IP address of the server and ports 80 (HTTP), 21 (FTP), 23 (Telnet), and possibly others.
f. From the command line, issue a command to display the current active TCP connections to Host-A, along with the program that created the connection. Which command did you use?
Answer: netstat -b
g. Which program executable (filename with an .exe extension) is listed for each of the connections?
Answer: Executables for each client (GUI or CLI) used to initiate the connection: iexplore.exe, ws-ftp.exe, ftp.exe, telnet.exe, and so on.
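
The three ports this step expects to see (80, 21 and 23) all carry unencrypted protocols, so the same `netstat -n` listing doubles as a quick inventory of cleartext sessions on a host. The following is an added example, not part of the original lab; the sample output and its addresses are constructed.

```python
from typing import Dict, List, Tuple

# Ports named in this lab step; HTTP, FTP and Telnet all send data unencrypted.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# Constructed sample in the layout printed by Windows "netstat -n".
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.100:1045     10.10.10.5:80          ESTABLISHED
  TCP    192.168.1.100:1046     10.10.10.5:21          ESTABLISHED
  TCP    192.168.1.100:1047     10.10.10.5:23          ESTABLISHED
  TCP    192.168.1.100:1051     10.10.10.7:443         ESTABLISHED
  TCP    192.168.1.100:1039     10.10.10.5:23          TIME_WAIT
"""


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse the TCP rows of 'netstat -n' output; headers and other lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        _, local, foreign, state = fields
        # Split on the last colon so bracketed IPv6 addresses ([::1]:80) also work.
        host, _, port = foreign.rpartition(":")
        if not port.isdigit():
            continue
        conns.append({
            "local": local,
            "remote_host": host.strip("[]"),
            "remote_port": int(port),
            "state": state,
        })
    return conns


def cleartext_sessions(text: str) -> List[Tuple[str, str, int]]:
    """Return (service, remote host, port) for established cleartext sessions."""
    return [
        (CLEARTEXT_PORTS[c["remote_port"]], c["remote_host"], c["remote_port"])
        for c in parse_netstat(text)
        if c["state"] == "ESTABLISHED" and c["remote_port"] in CLEARTEXT_PORTS
    ]


if __name__ == "__main__":
    for service, host, port in cleartext_sessions(SAMPLE):
        print(f"{service:7s} {host}:{port}")
```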

Step 9: Reflection 
a. When troubleshooting the problem scenarios during this lab, which troubleshooting technique did you use primarily (top-down, bottom-up, or divide and conquer)?
Answer: Mostly top-down
b. Which utility or command do you feel was the most useful for network troubleshooting?
Answer: probably ping

Wednesday, 29 December 2010

Lab 8.4.3 Performing a Vulnerability Analysis


Step 1: Download and install MBSA 
a. Open a browser and go to the MBSA web page at: http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
b. What is the latest version of MBSA available?
Answer: Currently 2.0.1
c. What are some of the features MBSA provides?  Answers will vary – From website: “detect common security misconfigurations and missing security updates on your computer systems” 
d. Scroll down the page and select the desired language to begin the download process. 
e. Click Continue to validate the copy of Microsoft Windows you are running. 
f. Click Download Files below and select the file you want to download. (The English setup file is MBSASetup-EN.msi). Click the Download button on the right of this file. How many megabytes is the file to download? Answer: 11.5 MB
g. When the File Download – Security Warning dialog box displays, click Save and download the file to a specified folder or the desktop. You can also run it from the download website. 
h. Once the download is complete, make sure all other applications are closed. Double-click the downloaded file. Click Run to start the Setup program, and then click Run if you are prompted with a Security Warning. Click Next on the MBSA Setup screen. 
i. Select the radio button to accept the license agreement and click Next. Accept the defaults as the install progresses, and then click Finish. Click OK on the final MBSA Setup screen, and close the folder to return to the Windows desktop.
Step 2: Build the network and configure the hosts 
a. Connect the host computer(s) to the integrated router, a hub, or a switch as shown in the topology diagram. Host-A is the test station where MBSA will be installed. The server is optional. 
b. Set the IP configuration for the host(s) using Windows XP Network Connections and TCP/IP properties. If the host is connected to the integrated router, configure it as a DHCP client; otherwise go to Step 1d. 
c. If the host is connected to a hub or switch and a DHCP server is not available, configure it manually by assigning a static IP address. Which IP address and subnet mask does Host-A and the server (optional) have?
Answer: 192.168.1.X and 255.255.255.0. Default gateway is not required but could be set to 192.168.1.1 (the default IP address of the integrated router, if present).
IP Address : 192.168.24.09
Subnet Mask : 255.255.255.0

Step 3: Run MBSA on a host 
a. Double-click the desktop icon for MBSA or run it from Start > All Programs. When the main screen displays, which options are available?
Answer: Scan a computer, Scan more than one computer, and View existing security reports.
- Pick a computer to scan 
- Pick multiple computers to scan
- Pick a security report to view 
- Help 
- About 
- Microsoft Security Web Site
 
Step 4: Select a computer to scan 
a. On the left side of the screen, click Pick a computer to scan. The computer shown as the default is the one on which MBSA is installed. 
b. What are the two ways to specify a computer to be scanned? 
Answer: By name and by IP address.
c. Accept the default computer to be scanned. De-select Check for IIS and SQL administrative vulnerabilities, since these services are not likely to be installed on the computer being scanned. Click Start Scan.

Step 5: View security update scan results 
a. View the security report. What are the results of the security update scan? 
Answer: See screen below for possibilities. Missing Security Updates are indicated by a red X in the Score column. Missing Update Rollups and Service Packs are indicated by a yellow X.
b. If there are any red or yellow Xs, click How to correct this. Which solution is recommended?
Answer: Most often to download updates and service packs from the Microsoft Update website

Step 6: View Windows scan results in the security report 
a. Scroll down to view the second section of the report that shows Windows Scan Results. Were there any administrative vulnerabilities identified?
Answer: See screen below for some possibilities
b. On the Additional System Information section of the screen (below), in the Issue column for Services, click What was scanned, and click Result details under the Result column to get a description of the check that was run. What did you find? When finished, close both popup windows to return to the security report. 
Answer: Telnet and some other services may be installed and running. Port numbers will be listed

Step 7: View Desktop Application Scan Results in the Security report 
a. Scroll down to view the last section of the report that shows Desktop Applications Scan Results. Were there any administrative vulnerabilities identified?
Answer: See screen below for some possibilities.
b. How many Microsoft Office products are installed?
Answer: Too many, more than 10
c. Were there any security issues with Macro Security for any of them?

Step 8: Scan a server, if available 
a. If a server with various services is available, click Pick a computer to scan from the main MBSA screen and enter the IP address of the server, and then click Start Scan. Which security vulnerabilities were identified?
Answer: This can be a live server if the host has physical and logical access to it and organizational policies permit scanning the live network
b. Were there any potentially unnecessary services installed? Which port numbers were they on?
Answer: Could include Telnet, HTTP, FTP, and so on, with corresponding port numbers

Step 9: Uninstall MBSA using Control Panel Add/Remove Programs 
a. This step is optional, depending on whether the host will be automatically restored later by a network process. 
b. To uninstall MBSA, click Start > Control Panel > Add/Remove Programs. Locate the MBSA application and uninstall it. It should be listed as Microsoft Baseline Security Analyzer 2.0.1. Click Remove, and then click Yes to confirm removal of the MBSA application. When finished, close all windows to return to the desktop.

Step 10: Reflection 
a. The MBSA tool is designed to identify vulnerabilities for Windows-based computers. Search the Internet for other tools that might exist. List some of the tools discovered. Answers will vary.
Answer:
  • Client versions of Windows, including Windows
  • Windows Server, including Windows Server 2008
  • SQL Server
  • Internet Information Server (IIS)
  • Internet Explorer
  • Microsoft Office
b. Which tools might there be for non-Windows computers? Search the Internet for other tools that might exist and list some of them here.
c. Which other steps could you take to help secure a computer against Internet attacks?

Lab 8.4.2 Configuring Access Policies and DMZ Settings


Part 1 – Configuring access policies
Step 1: Build the network and configure the hosts 
a. Connect the host computers to switch ports on the multi-function device as shown in the topology diagram. Host-A is the console and is used to access the Linksys GUI. Host-B is initially a test machine but later becomes the DMZ server. 
b. Configure the IP settings for both hosts using Windows XP Network Connections and TCP/IP properties. Verify that Host-A is configured as a DHCP client. Assign a static IP address to Host-B in the 192.168.1.x range with a subnet mask of 255.255.255.0. The default gateway should be the internal local network address of the Linksys device.
NOTE: If Host-B is already a DHCP client, you can reserve its current address and make it static using the DHCP Reservation feature on the Linksys Basic Setup screen.
c. Use the ipconfig command to display the IP address, subnet mask, and default gateway for Host-A and Host-B and record them in the table. Obtain the IP address and subnet mask of the external server from the instructor and record it in the table.

Host | IP Address | Subnet Mask | Default Gateway
Host A | 192.168.24.9 | 255.255.255.0 | 192.168.24.1
Host-B / DMZ Server | 192.168.34.9 | 255.255.255.0 | 192.168.34.1
External Server | 192.168.44.9 | 255.255.255.0 | 192.168.44.1
 
Step 2: Log in to the user interface 
a. To access the Linksys or multi-function device web-based GUI, open a browser and enter the default internal IP address for the device, normally 192.168.1.1. 
b. Log in using the default user ID and password, or check with the instructor if they are different. 
c. The multi-function device should be configured to obtain an IP address from the external DHCP server. The default screen after logging in to the multi-function device is Setup > Basic Setup. What is the Internet connection type?
Answer: wireless internet connection
d. What is the default router (internal) IP address and subnet mask for the multi-function device?
Answer: IP address: 192.168.1.1, Subnet mask: 255.255.255.0
e. Verify that the multi-function device has received an external IP address from the DHCP server by clicking the Status > Router tab. 
f. What is the external IP address and subnet mask assigned to the multi-function device?
Answer: IP address: 192.168.2.1, Subnet mask: 255.255.255.0
 
Step 3: View multi-function device firewall settings 
a. The Linksys WRT300N provides a basic firewall that uses Network Address Translation (NAT). In addition, it provides additional firewall functionality using Stateful Packet Inspection (SPI) to detect and block unsolicited traffic from the Internet. 
b. From the main screen, click the Security tab to view the Firewall and Internet Filter status. What is the status of SPI Firewall protection?
Answer: SPI firewall protection status: enabled.
c. Which Internet Filter checkboxes are selected?
Answer: Internet filters in use: filter anonymous Internet requests, filter IDENT (port 113).
d. Click Help to learn more about these settings. What benefits does filtering IDENT provide?
Answer: It prevents outside intruders from attacking the router through the Internet.
 
Step 4: Set up Internet access restrictions based on IP address
In Lab 7.3.5, you saw that wireless security features can be used to control which wireless client computers can access the multi-function device, based on their MAC address. This prevents unauthorized external computers from connecting to the wireless access point (AP) and gaining access to the internal local network and the Internet.
The multi-function device can also control which internal users can get out to the Internet from the local network. You can create an Internet access policy to deny or allow specific internal computers access to the Internet based on the IP address, MAC address, and other criteria. 
a. From the main multi-function device screen, click the Access Restrictions tab to define Access Policy 1. 
b. Enter Block-IP as the policy name. Select Enabled to enable the policy, and then select Deny to prevent Internet access from a specified IP address. 
c. Click the Edit List button and enter the IP address of Host-B. Click Save Settings and then Close. Click Save Settings to save Internet Access Policy 1 – Block IP. 
d. Test the policy by attempting to access the external web server from Host-B. Open a browser and enter the IP address of the external server in the address area. Are you able to access the server?
Answer: Yes.
e. Change the status of the Block-IP Policy to Disabled and click Save Settings. Are you able to access the server now?
Answer: No
f. What other ways can access policies be used to block Internet access?
Answer: using a proxy
 
Step 5: Set up an Internet access policy based on an application
You can create an Internet access policy to block specific computers from using certain Internet applications or protocols on the Internet. 
a. From the main Linksys GUI screen, click the Access Restrictions tab to define an Internet Access Policy. 
b. Enter Block-Telnet as the policy name. Select Enabled to enable the policy, and then click Allow to permit Internet access from a specified IP address as long as it is not one of the applications that is blocked. 
c. Click the Edit List button and enter the IP address of Host-B. Click Save Settings and then Close. What other Internet applications and protocols can be blocked? 
d. Select the Telnet application from the list of applications that can be blocked and then click the double right arrow to add it to the Blocked List. Click Save Settings. 
e. Test the policy by opening a command prompt using Start > All Programs > Accessories > Command Prompt. 
f. Ping the IP address of the external server from Host-B using the ping command. Are you able to ping the server?
Answer: Yes.
g. Telnet to the IP address of the external server from Host-B using the command telnet A.B.C.D (where A.B.C.D is the IP address of the server). 
h. Are you able to telnet to the server?
Answer: No.
NOTE: If you are not going to perform lab Part 2 at this time and others will be using the equipment after you, skip to Step 3 of Part 2 and restore the multi-function device to its default settings.
 
Part 2 – Configuring a DMZ on the multi-function device
Step 1: Set up a simple DMZ
It is sometimes necessary to allow access to a computer from the Internet while still protecting other internal local network computers. To accomplish this, you can set up a demilitarized zone (DMZ) that allows open access to any ports and services running on the specified server. Any requests made for services to the outside address of the multi-function device will be redirected to the server specified. 
a. Host-B will act as the DMZ server and should be running HTTP and Telnet servers. Verify the Host-B has a static IP address or, if Host-B is a DHCP client, you can reserve its current address and make it static using the DHCP Reservation feature on the Linksys device Basic Setup screen. 
b. From the main Linksys GUI screen, click the Applications & Gaming tab then click DMZ. 
c. Click Help to learn more about the DMZ. For what other reasons might you want to set up a host in the DMZ? Answer: because a DMZ is useful for adding a layer of security to the LAN.
d. The DMZ feature is disabled by default. Select Enabled to enable the DMZ. Leave the Source IP Address selected as Any IP Address, and enter the IP address of Host-B in the Destination IP address. Click Save Settings and click Continue when prompted. 
e. Test basic access to the DMZ server by pinging from the external server to the outside address of the multi-function device. Use the ping -a command to verify that it is actually the DMZ server responding and not the multi-function device. Are you able to ping the DMZ server?
Answer: Yes.
f. Test HTTP access to the DMZ server by opening a browser on the external server and pointing to the external IP address of the multi-function device. Try the same thing from a browser on Host-A to Host-B using the internal addresses. Are you able to access the web page?
Answer: Yes.
g. Test Telnet access by opening a command prompt as described in Step 5. Telnet to the outside IP address of the multi-function device using the command telnet A.B.C.D (where A.B.C.D is the outside address of the multi-function device). Are you able to telnet to the server?
Answer: No.
 
Step 2: Set up a host with single port forwarding
The basic DMZ hosting set up in Step 6 allows open access to all ports and services running on the server, such as HTTP, FTP, and Telnet. If a host is to be used for a particular function, such as FTP or web services, access should be limited to the type of services provided. Single port forwarding can accomplish this and is more secure than the basic DMZ, because it only opens the ports needed. Before completing this step, disable the DMZ settings for step 1.
Host-B is the server to which ports are forwarded, but access is limited to only HTTP (web) protocol.
a. From the main screen, click the Applications & Gaming tab, and then click Single Port Forwarding to specify applications and port numbers.
b. Click the pull-down menu for the first entry under Application Name and select HTTP. This is the web server protocol port 80.
c. In the first To IP Address field, enter the IP address of Host-B and select Enabled. Click Save Settings.
d. Test HTTP access to the DMZ host by opening a browser on the external server and pointing to the outside address of the multi-function device. Try the same thing from a browser on Host-A to Host-B. Are you able to access the web page?
Answer: Yes.
e. Test Telnet access by opening a command prompt as described in Step 5. Attempt to telnet to the outside IP address of the multi-function device using the command telnet A.B.C.D (where A.B.C.D is the outside IP address of the multi-function device). Are you able to telnet to the server?
Answer: No.
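The manual browser and Telnet tests in this step can be repeated as a scripted check. The following is an added example, not part of the original lab: it probes the outside address from the external server and reports every port whose state differs from the exposure Step 2 intends (HTTP reachable, FTP and Telnet not). The function names and the policy table are assumptions made for this illustration.

```python
import socket
import sys

# Exposure expected after Step 2: only HTTP is forwarded to Host-B.
# True = should accept connections from outside, False = should not.
SINGLE_PORT_FORWARD_POLICY = {21: False, 23: False, 80: True}


def port_is_open(host, port, timeout=2.0):
    """Return True if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out) or unreachable
        return False


def audit_exposure(host, policy, timeout=2.0):
    """Return [(port, observed_state)] for every port that violates policy."""
    deviations = []
    for port in sorted(policy):
        observed = port_is_open(host, port, timeout)
        if observed != policy[port]:
            deviations.append((port, "open" if observed else "closed"))
    return deviations


if __name__ == "__main__":
    # Run on the external server; the argument is the outside address (A.B.C.D).
    if len(sys.argv) != 2:
        sys.exit("usage: audit_exposure.py <outside-address>")
    problems = audit_exposure(sys.argv[1], SINGLE_PORT_FORWARD_POLICY)
    for port, state in problems:
        print(f"port {port} is {state}, which does not match the policy")
    sys.exit(1 if problems else 0)
```

An empty result means the device exposes exactly what the port-forwarding entry allows; with the DMZ setting from Step 1 still enabled, any extra service running on Host-B would show up as a deviation.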
 
Step 3: Restore the multi-function device to its default settings
a. To restore the Linksys to its factory default settings, click the Administration > Factory Defaults tab.
b. Click the Restore Factory Defaults button. Any entries or changes to settings will be lost.

Lab 7.3.5 Configuring Wireless Security


Step 1: Plan the security for your home network 
a. List at least six security best practices that you should implement to secure your multi-function device and wireless network.
Answer: 1) Change default values for the SSID, usernames and passwords, 2) Disable broadcast SSID, 3) Configure MAC address filtering, 4) Configure encryption using WEP or WPA, 5) Configure authentication, 6) Configure traffic filtering.
b. Describe what the security risk is for each item. 
Answer: 1) Passwords are changed to prevent neighbors or other people from logging in to your router. 2) SSID should be changed to a unique name. 3) SSID broadcasting is disabled so that the SSID name is not broadcast to others in range of your network. 4) Encryption and authentication prevent hackers from gaining access to the network and intercepting messages. 5) MAC filtering keeps unwanted computers from associating with the AP.
Step 2: Connect a computer to the multi-function device and log in to the web-based utility 
a. Connect your computer (Ethernet NIC) to the multi-function device (port 1 on the Linksys WRT300N) by using a straight-through cable. 
b. The default IP address of the Linksys WRT300N is 192.168.1.1, and the default subnet mask is 255.255.255.0. The computer and Linksys device must be on the same network to communicate with each other. Change the IP address of the computer to 192.168.1.2, and verify that the subnet mask is 255.255.255.0. Enter the internal address of the Linksys device (192.168.1.1) as the default gateway. Do this by clicking Start > Control Panel > Network Connections. Right click on the wireless connection and choose Properties. Select the Internet Protocol (TCP/IP) and enter the addresses as shown below. 
c. Open a web browser, such as Internet Explorer, Netscape, or Firefox and enter the default IP address of the Linksys device (192.168.1.1) into the address field and press Enter. 
d. A screen appears, requesting your user name and password. 
e. Leave the User name field blank and enter admin for the password. It is the default password on the Linksys device. Click OK. Remember that passwords are case-sensitive. 
f. As you make the necessary changes on the Linksys device, click Save Settings on each screen to save the changes or click Cancel Changes to keep the default settings.

Step 4: Change the Linksys device password 
a. The initial screen displayed is the Setup > Basic Setup screen. 
b. Click the Administration tab. The Management tab is selected by default. 
c. Type in a new password for the Linksys device, and then confirm the password. The new password must not be more than 32 characters and must not include any spaces. The password is required to access the Linksys device web-based utility and Setup Wizard. 
d. The Web Utility Access via Wireless option is enabled by default. You may want to disable this feature to further increase security. 
e. Click the Save Settings button to save the information. NOTE: If you forget your password, you can reset the Linksys device to the factory defaults by pressing the RESET button for 5 seconds and then releasing it. The default password is admin.

Step 5: Configure the wireless security settings 
a. Click the Wireless tab. The Basic Wireless Settings tab is selected by default. The Network Name is the SSID shared among all devices on your network. It must be identical for all devices in the wireless network. It is case-sensitive and must not be more than 32 characters. 
b. Change the SSID from the default of linksys to a unique name. Record the name you have chosen: Student Dependant 
c. Leave the Radio Band set to Auto. This allows your network to use all 802.11n, g, and b devices. 
d. For SSID Broadcast, select the Disabled button to disable the SSID broadcast. Wireless clients survey the area for networks to associate with and will detect the SSID broadcast sent by the Linksys device. For added security, do not broadcast the SSID. 
e. Save your settings before going to the next screen.

Step 6: Configure encryption and authentication 
a. Choose the Wireless Security tab on the Wireless screen. 
b. This router supports four types of security mode settings:
  • WEP (Wired Equivalent Privacy)
  • WPA (Wi-Fi Protected Access) Personal, which uses a pre-shared key (PSK)
  • WPA Enterprise, which uses Remote Access Dial In User Service (RADIUS)
  • RADIUS
c. Select WPA Personal Security Mode.
d. On the next screen, choose an Encryption algorithm.
To secure a network, use the highest level of encryption possible within the selected Security Mode. The following Security Modes and Encryption levels are listed from least secure (WEP) to most secure (WPA2 with AES):
  • WEP
  • WPA
      • TKIP (Temporal Key Integrity Protocol)
      • AES (Advanced Encryption System)
  • WPA2
      • TKIP
      • AES
AES is only supported by newer devices that contain a co-processor. To ensure compatibility with all devices, select TKIP. 

e. For authentication, enter a pre-shared key between 8 and 63 characters. This key is shared by the Linksys device and all connected devices. 
f. Choose a key renewal period between 600 and 7200 seconds. The renewal period is how often the Linksys device changes the encryption key. 
g. Save your settings before exiting the screen.
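How the pre-shared key entered in step e becomes the actual 256-bit key is shown in the following added example, which is not part of the original lab. It uses the standard WPA/WPA2 Personal derivation (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations), which the lab text does not spell out; the function names, the sample passphrase and the sample SSID are constructed for this illustration.

```python
import hashlib


def check_passphrase(passphrase):
    """Enforce the WPA Personal rule: 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_psk(passphrase, ssid):
    """Derive the 256-bit key used by WPA/WPA2 Personal.

    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    """
    check_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def keys_differ_by_ssid(passphrase, ssid_a, ssid_b):
    """True if the same passphrase yields different keys on the two SSIDs."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    passphrase = "correct horse battery staple"  # constructed sample value
    for ssid in ("linksys", "Lab7-Bench3"):      # default name vs. constructed unique name
        print(f"{ssid:12} {derive_psk(passphrase, ssid).hex()}")
    # The SSID is the salt, so the key changes when the default SSID is changed.
    print("keys differ:", keys_differ_by_ssid(passphrase, "linksys", "Lab7-Bench3"))
```

Because the SSID is the salt, the unique name chosen in Step 5 changes the derived key even when the passphrase stays the same, and the length check explains the 8 to 63 character limit in step e.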

Step 7: Configure MAC address filtering 
a. Choose the Wireless MAC Filter tab on the Wireless screen. 
b. MAC address filtering allows only selected wireless client MAC addresses to have access to your network. Select the radio button to Permit PCs listed below to access the wireless network. Click the Wireless Client List button to display a list of all wireless client computers on your network. 
c. The next screen allows you to identify which MAC addresses can have access to the wireless network. Click the Save to MAC Address Filter List check box for any client device you want to add, and then click the Add button. Any wireless clients, other than those in the list will be prevented from accessing your wireless network. Save your settings before exiting the screen.

Step 8: Reflection 
a. Which feature that you configured on the Linksys WRT300N makes you feel the most secure and why? Answers will vary. The MAC address filter is a very restrictive method of controlling access.
Answer: MAC address filtering uses the MAC address to identify which devices are allowed to connect to the wireless network. When a wireless client attempts to connect, or associate, with an AP it will send MAC address information. If MAC filtering is enabled, the wireless router or AP will look up its MAC address in a preconfigured list. Only devices whose MAC addresses have been prerecorded in the router’s database will be allowed to connect. 
b. Make a list of other items that could be done to make your network even more secure. Answers include configure MAC/IP filtering to control which type of traffic is allowed to flow on the network; disable unneeded services (Telnet, HTTP, TFTP, and so on).