6 Enterprise Network Security Configuration Concepts

The document outlines a practice lab for CompTIA Security+ focused on enterprise network security configuration concepts. It includes exercises on the importance of security concepts, setting up a honeypot, and covers various topics such as configuration management, data protection, and hardware security modules. The lab aims to enhance hands-on skills and understanding of critical security measures in enterprise environments.

Uploaded by alexvuong22

CompTIA Security+

Enterprise Network Security Configuration Concepts

 Introduction
 Lab Topology
 Exercise 1 - Importance of Security Concepts in an Enterprise Environment
 Exercise 2 - Set up a Honeypot with Pentbox
 Review

Introduction
Configuration Management
Data Sovereignty
Data Protection
Hardware Security Module (HSM)
Geographical Considerations
Cloud Access Security Broker (CASB)
Response and Recovery Controls
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Inspection
Hashing
API Considerations
Site Resiliency
Deception
Disruption
Honeypot

Welcome to the Enterprise Network Security Configuration Concepts
Practice Lab. In this module, you will be provided with the
instructions and devices needed to develop your hands-on skills.

Learning Outcomes
In this module, you will complete the following exercises:

 Exercise 1 - Importance of Security Concepts in an Enterprise Environment
 Exercise 2 - Set up a Honeypot with Pentbox

After completing this module, you should be able to:

 Download and Install Pentbox
 Modify Proxy Server Exceptions
 Test Honeypot Functionality

After completing this module, you should have further knowledge of:

 Configuration Management
 Data Sovereignty
 Data Protection
 Hardware Security Module (HSM)
 Geographical Considerations
 Cloud Access Security Broker (CASB)
 Response and Recovery Controls
 Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Inspection
 Hashing
 API Considerations
 Site Resiliency
 Deception and Disruption

Exam Objectives
The following exam objectives are covered in this lab:

 Configuration Management
 Data Sovereignty
 Data Protection
 Hardware Security Module (HSM)
 Geographical Considerations
 Cloud Access Security Broker (CASB)
 Response and Recovery Controls
 Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Inspection
 Hashing
 API Considerations
 Site Resiliency
 Deception and Disruption

Note: Our main focus is to cover the practical, hands-on aspects of
the exam objectives. We recommend referring to course material or a
search engine to research theoretical topics in more detail.

Lab Duration
It will take approximately 1 hour to complete this lab.

Help and Support

For more information on using Practice Labs, please see our Help
and Support page. You can also raise a technical support ticket
from this page.

Click Next to view the Lab topology used in this module.

Lab Topology
During your session, you will have access to the following lab
configuration.
Depending on the exercises, you may or may not use all of the
devices, but they are shown here in the layout to get an overall
understanding of the topology of the lab.

 PLABDC01 - (Windows Server 2019 - Domain Controller)
 PLABDM01 - (Windows Server 2019 - Domain Member)
 PLABWIN10 - (Windows 10 - Domain Member Workstation)
 PLABKALI - (Kali Linux 2019.4 - Standalone Server)

Click Next to proceed to the first exercise.

Exercise 1 - Importance of Security Concepts in an Enterprise Environment

Enterprise networks are usually large and complex. The more devices
you add to them, the more complexity is added. With an enterprise
network, it is critical to ensure the highest levels of security.
You need to have security controls that are updated on a regular
basis to ensure optimal security.
There are different methods that can add security to a network
environment. For example, having a redundant site ensures that the
redundant site is available even if the primary site goes down. This
is also part of security, since availability is included in the CIA
triad. With a redundant site you ensure availability, which is a
critical aspect of security.

In this exercise, you will learn about various important security
concepts in an enterprise environment.

Learning Outcomes
After completing this exercise, you should have further knowledge
of:

 Configuration Management
 Data Sovereignty
 Data Protection
 Hardware Security Module (HSM)
 Geographical Considerations
 Cloud Access Security Broker (CASB)
 Response and Recovery Controls
 Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Inspection
 Hashing
 API Considerations
 Site Resiliency
 Deception and Disruption

Your Devices
This exercise contains supporting materials for Security+.

Configuration Management

Most organizations define a specific configuration for the endpoints
and servers. Keeping the configuration in the desired state is known
as configuration management. With a configuration management
process, the organization can monitor and manage its systems in a
better way. For example, you roll out the Windows operating system
on all endpoints with only Office 365 installed. Such a uniform
configuration is easy for you to track. This is the configuration
management process.
A user may need to install another application. As part of the
configuration management process, you need to approve this
change and document it. The change is now documented and can
be tracked. You can perform configuration management manually
or use a third-party application to track the changes that are made
to the system configuration and to detect whether any unauthorized
application is installed.

In the configuration management process, each endpoint, server, or
device is known as a configuration item, and configuration items
are tracked using a Configuration Management Database (CMDB).

Several other components play a key role in configuration
management. Some of the key components are described below.

Network Diagrams
A network topology diagram is a visual depiction of a network
architecture. It uses different symbols and connections, which are
represented by lines. A network diagram can help a user
understand the layout of the network.

The network topology diagram should detail out how the network is
designed. It should mention the following (at minimum):

 Devices that are present on the network
 Connectivity between these devices
 IP addresses and names of these devices

Assume a situation in which you have joined an organization as a
Network Administrator. You have been asked to troubleshoot a
network problem. Without the help of a network diagram, it would
take you a while to understand the network architecture. However,
if the network diagram is available, you can visualize the problem
quickly.

It is also important to note that network diagrams are not static. As
new devices are added to or removed from the network, you should
update the corresponding diagram. Even if the IP address of a
server has changed, you should update it on the diagram.

Baseline Configuration
A baseline configuration is based on the configuration parameters
that have been set in an operating system. These parameters define
what is installed in the operating system. A baseline configuration,
once approved and rolled out, serves as a base on which changes
can be implemented.

Before a baseline configuration is rolled out, it is defined with clear
parameters and then tested. For example, an organization may have
a separate baseline for desktops, another one for laptops, and a
third one for the servers. When the baseline configuration is
created, it is tested for stability and security. Once approved, the
baseline configuration is rolled out on the systems and servers.

An administrator monitors systems and servers against the defined
baseline. If a user installs a third-party application without the
approval of the administrator, it is known as a baseline
configuration deviation.

Standard Naming Conventions

An organization can follow a specific naming convention for users,
groups, endpoints, servers, and network devices. For example:

 Users: The username can be a combination of the first name and
the first letter of the surname. For example, Josh Fairbanks' account
can be [email protected]. Alternatively, you can also have
[email protected]. Some organizations may follow another
convention, which is the first letter of the first name followed by
the surname, [email protected].
 Groups: Just like usernames, there is no fixed convention. An
organization may simply name the groups plabmarketing or plabsales.
 Servers: Servers are critical and need to be clearly distinguished
as testing, development, or production servers. For example, a
testing webserver may be named plab-test-web. In the same manner, a
production webserver can be named plab-prod-web.
 Endpoints: The endpoints may be named after their groups or
departments, or can even follow a specific series that is defined
for tracking assets. For example, plab-mkt-josh or plab-ep-001.
 Network Devices: They can also be named using a specific
convention, such as plab-prod-wap1.

There is no specific rule about which naming convention an
organization must follow. It depends on how you want to track user
and group accounts or any other devices on the network. However,
it is critical that one convention is used throughout for all users,
and similarly one convention for all groups. Other conventions can
be used for servers, endpoints, and network devices.

Internet Protocol (IP) Schema

Network configuration management is a subset of the configuration
management process. In network configuration management, you
have to keep track of network devices, their configurations, and the
IP schema that is being used. It is essential for an organization to
use a specific IP schema and manage it through the DHCP server.

It is good practice to reserve separate IP address ranges for servers
and network devices, which are assigned static IP addresses.
Endpoints are instead assigned IP addresses from pools configured on
the DHCP server.

When dealing with a large network with thousands of endpoints,
servers, and network devices, it is critical for the administrator to
plan the entire IP schema carefully to avoid:

 Wastage of IP addresses
 Duplicate subnets
 Duplicate IP addresses

Data Sovereignty

Each country has its own data sovereignty laws, and data sovereignty
refers to the principle that data is subject to the privacy laws of
the country in which it is stored. Those laws specify where
information may be stored and how it is shared and handled. For an
organization working in a global environment, with multiple offices
in different countries, data sovereignty must be considered.

Let's consider the example of a virtual machine in a cloud
environment. When moving a virtual machine from one geographic
location to another in a different country, you may face data
sovereignty issues. Each country has its own data privacy laws. The
data residing inside the virtual machine must comply with the laws
of the country to which you are moving the virtual machine.

Data Protection

Data security is critical to protecting data. When you refer to
data security, you are essentially referring to the confidentiality,
integrity, and availability (CIA) of the data.

 Confidentiality - Protecting the data from falling into the
wrong hands and providing access only on a need-to-know basis.
 Integrity - Maintaining the accuracy and consistency of the
data. It is about protecting the data from any kind of tampering.
 Availability - Making the data available as and when required.
It is about ensuring that the data is available whenever
authorized personnel need to access it.

There are different methods that can be used to protect the CIA of
data within the organization. For example, you can implement
encryption to protect the confidentiality of the data. Similarly, a
method like replication or fault tolerance can provide availability.

Let's look at some of the methods for data protection.

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is a set of rules that are defined to
protect confidential and sensitive information. DLP, as an
application, contains several rules that help you define the type of
data that users can share. For example, when DLP is implemented
within an organization, it can scan outbound Emails and detect
whether any kind of sensitive or confidential information is being
shared.

You can have a rule defined that prevents the sharing of financial
reports or credit card numbers in an Email or its attachments.
Without DLP, it is not possible to track such Emails with
confidential information. However, with a DLP implementation in
place, as the administrator, you can define what type of information
users can share.

When you share information with users within an organization, you
can set permissions, such as forward or print. For example, you send
a confidential management decision to your colleague. You, however,
do not want the colleague to forward or print this Email. Such
restrictions can be defined in the form of permissions.

The key intent of DLP is to tackle insider threats and also to meet
regulation-driven privacy requirements. DLP has three key use
cases:

 Protect personal information - DLP is a good tool if your
organization deals with Personally Identifiable Information (PII),
Protected Health Information (PHI), or credit card information.
These types of information are critical and are considered highly
sensitive. With the help of DLP, this information can be protected.
 Protect Intellectual Property (IP) - DLP can help an
organization protect its IP information. For example, if an
organization is developing a unique product, it becomes critical for
the organization to protect the product-related information. DLP can
help in implementing that protection.
 Bring data visibility - DLP can help you track the information
that is being used by users. For example, you can track who is using
which information and who is sharing or attempting to share
information.
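
The outbound-Email rule described above, written out as an added example (not part of the lab; Ruby is used because Pentbox, the lab's own tool, is written in Ruby): candidate card numbers are matched by pattern, confirmed with the Luhn check so that other 16-digit values such as order IDs do not trigger the rule, and only the last four digits are kept as evidence. Function names and the sample messages are the example's own, constructed data.

```ruby
# Added example (not part of the lab): a minimal DLP rule that scans outbound
# e-mail for credit card numbers, as the rule described above would.
# Candidates are found by pattern and then confirmed with the Luhn check, so
# that ordinary 16-digit values (order IDs, phone numbers) do not cause false
# positives. All sample messages and numbers are constructed test data.

# Luhn checksum: true when the digit string is a structurally valid card number.
def luhn_valid?(digits)
  return false unless digits.match?(/\A\d{13,19}\z/)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    if i.odd?          # every second digit from the right is doubled
      d *= 2
      d -= 9 if d > 9
    end
    sum += d
  end
  (sum % 10).zero?
end

# Candidate pattern: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/

# Return the Luhn-valid card numbers found in a text, separators removed.
def find_card_numbers(text)
  text.scan(CARD_CANDIDATE)
      .map { |m| m.gsub(/[ -]/, "") }
      .select { |d| luhn_valid?(d) }
      .uniq
end

# Keep only the last four digits in the incident record, so the DLP log does
# not itself become a store of card numbers.
def redact_pan(pan)
  "*" * (pan.length - 4) + pan[-4, 4]
end

# Apply the rule to an outbound message ({subject:, body:}). Returns the
# decision and the redacted evidence an administrator would see in the alert.
def dlp_evaluate(message)
  hits = find_card_numbers("#{message[:subject]}\n#{message[:body]}")
  return { action: :allow, evidence: [] } if hits.empty?
  { action: :block, evidence: hits.map { |pan| redact_pan(pan) } }
end
```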

Masking
Data masking hides data by replacing its letters and digits with
substitute characters. After the data is concealed, anyone who views
the masked field sees only the substitute characters. Only an
authorized user is allowed to access the underlying, unmasked data.

Encryption
In most cases, individuals or organizations store data in cleartext
format. In such a scenario, if a hacker gets hold of the data, it is
vulnerable. The hacker can delete, modify, or simply steal the data.
Data encryption software enhances data security by applying an
algorithm that converts normal data into encrypted data, which can
only be read by an authorized individual. If the data is stolen,
depending on the algorithm used, the encrypted data may simply be
useless to the hacker. To an unauthorized person, the ciphertext
will be unreadable.

Data can be encrypted in storage and in transit.

At rest / In transit / In motion / In processing
Data can be in different stages. There are three key stages of any
data that you create or maintain. These stages are:

 Data at rest: This type of data is inactive and is either in
storage or archive. It could be data stored on a hard drive, or
archived or backed up on tapes. For example, a folder with
several files that have been backed up to a tape drive.
 Data in transit/motion: This is data that is travelling over a
network from one device to another, which can be an endpoint, a
server, or even a network device. For example, a file that you are
sending from your system to another system.
 Data in use: This type of data is being changed constantly.
When you are working on a file on your system, the file is data in
use.

To protect data at any stage, you need to ensure that it is
encrypted.

Tokenization
Tokenization is a method of replacing an actual string of data with
unique identification symbols or numbers. This way if anyone gets
hold of the string of text, they cannot decipher it. Tokenization can
be used to protect sensitive information, such as:

 Bank transactions
 Medical records
 Criminal records
 Vehicle driver information
 Loan applications
 Stock trading
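
Masking and tokenization side by side, as an added Ruby example (not from the lab): mask_value produces the concealed form a non-privileged viewer sees, and TokenVault replaces a real value with a random token whose mapping lives only in the vault. The function and permission names are assumed for the illustration and all values are constructed.

```ruby
require "securerandom"

# Added example (not part of the lab): data masking and tokenization.
# mask_value conceals all but the last characters of a string, which is what a
# non-privileged user sees; TokenVault replaces the real value with a random
# token and keeps the mapping in a vault that only authorized callers can
# query. Permission names and sample values are constructed for the example.

# Replace every letter or digit except the last `keep` characters with '*'.
# Separators (spaces, dashes, '@') are preserved so the shape stays readable.
def mask_value(value, keep: 4)
  chars = value.chars
  cutoff = chars.length - keep
  chars.each_with_index.map { |c, i|
    i < cutoff && c.match?(/[[:alnum:]]/) ? "*" : c
  }.join
end

# A tokenization vault: the token is random rather than derived from the
# value, so a leaked token reveals nothing and cannot be reversed outside
# the vault.
class TokenVault
  def initialize
    @by_token = {}
    @by_value = {}
  end

  # Return a stable token for a value, minting one on first sight. The last
  # four characters are kept in the token so operators can still match records.
  def tokenize(value)
    @by_value[value] ||= begin
      suffix = value.length >= 4 ? value[-4, 4] : value
      token = "tok_#{SecureRandom.hex(8)}_#{suffix}"
      @by_token[token] = value
      token
    end
  end

  # Only callers holding the :pii_read permission get the original value back.
  def detokenize(token, permissions)
    raise "detokenize denied" unless permissions.include?(:pii_read)
    @by_token.fetch(token) { raise "unknown token" }
  end
end
```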

Rights Management
DRM or Digital Rights Management is mainly used with music, e-books,
and DVDs. With the use of DRM, the media is protected from cracking,
reproducing, or tampering. It is up to the creator of the media to use
DRM. Any violation of DRM can result in a lawsuit under the Digital
Millennium Copyright Act (DMCA).

Hardware Security Module (HSM)

Most servers need to perform encryption and decryption themselves.
However, when a server does this, a certain amount of its resources
is consumed. A Hardware Security Module (HSM) is a piece of hardware
that is designed to perform cryptographic functions. When you connect
an HSM to a server, the HSM is used for encryption and decryption
rather than consuming the server's resources. Other than encryption
and decryption, an HSM can also be used for secure key generation and
key management.

Some of the key uses of an HSM are:

 Encryption and decryption for Public Key Infrastructure (PKI)
 ATMs
 Banking applications

Geographical Considerations

Whenever you are establishing a datacenter for your organization,
you need to consider the geographical location carefully. For
example, you would want to ensure that a datacenter is not set up
where hurricanes or floods are common. You have to consider
several points before putting up a datacenter. Some of the key
points are:

 Power availability
 Internet service provider's presence
 Type of connectivity available
 Fiber backbone availability
 Locations of the customers

You would not put up a datacenter in a location where power is
scarce. It can cost thousands of dollars per month to run your
organization on power backup systems. Another example is that if
you are close to the customers, it gives them good throughput and
connectivity. The closer you are to the customers, the fewer latency
issues there will be.

Cloud Access Security Broker (CASB)

In the simplest terms, a CASB is a mediator between the cloud
consumer and the cloud service provider. The key role of a CASB is
to bridge the security gaps between the cloud consumer and the cloud
service provider, who may be running Software as a Service (SaaS),
Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).
A CASB can also extend the organizational security policies into the
cloud environment and enforce them on cloud components and
services as they are accessed. Users may be using various types of
devices, such as laptops or mobiles. The same set of security
policies that is applied in the on-premises infrastructure can be
extended to a cloud infrastructure.

It is a known fact that organizations are quite apprehensive about
putting their data in the cloud. However, with a CASB
implementation, there are enough security controls and methods
that can be applied to protect data. With a CASB, you can use a
security control such as a Web Application Firewall (WAF) or a
secure web gateway. Other security offerings that a CASB may
provide:

 Malware prevention
 Cloud governance
 Risk assessment
 Data Loss Prevention (DLP)
 User and Entity Behavior Analytics (UEBA)
 Threat prevention
 Single sign-on
 Data encryption
 Identity and Access Management (IAM)

Response and Recovery Controls

There are several types of controls that can be used for security
purposes. Security controls can be used to detect and prevent
attacks. They can also be used to respond to a certain incident.

When an incident such as an attack or breach occurs, response and
recovery controls are used. There are several tasks that are
included in the response and recovery controls. Some of the key
tasks are:

 Creating an incident response plan
 Informing the required authorities when an incident occurs
 Performing root cause analysis
 Implementing new security controls or updating the existing
controls to prevent similar attacks

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Inspection

A site that is secured with SSL or TLS displays a padlock in front
of the URL in the Web browser's address bar. For example,
consider the following exhibit:

Figure 1.1 Screenshot of Microsoft website: Showing the padlock
on the www.microsoft.com website.

SSL/TLS is intended to ensure that there is a secure and encrypted
connection with the webserver. However, the concept of SSL/TLS
can work against the user. Consider an example in which a user
clicks on a phishing link to a website protected with an SSL/TLS
certificate. Since the information is encrypted, none of the security
controls can inspect the traffic to determine whether it is legitimate
or illegitimate.

SSL/TLS inspection is intended to check the webpage content for
malicious content. After a user clicks on the phishing link to an
SSL/TLS-based website, the SSL inspection device first connects to
the webserver and verifies the contents of the webpage by decrypting
them. After it ensures that there is no malicious content, it allows
the SSL/TLS connection to the webserver to be created. The intent is
to safeguard the sensitive information that is sent to the webserver.

Hashing

Humans have fingerprints that cannot be altered or changed. If you
tamper with a fingerprint, it no longer matches the original one and
cannot be considered a match with the original. Hashes are the
same, and are equatable to fingerprints for files. When you
generate a hash for a file and then change the file contents, the
hash is no longer valid: if you generate the hash again, you get a
different value. Hashing is not a reversible process, and once a
hash is generated, it cannot be reversed to recover the original
data.
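
The fingerprint idea carried through as an added Ruby example (not from the lab): a manifest of SHA-256 digests is recorded for a folder, one file is altered, and the verifier reports exactly which file no longer matches. Function names and the temporary folder and files are the example's own.

```ruby
require "digest"
require "tmpdir"

# Added example (not part of the lab): file fingerprinting with SHA-256.
# fingerprint hashes a file's bytes; build_manifest records the fingerprint
# of every file in a directory; verify_manifest re-hashes the files later and
# reports which ones were modified, removed or added. The demo creates its
# files in a temporary folder, so nothing on the page is referenced.

# SHA-256 digest (hex) of a file's contents, read in chunks so large files
# do not need to fit in memory.
def fingerprint(path)
  digest = Digest::SHA256.new
  File.open(path, "rb") do |f|
    while (chunk = f.read(65_536))
      digest << chunk
    end
  end
  digest.hexdigest
end

# Map of relative file name => fingerprint for every regular file in dir.
def build_manifest(dir)
  Dir.glob("**/*", base: dir)
     .select { |rel| File.file?(File.join(dir, rel)) }
     .sort
     .to_h { |rel| [rel, fingerprint(File.join(dir, rel))] }
end

# Compare the current state of dir with a stored manifest. Returns lists of
# :modified, :missing and :added files; all three are empty when nothing changed.
def verify_manifest(dir, manifest)
  current = build_manifest(dir)
  {
    modified: manifest.keys.select { |f| current[f] && current[f] != manifest[f] },
    missing:  manifest.keys - current.keys,
    added:    current.keys - manifest.keys,
  }
end

# Demonstration: a one-character change to a file yields a different hash,
# which the manifest check surfaces as a modified file.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "report.txt"), "Q3 revenue: 100000\n")
    File.write(File.join(dir, "notes.txt"), "nothing sensitive\n")
    before = build_manifest(dir)
    File.write(File.join(dir, "report.txt"), "Q3 revenue: 900000\n")  # tamper
    verify_manifest(dir, before)
  end
end
```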

API Considerations

An Application Programming Interface (API) allows two applications to
connect, or allows access to an application's premium features, which
otherwise would be locked. There can be an issue with an insecure
application programming interface (API), which could lead to data
compromise when applications connect to the Internet and
communicate with other applications. With an API, the applications
exchange data with each other. To ensure data safety, you must
follow some key guidelines when using APIs:

 Ensure that strong encryption is applied
 Ensure that there is proper authentication and authorization
 Always use password hashing
 Ensure that HTTPS is used instead of HTTP
 Ensure that timestamps are added to the requests being made
via the API
 Ensure there is input validation on the data being submitted via
the API
 Ensure that the principle of least privilege is adopted
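
Several of these guidelines combined in one server-side request check, as an added Ruby example (not the lab's code): the caller authenticates with an HMAC-SHA256 signature over the request (an assumed scheme, not one the lab prescribes), the request timestamp must be fresh so a captured request cannot be replayed later, the caller must hold the permission the action needs (least privilege), and the payload is validated before use. Client keys, the endpoint and the requests are constructed sample data.

```ruby
require "openssl"
require "json"

# Added example (not part of the lab): a server-side check for an API request
# that applies several of the guidelines above. Authentication uses an
# HMAC-SHA256 signature over the request (an assumed scheme); a timestamp
# window rejects replayed requests; a per-client permission list enforces
# least privilege; the body is validated before it is used. Keys, clients and
# requests are constructed sample data.

MAX_CLOCK_SKEW = 300  # seconds a request timestamp may differ from server time

# Assumed client store: API key id => { secret, permissions }.
CLIENTS = {
  "mkt-dashboard" => { secret: "demo-secret-one", permissions: [:read_reports] },
  "billing-svc"   => { secret: "demo-secret-two", permissions: [:read_reports, :write_invoices] },
}.freeze

# The string both sides sign: method, path, timestamp and body, so a change
# to any of them invalidates the signature.
def canonical_string(method, path, timestamp, body)
  [method.upcase, path, timestamp.to_s, body].join("\n")
end

def sign(secret, method, path, timestamp, body)
  OpenSSL::HMAC.hexdigest("SHA256", secret, canonical_string(method, path, timestamp, body))
end

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Input validation for the one endpoint in this example (POST /invoices).
def valid_invoice?(body)
  data = JSON.parse(body)
  data.is_a?(Hash) &&
    data["customer_id"].to_s.match?(/\A[A-Za-z0-9-]{1,32}\z/) &&
    data["amount"].is_a?(Numeric) && data["amount"].positive?
rescue JSON::ParserError
  false
end

# Returns [:ok, client_id] or [:reject, reason]. `now` is injectable for tests.
def authorize_request(req, needed_permission, now: Time.now.to_i)
  client = CLIENTS[req[:key_id]]
  return [:reject, "unknown key"] unless client
  return [:reject, "stale timestamp"] if (now - req[:timestamp].to_i).abs > MAX_CLOCK_SKEW
  expected = sign(client[:secret], req[:method], req[:path], req[:timestamp], req[:body])
  return [:reject, "bad signature"] unless secure_equal?(expected, req[:signature].to_s)
  return [:reject, "insufficient permission"] unless client[:permissions].include?(needed_permission)
  return [:reject, "invalid payload"] if needed_permission == :write_invoices && !valid_invoice?(req[:body])
  [:ok, req[:key_id]]
end

# Build a correctly signed request the way a client would.
def build_request(key_id, method, path, body, timestamp)
  { key_id: key_id, method: method, path: path, body: body, timestamp: timestamp,
    signature: sign(CLIENTS[key_id][:secret], method, path, timestamp, body) }
end
```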

Site Resiliency

Consider a network that does not have redundancy. Malware
attacks the network and brings it down. In such a scenario, it would
take a few days to get the network up and running. A single
network site does not have resiliency. To build site resiliency, you
can use different sites that help you keep your organization going
without significant downtime.
There are primarily three different types of sites that can be used
for resiliency. The first one is a hot site, which is a replica of the
original site. When disaster strikes an organization's main or
original site, it can always fall back on the hot site, which has the
complete infrastructure and data replicated.

It is possible to make the hot site operational in a matter of a few
hours. An organization has to put in a lot of money to set up a hot
site to replace the original site.

The second type of site is a warm site. It is a partial replica of the
original site. An organization may take a few days to get the site up
and running. Unlike the hot site, the warm site does not have
complete data replicated and does not have a complete
infrastructure.

The third type of site is a cold site with the bare minimum
infrastructure, and it takes a longer time to make this site
operational. The organization may have to bring in servers and
endpoints and make the necessary arrangements for Internet
connectivity. This type of site takes the longest time to become
operational.

Deception and Disruption

To safeguard a network, you may have to create a diversion for the
attacker. The attacker is lured away from the actual network to one
or more systems set up as open systems in the diversion. This method
is called deception. You want to deceive the attacker to keep them
from getting into the organization's network.

An attacker gets into a network because he or she wants to cause
some disruption, either bringing down the network, taking control
of servers or simply stealing data.

To save a network from disruption, you can use several methods,
of which using a honeypot is one.

Honeypots, Honeyfiles, Honeynets

Without getting to know what an attacker does, it is difficult to
understand their methodologies. Honeypots are installed to
understand the attacker's methodologies. Along with this, a
honeypot is a server that holds several data files, which are known
as honeyfiles. These files are real-looking files with some data in
them, but the data does not hold any value. These files are meant to
attract an attacker.

Honeypots look like real servers. An attacker cannot tell the
difference between a honeypot and a real server. The idea is to
create deception to make the attacker believe that it is a real
server.

Honeypots and honeynets attempt to divert attackers from live
networks. They allow security personnel to observe current
methodologies used in attacks and gather intelligence on these
attacks.

In most cases, an organization installs one honeypot server.
However, it is also possible to put more than one honeypot together
and form a honeynet. A honeynet mimics a real network and
contains several honeypots. A honeynet's purpose is the same as the
honeypot's - to save the real network and understand an attacker's
methodologies.

Fake Telemetry
You would often deploy deception controls, such as a honeypot or
honeynet, on your network. Fake telemetry, which is also known as
deception telemetry, is the act of collecting information from
deception controls. Consider a scenario in which you receive an alert
from the honeypot that is deployed on the network. After you
receive the alert, you know that someone is already inside the
honeypot or is attempting a connection. Based on the information
received, you have to decide on the next steps that need to be
performed.

For example, an attacker may have already started to explore data
within the honeypot. You have to decide whether you want to
mitigate or simply monitor the attacker. The fake telemetry data
can help you with such decisions by feeding automated security
controls, which may divert an attacker from a real system to a
decoy or honeypot. You can even block, in the firewall, the IP
addresses from which an attack originated.

DNS Sinkhole
A DNS sinkhole is also known as a blackhole DNS. It is used to
prevent access to a malicious URL or any URL that the network
administrator does not want you to access. Consider a scenario in
which you receive a phishing Email and accidentally click on the
malicious URL or link in it. In the normal scenario you would be
taken to a malicious website, and perhaps malware would be
downloaded to your system.

A DNS sinkhole protects against such a malicious link or URL. The
network administrator can create a record in the DNS server and map
the malicious URL's domain to a fake IP address, which can even
display a custom webpage showing that access to the URL is denied.

In an enterprise scenario, the firewall and the proxy server are
supposed to be the first line of defense and protect from malicious
and unwanted URLs. However, if they fail to do the job, the DNS
sinkhole can be the second line of defense.

Exercise 2 - Set up a Honeypot with Pentbox

A honeypot is a decoy or a trap created by organizations to attract
hackers into a computer system. One of the main objectives of using
a honeypot is to monitor the hacker exploiting the system's
vulnerabilities, then subsequently learn the weaknesses of the
system and apply the necessary security measures to strengthen it
against future attacks. Another objective is to study the hacker's
methodology. The final objective is to divert the hacker's attention
from the main network to the decoy system.

In this exercise, you will learn how to use a program called Pentbox
to create a basic honeypot system and test it using a standard web
browser to detect an intrusion.
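
The honeypot idea from this exercise together with the fake-telemetry decision from Exercise 1, as an added Ruby example written for this page (it is not Pentbox's code and not part of the lab): every connection is answered with a harmless decoy page and recorded as an event, and a per-address rule decides whether to keep monitoring or to recommend a firewall block. The port, the decoy hostname, the threshold and the event data are assumed or constructed.

```ruby
require "socket"
require "time"

# Added example (not Pentbox's code, not part of the lab): a minimal HTTP
# honeypot of the kind Exercise 2 sets up with Pentbox. Every connection is
# answered with a decoy page and recorded as a telemetry event; the
# fake-telemetry rule from Exercise 1 then decides, per source address,
# whether to keep watching or to recommend a firewall block. Port, decoy
# hostname and threshold are assumed values; events in the tests are
# constructed. The listener only runs when serve() is called explicitly.

DECOY_BODY = "<html><body><h1>plab-prod-web</h1><p>Maintenance page</p></body></html>\r\n"
BLOCK_THRESHOLD = 3   # connections from one address before a block is recommended

# Telemetry record for one connection. The honeypot serves no real data, so
# any request at all is suspicious and worth recording.
HoneyEvent = Struct.new(:time, :source_ip, :request_line)

# The decoy HTTP response; nothing in it is real.
def decoy_response
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n#{DECOY_BODY}"
end

# Append an event for a connection to the event list and return it.
def record_event(events, source_ip, request_line, now: Time.now)
  event = HoneyEvent.new(now, source_ip, request_line)
  events << event
  event
end

# One alert line per event, in the form an analyst would forward to a SIEM.
def format_alert(event)
  "#{event.time.utc.iso8601} HONEYPOT intrusion attempt from " \
    "#{event.source_ip}: #{event.request_line.inspect}"
end

# Fake-telemetry decision: count connections per source address and return
# {ip => :monitor | :block}. A source that keeps coming back has found the
# decoy interesting and is a candidate for a firewall block.
def decide(events)
  events.group_by(&:source_ip).to_h do |ip, evs|
    [ip, evs.length >= BLOCK_THRESHOLD ? :block : :monitor]
  end
end

# Serve the honeypot on the given port (port 80, as in the lab, needs root).
# Each connection is answered with the decoy, logged, and the current
# decision for that address is printed. Example: serve(8080)
def serve(port, events = [])
  server = TCPServer.new("0.0.0.0", port)
  loop do
    client = server.accept
    ip = client.peeraddr[3]
    request_line = client.gets.to_s.chomp
    client.write(decoy_response)
    client.close
    event = record_event(events, ip, request_line)
    puts format_alert(event)
    puts "  decision for #{ip}: #{decide(events)[ip]}"
  end
end
```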

Learning Outcomes
After completing this exercise, you should be able to:

 Download and Install Pentbox
 Modify Proxy Server Exceptions
 Test Honeypot Functionality

Your Devices
You will be using the following devices in this lab. Please power
these on now.

 PLABDC01 - (Windows Server 2019 - Domain Controller)
 PLABDM01 - (Windows Server 2019 - Domain Member)
 PLABWIN10 - (Windows 10 - Domain Member Workstation)
 PLABKALI - (Kali Linux 2019.4 - Standalone Server)

Task 1 - Download and Install Pentbox

Pentbox is an application that can be configured as a honeypot.
Penetration testers mainly use it because of the various tools it
provides. Pentbox is written in the Ruby language and can be
installed on various operating systems, such as Windows, MacOS, and
Linux. The only prerequisite for its installation is the Ruby package.
In this task, you will download and install a program called Pentbox
and then set up a basic honeypot on the Kali Linux device.

Step 1
Ensure that all the required devices are powered on. Connect
to PLABKALI. In the Enter your username text box, type the
following:

root

In the Enter your password text box, type the following:

Passw0rd
Click Log In or press Enter.

Figure 2.1 Screenshot of PLABKALI: Logging on to the Kali Linux.

Step 2
After a successful login, the desktop is displayed.
Figure 2.2 Screenshot of PLABKALI: Displaying the desktop after
the successful login.

Step 3
In the menu bar, click Terminal Emulator.
Figure 2.3 Screenshot of PLABKALI: Clicking the Terminal
Emulator icon in the menu bar.

Step 4
The terminal window is displayed. Type the following command:

wget http://downloads.sourceforge.net/project/pentbox18realised/pentbox-1.8.tar.gz

Press Enter.
Figure 2.4 Screenshot of PLABKALI: The terminal window displays
the command to download the Pentbox app typed-in.

Step 5
A confirmation will be displayed to indicate a successful download
of Pentbox.
Figure 2.5 Screenshot of PLABKALI: Output displaying the
successful installation of Pentbox.

Step 6
On the next prompt, to uncompress the Pentbox files, type the
following command:

tar -zxvf pentbox-1.8.tar.gz

Press Enter.
Figure 2.6 Screenshot of PLABKALI: Typing the command to
uncompress the Pentbox files.

Step 7
The Pentbox files will be extracted in its folder.
Figure 2.7 Screenshot of PLABKALI: Output displaying the
uncompressed Pentbox files.

Step 8
On the next prompt, type the following to change to
the Pentbox folder:

cd pentbox-1.8/

Press Enter.
Figure 2.8 Screenshot of PLABKALI: Typing the command to
change the folder to Pentbox.

Step 9
On the next prompt, to run Pentbox, type the following:

./pentbox.rb

Press Enter.
Figure 2.9 Screenshot of PLABKALI: Typing the command to run
the required file in the Pentbox directory.

Step 10
From the Pentbox menu, type:

Press Enter.
Figure 2.10 Screenshot of PLABKALI: Terminal window is displayed
listing the Pentbox menu and showing the required menu option
typed-in.

Step 11
On the next menu screen, type:

Press Enter.
Figure 2.11 Screenshot of PLABKALI: The terminal window is
displayed listing the Pentbox network tools menu and showing the
required menu option typed-in.

Step 12
On the run Pentbox screen, type:

Press Enter.
Figure 2.12 Screenshot of PLABKALI: The terminal window is
displayed listing the conditions to run the Pentbox app and showing
the required menu option typed-in.

Step 13
You will get a notification that reads HONEYPOT ACTIVATED ON
PORT 80.

Keep the terminal window running the Pentbox tool open.
Figure 2.13 Screenshot of PLABKALI: The terminal window displays
the auto-configuration of root privileges to run the Pentbox app.

Task 2 - Modify Proxy Server Exceptions

All devices in the Practice-Labs platform connect to a proxy server.

You need to add a proxy exception rule to ensure a successful
connection to a device found in the lab network. Without this
exception, you cannot connect and browse a web server in the local
environment.

In this task, you need to modify proxy server exceptions.

Step 1
On PLABKALI, minimize the terminal window.
Figure 2.14 Screenshot of PLABKALI: The terminal window displays
the minimize icon at the top-right corner.

Step 2
Connect to PLABWIN10. In the Type here to search text box,
type the following:

Internet Explorer

Press Enter.
Figure 2.15 Screenshot of PLABWIN10: Selecting the Internet
Explorer from the search results in PLABWIN10.

Step 3
The Internet Explorer window is displayed. At the far-right corner
of the toolbar, click the cogwheel icon and select Internet
Options.
Figure 2.16 Screenshot of PLABWIN10: Settings (cogwheel icon) >
Internet options menu-options are displayed on the web browser
window.

Step 4
On the Internet Options dialog box, click the Connections tab.
Figure 2.17 Screenshot of PLABWIN10: Showing the Connections
tab highlighted in the Internet Options dialog box.

Step 5
Under the Connections tab, next to Local Area Network (LAN)
settings, click LAN settings.
Figure 2.18 Screenshot of PLABWIN10: Connections tab on the
Internet Options dialog box is displayed showing the LAN settings
button selected.

Step 6
On the Local Area Network (LAN) Settings, ensure that
the Bypass proxy server for local address checkbox is selected.

Click Advanced.
Figure 2.19 Screenshot of PLABWIN10: Local Area Network (LAN)
Settings dialog box displays the required settings performed and
the Advanced button selected.

Step 7
On the Proxy Settings dialog box, click on the provided text box
and type:

;192.*

Click OK.

Similarly, click OK on the Local Area Network (LAN)
Settings and Internet Options dialog boxes.
Figure 2.20 Screenshot of PLABWIN10: Proxy Settings dialog box is
displayed showing the required settings performed and the OK
button selected.

Task 3 - Test Honeypot Functionality

After setting up the honeypot and creating the proxy exceptions,
you need to test the honeypot functionality. In a real-world
scenario, no one should be connecting to a honeypot. If someone is
connecting, it means that the person does not have honest
intentions.

In this task, you will test the functionality of the Pentbox honeypot.

Step 1
On PLABWIN10, the Internet Explorer window is open.

Click on the address bar and type:

192.168.0.4

Press Enter.
Figure 2.21 Screenshot of PLABWIN10: Entering the web server's
IP address in the address bar of Internet Explorer.

Step 2
An “Access denied” message appears on the web page.
Figure 2.22 Screenshot of PLABWIN10: Access denied message is
displayed when access is attempted for a restricted IP address.

Step 3
Connect to PLABKALI and restore the terminal window.

The terminal window displays INTRUSION ATTEMPT
DETECTED from 192.168.0.4:63271.

Using the Pentbox application, you have learned how honeypot
systems work.

The administrator of the system where the honeypot is deployed
can take the appropriate measures to strengthen a computer
system's defences.
Figure 2.23 Screenshot of PLABKALI: Terminal window is displayed
listing details of the attempted intrusion.
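The behaviour you just observed (a listener on port 80 that answers every client with an Access denied page and prints INTRUSION ATTEMPT DETECTED with the source IP and port) can be reproduced in a few lines of Ruby, the language Pentbox itself is written in. This is an added example written for this lab, not Pentbox's own code; the 403 response body and the `honeypot_response`, `intrusion_alert`, `handle_client` and `run_honeypot` names are assumptions of the example.

```ruby
require 'socket'
require 'time'

# Body returned to every client, mirroring the "Access denied" page seen in the lab.
ACCESS_DENIED_BODY = "<html><body><h1>Access denied</h1></body></html>\n"

# Full HTTP response the honeypot sends before closing the connection.
def honeypot_response
  "HTTP/1.1 403 Forbidden\r\n" \
  "Content-Type: text/html\r\n" \
  "Content-Length: #{ACCESS_DENIED_BODY.bytesize}\r\n" \
  "Connection: close\r\n\r\n" + ACCESS_DENIED_BODY
end

# Alert line in the same shape as Pentbox's "INTRUSION ATTEMPT DETECTED from IP:PORT",
# extended with a timestamp and the first request line so an analyst can triage it.
def intrusion_alert(ip, port, request_line, time = Time.now)
  "INTRUSION ATTEMPT DETECTED from #{ip}:#{port} " \
  "at #{time.utc.iso8601} request=#{request_line.strip.inspect}"
end

# Handle one connection: record who connected and what they asked for,
# answer with the decoy page, then drop the connection. Returns the alert line.
def handle_client(client, log = $stdout)
  _family, port, _host, ip = client.peeraddr(false) # numeric peer address, no DNS lookup
  request_line = client.gets || ""                   # e.g. "GET / HTTP/1.1\r\n"
  alert = intrusion_alert(ip, port, request_line)
  log.puts alert
  client.write honeypot_response
  alert
ensure
  client.close
end

# Listen on every interface; binding port 80 needs root, which is why the lab logs in as root.
def run_honeypot(port = 80, log = $stdout)
  server = TCPServer.new("0.0.0.0", port)
  log.puts "HONEYPOT ACTIVATED ON PORT #{port}"
  loop { handle_client(server.accept, log) }
end

# Usage: ruby honeypot.rb 80
run_honeypot(ARGV[0].to_i) if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
```

Browsing to the listener from another host produces the Access denied page in the browser and one alert line per connection on the console, exactly as in Steps 2 and 3 above.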
Keep all devices that you have powered on in their current state
and proceed to the review section.

Review
Well done, you have completed the Enterprise Network Security
Configuration Concepts Practice Lab.

Summary
You completed the following exercises:

 Exercise 1 - Importance of Security Concepts in an Enterprise
Environment
 Exercise 2 - Set up a Honeypot with Pentbox

You should now be able to:

 Download and Install Pentbox
 Modify Proxy Server Exceptions
 Test Honeypot Functionality

You should now have further knowledge of:

 Configuration Management
 Data Sovereignty
 Data Protection
 Hardware Security Module (HSM)
 Geographical Considerations
 Cloud Access Security Broker (CASB)
 Response and Recovery Controls
 Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Inspection
 Hashing
 API Considerations
 Site Resiliency
 Deception and Disruption

Feedback

Shut down all virtual machines used in this lab. Alternatively, you
can log out of the lab platform.