Managing Network Settings

This is a guide on managing network settings.

Creating an On-premises Virtual Network

Virtual networks can be created not only in a cloud environment, but also in an on-premises virtualization environment. [Video description begins] A virtual machine called Ubuntu Desktop is open in VMware Workstation. It is one of several virtual machines listed below the menu bar that lines the top of the screen. Within Ubuntu Desktop, the left pane has the option to Power on this virtual machine and another option to Edit virtual machine settings on the top left, along with drop-downs for Devices and Description below. The right pane lists Virtual Machine Details. [Video description ends] In this particular case, I've got VMware Workstation running on a computer where I've got numerous virtual machines available. What's important here is that we can configure virtual networks to control the network visibility of these virtual machines.
 
We all know that it's very important from a security perspective that we have the option of segregating network devices on their own networks, whether that means configuring VLANs on a switch or virtual networks in a hypervisor, as we're going to do here. This is a classic example of what you might expect as an exam question: what might you do on a large, busy network to protect stations or servers that deal with very sensitive data? One option is to segregate them and put them on their own isolated network.
 
So let's get started here in VMware Workstation with creating a virtual network. I'm going to start by going to the Edit menu down to the Virtual Network Editor. [Video description begins] The host clicks on the Edit menu from the menu bar on top, and then selects Virtual Network Editor from it to open a dialog box. The dialog box has names and types of a few networks listed on the top, along with VMnet information on the bottom. [Video description ends] Of course, if you're using something other than VMware Workstation, the specific configuration steps will differ. But virtual networks are a common thread amongst all operating system virtualization platforms.
 
So we've got a couple of built-in virtual networks. The first is Host-only; if we select it and look down below, it says Host-only: connect VMs internally in a private network. [Video description begins] The host points towards the three built-in virtual networks listed within the VMnet information section. They are Bridged, NAT and Host-only. All the options are greyed out at the moment. [Video description ends] We also have NAT: share the host's IP address with virtual machines. You can also configure a Bridged virtual network to connect VMs directly to the external network. Now, you don't want to do that if, for instance, you're configuring a sandbox virtual network for testing.
 
You probably don’t want it to have a link to the real network in that case, in case something goes wrong with the testing. Now, these options down below are mostly grayed out because I haven't clicked the Change Settings button, which requires administrator privileges on this Windows host. I’m going to go ahead and do that. [Video description begins] The host clicks on the Change Settings button on the bottom right of the dialog, which closes the dialog. [Video description ends]
 
Then I can go back into the Edit menu, back into my network settings, and now everything is available. Now notice we also have VMnet0, that's the name of the first virtual network here, which is Bridged. It is connected directly to the external network. [Video description begins] The host points towards VMnet0 in the top section of the Virtual Network Editor dialog, which is open on screen again. VMnet0 and the Bridged radio button in the bottom section are both selected by default. [Video description ends]
 
Now, for what it bridges through in terms of network interfaces, you can choose from the dropdown list. Usually, if you're going to run a number of virtual machines for real production use, your hypervisor host might be configured with numerous network cards for this exact purpose, maybe to link some virtual machines to specific physical networks. At any rate, [Video description begins] The host clicks on the dropdown list below the Bridged radio button. It offers options such as Automatic, Microsoft Wi-Fi Direct Virtual Adapter, and more. He selects the last option. [Video description ends] I'm going to go ahead and click the Add Network... button here. [Video description begins] The host clicks on the Add Network... button, just above the VMnet information section. The Add a Virtual Network dialog opens over the Virtual Network Editor dialog with an option to Select a network to add. [Video description ends]
 
It says Select a network to add. And we have all these pre-configured names. Let's say VMnet10. If I click OK, it's assigning a Subnet IP configuration to VMnet10, and notice the default has been set to Host-only. [Video description begins] The host is back on the Virtual Network Editor now. VMnet10 is now visible in the upper section of the dialog, with the Host-only radio button selected. Two other settings, which were greyed out earlier, become available at the bottom of the dialog. The first is Connect a host virtual adapter to this network and the second is Use local DHCP service to distribute IP addresses to VMs. Both options are checked by default. [Video description ends] So this means an internal connection among all virtual machines linked to VMnet10. But of course it also means there is no connection to the external network in any way.
 
Now, with VMnet10 selected, we can also determine down below whether we want the host, the underlying hypervisor machine that we're running this on, to be connected to this network as well, for communication purposes. If you really only need virtual machines to talk to each other and not to this host, then you can uncheck that.
 
We also have some DHCP settings here: a small IP address range that we might want to configure to allocate to devices connected to VMnet10. I can click DHCP Settings... to give it the starting and ending IP addresses [Video description begins] The host clicks on the DHCP Settings button on the bottom right of the Virtual Network Editor to open a new dialog over it. [Video description ends] and specify the lease interval for clients that receive these IP configuration settings. But I'll accept the defaults and cancel out of that. Okay. So now what do we do? [Video description begins] The host clicks on OK at the bottom center of the Virtual Network Editor to go back to the Ubuntu Desktop tab. [Video description ends]
 
Well, for virtual machines that we want to be actively connected to that newly added virtual network, we have to modify each virtual machine's network settings. So, I'm going to select an Ubuntu Desktop virtual machine here and I will click Edit virtual machine settings over on the left. Here we have a list of all of the virtual hardware for the virtual machine, including the Network Adapter. [Video description begins] A new dialog called Virtual Machine Settings opens as the host clicks on the Edit virtual machine settings option. The Hardware tab, with a list of devices, is open by default. The bottom has two buttons, Add and Remove. [Video description ends]
 
Now there's only one network adapter here, but we could click Add and add multiple network adapters where needed, for this particular virtual machine. But notice this network adapter is currently Bridged.
 
Here we can link this virtual machine's network adapter to a NAT configuration, Host-only, or Custom. [Video description begins] The host points towards the right pane of the dialog box, which shows options including Device status and Network connection. The Network connection section has the three built-in networks, along with added options of Custom and LAN segment. Bridged is selected by default. [Video description ends] In this case, I can select VMnet10, which is showing here as a Host-only network. [Video description begins] The host selects the Custom radio button and selects VMnet10 from the dropdown below it. [Video description ends]
 
So I could go ahead and do that for this virtual machine, as well as for other virtual machines, by repeating the same steps: going to the virtual machine's settings, selecting the appropriate network adapter, and specifying the network I want it to be linked to.
 
So then those virtual machines will acquire an IP address from the configured DHCP range for that virtual network, and would then be able to communicate with one another, that is, with other virtual machines on VMnet10, but that's about it. So that gives us a sense of how we might be driven to the point where we realize we need to create a virtual network for isolation purposes, and how we would do it, specifically in this case using VMware Workstation.
 

Creating a Cloud-based Virtual Network

Now we know that we can configure network segregation on a physical Ethernet switch by configuring VLANs, because usually on a single Ethernet switch, everything on that switch, all the ports, is one VLAN. But we can break it up, either for performance reasons if the network's too busy, or to isolate sensitive stations and put them on their own network instead of essentially being in the general population, so to speak, on the network. We can also do this with software-defined networks, here in the cloud.
 
So here in the Microsoft Azure portal, where I've signed in with my Azure cloud account, I’m going to click the Create a resource button and I’m going to search for virtual network. From the list, I'll choose virtual network. [Video description begins] The host clicks on Create a resource option from the Azure services and types virtual network on the search bar in the Create a resource tab. [Video description ends] And then in the marketplace screen, I’m going to click Virtual network from Microsoft and then Create.
 
Now, depending on what you’re deploying in the Microsoft Azure cloud, you might be prompted to create a network, when you deploy another service. Here, we're proactively creating the virtual network first.
 
Now this is really similar to what you would do on-premises. You don't just magically decide out of the blue, for no reason, to create a new network. There has to be a defined reason. Maybe you're setting up a sandbox for testing and it should have no connectivity to other networks. Or you need to deploy a couple of database servers that serve as the back-end storage for a web app. Whatever the case might be, you have to carefully plan out the need for the network, and then things like whether it should support IPv4 or IPv6 and what those address spaces will look like.
 
[Video description begins] The Create virtual network page is open on its Basics tab. It requires Project details such as Subscription and Resource group on top and Instance details such as Virtual network name and Region on the bottom. Previous, Next, and Review + create buttons are available on the bottom right. [Video description ends]
 
So this will be deployed in a resource group that I already have called HQ, for headquarters. Resource groups in the Azure cloud simply organize related cloud objects or cloud resources together. You can have as many resource groups as you want. So I'm just going to put this in HQ. Then I'll come up with a unique name, for example, vnet-app1db1. If you're using cloud computing for production use or even for testing purposes, you really need to be organized.
 
It's very easy to end up with sprawl in the cloud: too many things created because it's so quick and easy, with no one following any rules for nomenclature. You really should have a consistent naming standard put in place for this. So I'm going to create this virtual network in the US East region, assuming that's the locale where it will be used or accessed by users or other services. I'll click the Next button, which takes me to Security. [Video description begins] The Security tab is now open within the Create virtual network page. It has options to Enable Azure Bastion and Enable Azure Firewall. Both are unchecked at the moment. [Video description ends]
 
We can use the Azure Bastion service as a jump box solution for virtual machines deployed into this virtual network. What this means is that it will allow us to remotely manage virtual machines while those virtual machines have only private IP addresses. Unless you absolutely need it, do not make your virtual machines publicly visible on the internet. Azure Bastion allows us to manage them without doing that.
 
I can configure it now with this check mark or after the fact. I'm not going to configure that now. We can also configure the Azure Firewall service to control network traffic into and out of the virtual network. But again, I can do that after the fact as well.
 
I'll click Next to go to the IP addresses part of this configuration. It automatically suggests one of the private reserved IP address ranges for IPv4, 10.0.0.0/16. I can change that. I can add as many address spaces as I want, and down below it has automatically created a subnet called default.
 
Now notice you've got little trash can icons. You can delete these and configure this as you see fit, either now or after the fact. Maybe you want to add an additional private IP address space beyond 10.0.0.0/16. I'm okay with these defaults. I'll just click Next.
 
I'm not going to tag this. Tagging is just metadata, maybe to tie it to a project or a department or something like that. [Video description begins] The host doesn't change anything on the Tags tab. [Video description ends] I'll click Next and on the Review + create screen, it's going to validate my selections. Here's a summary of my options. I'll just click Create to create the virtual network. Okay. [Video description begins] The host clicks on Create at the bottom right of the screen. [Video description ends]
 
Before too long, the deployment is complete. So we can click Go to resource to look at the properties of our newly created VNet. At any time though, here in the Azure portal on the left hand side, we can click on All resources and this will list as it says, all resources.
 
So if I filter by name, let's say type in vnet, there's vnet-app1db1, which is what we just created. [Video description begins] The host types vnet in the filter box at the top, next to the left navigator. The filtered resources become visible below. vnet-app1db1 is one of them. [Video description ends] So we can open it up at any point in time to get into its properties. [Video description begins] The vnet-app1db1 tab is open. The settings visible on the left menu include options such as Address space, Connected devices, Subnets and more. [Video description ends] This is where, after the fact, as I mentioned, I could click Address space on the left. Here's the current address space, but I could add additional address ranges if I so choose.
 
I could click Subnets then to create subnets within the configured address spaces. If there are any devices connected to the subnet, I would see them when I click Connected devices. So, for example, if I go to another existing virtual network and click Connected devices, notice I have a bunch of network interfaces from a variety of services such as virtual machines that are attached to this particular VNet.
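The address-space and subnet planning described above can be checked before anything is created. The following is an added example, not code from the video or from Microsoft: a standard-library Python validator that flags address spaces outside the private reserved ranges, overlapping spaces, subnets that fall outside every space, overlapping subnets, and IPv4 subnets smaller than /29 (Azure reserves the first four and the last address of each subnet). The sample plan at the bottom is constructed.

```python
"""Sanity-check a planned VNet address layout (address spaces plus subnets)
before clicking Create, using only the standard library."""
import ipaddress


def validate_vnet_plan(address_spaces, subnets):
    """Return a list of problem descriptions; an empty list means the plan is sound.

    address_spaces: list of CIDR strings, e.g. ["10.0.0.0/16"]
    subnets: dict of subnet name -> CIDR string, e.g. {"default": "10.0.0.0/24"}
    """
    problems = []
    spaces = []
    for cidr in address_spaces:
        try:
            space = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"address space {cidr!r} is invalid: {exc}")
            continue
        # The portal proposes a reserved private range (10.0.0.0/16 by default);
        # a public range here would shadow real internet destinations.
        if not space.is_private:
            problems.append(f"address space {space} is not a private range")
        for other in spaces:
            if space.version == other.version and space.overlaps(other):
                problems.append(f"address spaces {space} and {other} overlap")
        spaces.append(space)

    seen = {}
    for name, cidr in subnets.items():
        try:
            subnet = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"subnet {name!r} ({cidr}) is invalid: {exc}")
            continue
        # Every subnet must sit inside one of the VNet's address spaces.
        if not any(subnet.version == s.version and subnet.subnet_of(s) for s in spaces):
            problems.append(f"subnet {name!r} ({subnet}) is outside every address space")
        # Azure reserves the first four and the last address of each subnet,
        # so /29 is the smallest usable IPv4 subnet.
        if subnet.version == 4 and subnet.prefixlen > 29:
            problems.append(f"subnet {name!r} ({subnet}) is smaller than /29")
        for other_name, other in seen.items():
            if subnet.version == other.version and subnet.overlaps(other):
                problems.append(f"subnets {name!r} ({subnet}) and {other_name!r} ({other}) overlap")
        seen[name] = subnet
    return problems


if __name__ == "__main__":
    # Constructed sample plan: the portal default plus a second private space
    # and a few deliberately wrong subnets.
    plan_spaces = ["10.0.0.0/16", "172.16.0.0/24"]
    plan_subnets = {
        "default": "10.0.0.0/24",
        "app": "10.0.1.0/24",
        "db": "10.0.1.128/25",      # overlaps app
        "stray": "192.168.0.0/24",  # outside both address spaces
        "tiny": "10.0.2.0/30",      # too small for Azure
    }
    for problem in validate_vnet_plan(plan_spaces, plan_subnets):
        print("problem:", problem)
```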
 
We might as well stay in this VNet's properties. It doesn't really make a difference. We can also configure Azure Bastion afterwards, as we said, to allow remote management without exposing VMs with a public IP to the internet. We can also ensure that we enable DDoS (distributed denial-of-service) protection.
 
[Video description begins] He scrolls down the left Settings menu to reveal more settings like Bastion, DDoS protection, Firewall, and more. [Video description ends]
 
When you do that, you have to choose what's called a DDoS protection plan. So that's something else that you would create outside of this. And how you configure your DDoS protection plan will determine how much this type of protection will cost. So you always need to make sure you explore the pricing for these things to ensure that it's cost effective and worth doing. We have the Azure Firewall options available by clicking Firewall on the left, where we have a link to add a new Firewall.
 
And ultimately, if I go back Home here for a second, click Create a resource, and start creating a virtual machine, one of the things we must specify, if I skip ahead by clicking Networking at the top, is the virtual network where we want to deploy this virtual machine. So there's our vnet-app1db1 VNet.
 
Of course, as I mentioned, you can also opt to create a new one here while you are deploying a new virtual machine. Either way, [Video description begins] The host points to the Create New option below the blank next to Virtual network in the Networking tab of the Create a virtual machine window. [Video description ends] we just want to make sure that we plan these things carefully and only have deployed resources for what we actually need and use. Otherwise you're just increasing the attack surface unnecessarily.
 

Managing Linux IP Addressing

So here in the Microsoft Azure portal, I’m going to start by going to my Virtual machines view. I’ve got a virtual machine here called Ubuntu2, so it’s running the Ubuntu Linux distribution, and it’s up and running. If I click on that virtual machine, I can click on Networking on the left to expose its network configuration, like its virtual network interface, its public IP as well as its private IP.
 
[Video description begins] The host clicks on Virtual machines from the services on the top to open the Virtual machines tab. It has two virtual machines listed. [Video description ends]
 
I should probably say it again just to get the point across. We don't want to have public IPs exposing our virtual machines directly to the internet unless there is a specific need. That need might be because it is actually hosting a public-facing web app directly in the virtual machine. Or perhaps you're testing, or setting up a honeypot to attract or lure attackers in, thinking that there's a vulnerable host. You want to be careful when you're doing that as well, of course.
 
But I want us to take note here of the public IP, which starts with 40 and the private IP, which starts with 10. What’s interesting about the public IP is that it is its own resource. It’s its own object in the cloud that gets associated with that virtual machine network interface, which we can of course dissociate. There’s a Dissociate button up there. [Video description begins] The host clicks on the NIC public IP link on the top of the virtual machine tab to open a new tab dedicated to the public IP address. He points towards the dissociate button on the top of the tab's right pane. [Video description ends]
 
Now let's see how that translates when we take a look at IP addressing in the Linux OS, in this particular case. Okay. [Video description begins] A Linux terminal session titled cblackwell@Ubuntu2: ~ opens on screen. [Video description ends] So here in that virtual machine, if I were to type ip a to show the interfaces and IP addresses, notice for Ethernet 0, eth0, we've got the private IP, which has a prefix of 10.0.0, but there is no reference for eth0 to the public IP address that starts with 40. And it shouldn't show up here.
 
The private IP address is internal in the OS. The public IP is external. Remember, it's its own object that gets associated with the virtual machine network interface. Okay, but who really cares?
 
Well, we're going to care if we've got some threat indicators pointing to the public IP of this virtual machine, but we have no record of that within the OS. We have to be able to think about the fact that, oh, it’s a virtual machine. That public IP address is an external entity.
 
It's another object associated with the VM. It doesn't show up here in the OS. This is going to be very important for us to know. Of course, everything in the cloud, every individual object, like a public IP address, a network interface, or the virtual machine itself, has its own listing of logged events that we can also pore through looking for anomalies or potential security problems.
 
So within the Linux OS here, we know we can type ip a to view the IP addresses, but there are other things that we should be aware of, such as the /etc/netplan directory, in this case on Ubuntu Linux.
 
And if we do an ls there, we've got a YAML file for the configuration of the networking of this host. [Video description begins] The host runs a clear command to clear the screen, changes into /etc/netplan, and runs an ls command. The output lists 50-cloud-init.yaml. [Video description ends] If I cat that file to display its contents, notice the syntax here breaks down our Ethernet interface called eth0, and dhcp4 is set to a value of true. dhcp6, for IPv6, is set to false. Okay. So it's simply using DHCP. But let's take a look at where that actually happens in the Microsoft Azure cloud.
 
Back here in the Azure portal, if I go back into the networking for my Ubuntu2 Linux virtual machine, it’s been deployed into a VNet that we can click on here. There’s a link. [Video description begins] The host points to the Virtual network/subnet link just below Network interface on the right pane. [Video description ends] If I click on that VNet I can then go to Subnets to see which subnets are configured because this means that by default virtual machines in this subnet will acquire an IP address within that range. So DHCP is implied automatically.
 
Now that’s great from a configuration standpoint. Why do we care as cybersecurity analysts? Well, of course, first of all, we need to know how this stuff works because how could you possibly trace things out that look suspicious if you don't understand how it works?
 
For example, if we get a notification that a host that has always been on the network has suddenly changed its IP address, we need to be able to trace that back to the source. In other words, where is it getting its IP?
 
We need to know what to do because maybe, for example, this particular virtual network in the cloud, maybe this one object was compromised by an attacker and they started changing some of these subnet IP address ranges. It's possible. So the more we know as security analysts, the better.
 

Managing Windows IP Addressing

Let's take a few minutes to cover how Windows IP addressing works. [Video description begins] The desktop is open in Windows Server 2019. [Video description ends] Here I’m using Windows Server and I’m going to begin by going into my Settings. Here I’ll go to my Start menu where I will then open up the Control Panel.
 
I'm interested in going to Network and Internet. Now, these categories may appear differently on your screen depending on the version of the Windows Server OS you're using, and whether you're viewing by category or by small icons, large icons, and whatnot.
 
But in the end, I'm going to go into my network settings, then I'm going to click Change adapter settings over on the left. [Video description begins] The Network Connections window opens with a single adapter called Ethernet0, on the top left. [Video description ends] So all of the network adapters known by your Windows OS will be shown in this list, whether it's a wired connection such as an Ethernet adapter, or perhaps a VPN virtual adapter, or maybe a Wi-Fi adapter.
 
Either way, we can right click on an adapter in Windows and go into the properties of it. In here we have a number of network components we can determine that should be enabled, like File and Printer Sharing for Microsoft Networks. But the reason we’re really here is to talk about TCP/IP.
 
Now notice we've got IPv4, Internet Protocol Version 4, which is enabled. The check mark is turned on. It's also turned on for IPv6. If I were to go into a command prompt on this same machine and issue the ipconfig command, notice our interface Ethernet0 is shown here. [Video description begins] The host runs the ipconfig command in the Command Prompt that is now open on screen. Six lines of output appear below Windows IP Configuration. The first four lines are: Line 1: Ethernet adapter Ethernet0: Line 2: Connection-specific DNS Suffix : Line 3: Link-local IPv6 Address: fe80::fd3e:b1fc:d547:e73%6 Line 4: IPv4 Address: 192.168.2.167 [Video description ends]
 
We've got our IPv4 Address shown, but we've also got our Link-local IPv6 Address. You might remember that a link-local address is automatically assigned when IPv6 is active on a host, and it always has a prefix of fe80. It's used by IPv6 internally to communicate on the network, although if you actually assign an IPv6 address, you can expect it to be seen here in addition to the fe80 address. We'll see that in a moment.
 
Back in our Ethernet0 properties, if I were to open up the properties of IPv4, this is where we can determine if DHCP is being used.
 
[Video description begins] The host clicks on Internet Protocol Version 4 (TCP/IPv4) to open a new dialog box. General properties are displayed. It has two radio buttons on the upper part: Obtain an IP address automatically and Use the following IP address. The latter has options to add details like IP address, Subnet mask, and Default gateway manually. [Video description ends]
 
If Obtain an IP address automatically has been selected, DHCP is in use. But here what's been selected is Use the following IP address. The IP address, the Subnet mask, and the Default gateway, which is the router, the path out of the LAN, have all been specified manually.
 
When you're doing this, you have to make sure that this addressing has been planned out properly ahead of time. For example, you want to make sure that you're not going to collide with another host on the same LAN using the same IP. The Subnet mask must correctly identify which part of the IP address identifies the network, and the Default gateway, of course, must point to a valid router interface. [Video description begins] The lower part of the IPv4 properties dialog box displays similar options for a DNS server: Obtain DNS server address automatically and Use the following DNS server addresses. An Advanced button is available on the bottom as well. [Video description ends]
 
Now, if we're using DHCP, the DNS name servers can also be handed out, but here they've been specified manually. Notice the first entry here is 127.0.0.1 in IPv4. That's the local loopback address. What that means is that we want to first use ourselves, this local host, as the DNS server. And sure enough, if I were to go into my Start menu on this server under Windows Administrative Tools and then down to the Ds, there's DNS. This machine is in fact a DNS name resolution server. [Video description begins] The DNS window opens. It has a DNS pane on the left and a Name pane on the right. The host points to the server entry in the DNS pane. [Video description ends]
 
If I expand that, I can see any forward lookup zones with any potential records within that zone. And if I were to right click on the DNS server shown on the left hand panel and go into Properties, we can also get a list under the Root Hints tab of root hint servers on the internet for DNS. In other words, the default is that any clients pointing to this DNS server that try to do, for example, an internet name resolution, even though this server might not be able to perform it, it knows about the root servers on the internet that can. [Video description begins] The host cancels out of the DNS window to get back on the IPv4 properties dialog box. [Video description ends]
 
Now notice we also have an Advanced... button back here in our Ethernet0 Properties for IPv4 Settings where we can click Add... and add multiple IP addresses.
 
[Video description begins] A new dialog box opens when the host clicks on the Advanced button. It has the IP settings tab open by default, with options to Add, Edit, and Remove IP addresses in the upper section. [Video description ends]
 
There might be times if you're hosting multiple websites, for example, on a single host, where you want to add multiple IP addresses to a host, even though it might only have one network interface. Now that’s IPv4.
 
If we go into IPv6, it's all been set to Obtain an IP address automatically. [Video description begins] The host cancels out of the IPv4 properties to get back to the Ethernet0 properties, then clicks on Internet Protocol Version 6 (TCP/IPv6) to open another dialog box, with the same options as the IPv4 properties. [Video description ends] So it's using DHCP, but we can override that. I'm going to click Use the following IPv6 address and I'll specify a valid IPv6 address. Now remember, each segment of four characters is separated with a colon in IPv6, and each character can be hexadecimal.
 
Which means 0 through to 9 and then A through to F, where A would be for 10 and F would be for 15. Of course, like IPv4, this has to be planned out properly in terms of IP addressing.
 
That applies whether you're obtaining the IP address automatically or filling it in here manually. I'll set the Subnet prefix length to 64 bits. The Preferred DNS server here, in IPv6 notation, points to this host itself. Remember that in IPv4 that was 127.0.0.1; the IPv6 equivalent is ::1. We can click Advanced... and add additional IPv6 addresses also.
 
I'll just click OK, and OK again, and let's go back out to the command prompt where we were earlier. I'm going to issue the ipconfig command again. Notice that in addition to our Link-local IPv6 Address, our newly configured IPv6 Address shows here also. [Video description begins] The host is back on the Command Prompt. A new set of output lines appears on screen after he runs the ipconfig command again. They read: Line 1: Ethernet adapter Ethernet0: Line 2: Connection-specific DNS Suffix : Line 3: IPv6 Address: 1111:2222:3333:4444:5555:6666:7777:8888 Line 4: Link-local IPv6 Address: fe80::fd3e:b1fc:d547:e73%6 Line 5: IPv4 Address: 192.168.2.167 [Video description ends]
 
Now this is important to know from a technical standpoint for TCP/IP, but it's also important from a security standpoint because one of the things that we will depend on when viewing logs, looking for anomalies, are things like IP addresses that might change over time. And we certainly have to have a strong understanding of where IP address configurations come from.
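As an added example (not code from the video), here is Python that does what the Linux and Windows sections above describe by hand: it parses `ip a` and `ipconfig` output, classifies each address as loopback, link-local (fe80), private or global, and diffs two snapshots so a changed or newly appeared address stands out. The `ip a` sample (MAC, link-local value) and the Windows Default Gateway line are constructed; the Windows addresses are the ones shown in the video.

```python
"""Pull host addresses out of `ip a` (Linux) and `ipconfig` (Windows) output,
classify where each one comes from, and diff two snapshots taken over time."""
import ipaddress
import re

# `ip a`: "2: eth0: <BROADCAST,...>" starts an interface; addresses follow on "inet"/"inet6" lines.
_IP_A_IFACE = re.compile(r"^\d+:\s+([^:\s]+):")
_IP_A_ADDR = re.compile(r"^\s+inet6?\s+(\S+)")
# ipconfig: "Ethernet adapter Ethernet0:" then dotted "IPv4 Address. . . : x" lines.
_IPCONFIG_IFACE = re.compile(r"^\S.*\badapter\s+(.+):\s*$")
_IPCONFIG_ADDR = re.compile(
    r"^\s+(?:IPv4 Address|IPv6 Address|Temporary IPv6 Address|Link-local IPv6 Address)[ .]*:\s*(\S+)"
)

def parse_ip_a(text):
    """Return {interface: {address, ...}} from `ip a` output; prefix lengths are dropped."""
    snapshot, iface = {}, None
    for line in text.splitlines():
        header = _IP_A_IFACE.match(line)
        if header:
            iface = header.group(1)
            snapshot.setdefault(iface, set())
            continue
        addr = _IP_A_ADDR.match(line)
        if addr and iface:
            snapshot[iface].add(addr.group(1).split("/")[0])
    return snapshot

def parse_ipconfig(text):
    """Return {adapter: {address, ...}} from ipconfig output."""
    snapshot, iface = {}, None
    for line in text.splitlines():
        header = _IPCONFIG_IFACE.match(line)
        if header:
            iface = header.group(1).strip()
            snapshot.setdefault(iface, set())
            continue
        addr = _IPCONFIG_ADDR.match(line)
        if addr and iface:
            # Windows appends a zone index (%6) to link-local addresses and
            # "(Preferred)" under `ipconfig /all`; neither is part of the address.
            snapshot[iface].add(addr.group(1).split("%")[0].split("(")[0])
    return snapshot

def classify(address):
    """Scope of an address, which tells you where it must have come from."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"    # 127.0.0.1 / ::1: the host itself
    if ip.is_link_local:
        return "link-local"  # fe80::/10: self-assigned by the OS, not by DHCP
    if ip.is_private:
        return "private"     # RFC 1918 / ULA, e.g. the 10.0.0.x Azure subnet address
    return "global"          # routable; an Azure public IP is NOT expected to appear in-OS

def addresses_by_scope(snapshot):
    """Group (interface, address) pairs by scope for triage."""
    grouped = {}
    for iface, addrs in snapshot.items():
        for addr in addrs:
            grouped.setdefault(classify(addr), set()).add((iface, addr))
    return grouped

def diff_snapshots(before, after):
    """Return (added, removed) sets of (interface, address) between two snapshots."""
    old = {(i, a) for i, addrs in before.items() for a in addrs}
    new = {(i, a) for i, addrs in after.items() for a in addrs}
    return new - old, old - new

# Constructed, abridged `ip a` output for an Azure Linux VM: a private 10.0.0.x
# address on eth0 and no trace of the VM's public IP (MAC/link-local values made up).
LINUX_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:3a:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.4/24 metric 100 brd 10.0.0.255 scope global eth0
    inet6 fe80::20d:3aff:fe00:1/64 scope link
"""

# ipconfig before and after the static IPv6 address is assigned (addresses as shown
# in the video; the Default Gateway line is constructed).
WINDOWS_BEFORE = """\
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::fd3e:b1fc:d547:e73%6
   IPv4 Address. . . . . . . . . . . : 192.168.2.167
   Default Gateway . . . . . . . . . : 192.168.2.1
"""
WINDOWS_AFTER = WINDOWS_BEFORE.replace(
    "   Link-local IPv6 Address",
    "   IPv6 Address. . . . . . . . . . . : 1111:2222:3333:4444:5555:6666:7777:8888\n"
    "   Link-local IPv6 Address",
)
```

Run over the constructed samples, the Linux VM shows no global address at all, which is the point made in the Linux section: the Azure public IP lives outside the OS, so an indicator naming it has to be matched against the cloud resource, not the host.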
 

Managing Cloud IP Addressing

In this demonstration, I will be configuring cloud IP addressing. Now, this is important to know because we have to have a sense of where IP addresses come from when it comes to reviewing security logs or getting alarm notifications of potential suspicious network activity. [Video description begins] The Microsoft Azure home page is open. It has Azure services listed on the top and Resources lining the bottom. [Video description ends] So in this case, we’re talking about the Microsoft Azure public cloud.
 
The first thing I’ll do here in the left hand navigator is select All resources. A cloud resource is just an object in the cloud, like a virtual machine or a storage account or a network interface, even a public IP address. For example, here in the All resources view, the Type is set to equal all. So we're seeing all types of resources.
 
I'm going to filter this list by clicking right on that. All I want to see is network stuff, so Network interfaces and Public IP addresses. I’ll choose Apply. [Video description begins] The host clicks on the Type equals all filter above the resources list, selects the options mentioned by him, and clicks on apply on the bottom right of the filter dialog box. The filtered resources become visible on screen. [Video description ends] So here I have a number of public IP addresses and network interfaces.
 
If I were to open up, let’s say a public IP address, in its properties, I can see if it's been associated with an existing virtual machine network interface. I can choose to Dissociate it. [Video description begins] The cursor points to the Dissociate option on the top menu bar of the IP address tab. [Video description ends] However, what we're going to be doing here is creating a new public IP address resource. So we can choose Create. [Video description begins] The host clicks on the create option on the top left of the All resources tab. [Video description ends]
 
I’m going to search for public IP address. Now, this can happen automatically when you deploy a new virtual machine, but we're going to go ahead and do it this way. [Video description begins] The host makes the search on the top right of the Create tab to open the Marketplace up. [Video description ends] So I’ll select Public IP address under Microsoft and then I’ll click on Create. [Video description begins] The Create public IP address tab opens up. It requires Project details such as Subscription and Resource group. [Video description ends] I’ll have to assign it to a Resource group, whether I select an existing one like I will or whether I create a new one.
 
Resource groups, of course, just organize related resources, much like a folder would organize files on storage media. Down below, I'll specify the region, in this case East US, and the configuration name. I’m going to call it PubIP172. This will be a public IP address. Down below we get to select which version it will be, IPv4 or IPv6. I’ll leave it on IPv4. And for the IP address assignment down below, notice it’s set to Static. So this will be an unchanging public IP address, which is exactly what you need sometimes, such as for a network service that should always be reachable at the same address.
 
I won’t select anything else here. I’ll just click Review + create. [Video description begins] The host clicks on the Review + create option on the bottom of the page. [Video description ends] The validation has passed, so I'll click Create to create our public IP address resource. [Video description begins] He clicks on Create on the bottom of the page to open the Public IP Address overview. [Video description ends] Once that's done, I can go to the properties of the resource, but I'm going to click on the All resources view instead.
 
Let's just filter this only for IP addresses, specifically Public IP address, and click Apply. [Video description begins] The host clicks on the Type equals all filter again to open a dialog, and selects Public IP address from it. [Video description ends] There it is, PubIP172, our public IP address. If I click on it to open up its properties, notice that the Associate button is available, but the Dissociate button is grayed out because it hasn’t yet been associated with anything. So I can click the Associate button. [Video description begins] The host clicks on the Associate button on the top right of the PubIP172 page to open a window on the right. It has options to assign Resource type and Network interface to the IP address. [Video description ends]
 
I can associate this public IP with a Load balancer or a specific Network interface, which I can choose from the list. So under the heading Can be associated with this network interface, I've got a network interface available.
 
Notice that the other ones are shown under the heading Cannot be associated with this network interface, because as you might guess, they're already associated with public IP addresses. So I’m going to go ahead and select that and choose OK.
 
But you want to think carefully about this. We know that there is a security risk in exposing virtual machines directly to the Internet with a public IP address, which is shown over here on the right on the Overview page, next to the IP address field. That's only one aspect of addressing.
 
Let's not forget that if we were to go, let's say in our left-hand navigator, to our Virtual networks view, we could open up the properties of our virtual network, where the address space is exposed. [Video description begins] The Address Space tab of a virtual network opens. It displays Address space, Address range and Address count. [Video description ends]
 
Now this address space is used by the subnet or subnets defined under the Subnets view. Here we’ve got a default subnet with an IP address range. [Video description begins] The host points to the Subnets option in the left-hand navigator of the virtual network. [Video description ends] [Video description begins] The host clicks on the default subnet to open the default window on the right. [Video description ends]
 
So through DHCP, resources like virtual machines deployed into the default subnet will receive an IP address in this range with the 24-bit subnet mask. One way a malicious actor can disrupt network connectivity is to change these types of items, basically by configuring them incorrectly.
 
If they can gain access to this type of configuration and intentionally misconfigure it, [Video description begins] The host cancels out of the default window. [Video description ends] it can wreak havoc on the network, in the same way that a compromised on-premises DHCP server can.
 
If I go into the properties of a virtual machine and click on Networking on the left, this of course is where I will see the public IP address affiliation and the private IP address affiliation.
 
All of these things are links in terms of resources. So I can click on the public IP and I can choose to Dissociate this public IP from that virtual machine. If I were to do that, I would have to think about how I was going to manage this virtual machine remotely.
 
Perhaps it would be by remoting into another virtual machine on that network that has a public IP, from which I could then use the private IPs to manage those hosts. Or I could use a VPN connection into the cloud, or I could use a jump box server like the Azure Bastion service.
 

Managing Cloud Route Tables

So it's important from a security standpoint to understand how routing works, which lends itself to explaining traffic flows, which in turn will allow us to determine if there is abnormal traffic flow beyond what we might have established as normal with a network traffic baseline. [Video description begins] The AWS Management Console Home is open. [Video description ends]
 
In this example, we’re going to be using Amazon Web Services, or AWS, just for something different. So I've already created an account in AWS and I’ve signed in to the AWS Management Console. So in the search bar at the top, I’m going to search for EC2.
 
EC2 is where I work with my virtual machines in the cloud. [Video description begins] The host clicks on the first option from the search results and opens the EC2 dashboard. It has a navigator on the left, and resources on the right. [Video description ends] I’ve already got an instance, or virtual machine, running called Ubuntu4 [Video description begins] The host clicks on one of the EC2 resources listed called Instances (running) to open the Instances window. An instance called Ubuntu4 is visible, with an Instance ID, which is also a link, next to it. [Video description ends] and if I click to open up that instance ID, which takes me into its properties, notice it does have a public IP address starting with 52.55.
 
Now here on my local computer I’ve popped up PuTTY. I've installed the free PuTTY tool for remote management over SSH to that IP address, 52.55 and whatnot.
 
Also here in PuTTY, on the left under Connection, SSH, Auth, I have specified the Private key file for authentication. We know that you can have public and private key pairs tied to Linux hosts, where the public key is stored on the server and the private key is stored on the admin station, and you would have to have a username and the private key in your possession to sign in. So that’s fine.
 
However, if I try to connect to my AWS Ubuntu Linux instance, the one we were just looking at in the background, by clicking Open, [Video description begins] The host selects AWS Ubuntu4, visible under Saved Sessions in the Sessions window of the PuTTY configuration dialog, and then clicks on open to have a black window appear on screen. [Video description ends] it feels like it's going to time out. Now usually that's because of a firewall configuration where maybe it’s not allowing port 22 SSH traffic, or it's a routing issue, it doesn't know how to get there.
 
Let’s examine the network setup in AWS. There it is. Network error : Connection timed out. Okay, it’s not finding a way to get there. [Video description begins] A PuTTY Fatal Error dialog box pops up which the host cancels out of. [Video description ends] Back here in my instance details, I’m going to scroll down because I can click the Networking tab to get to the network config for this virtual machine.
 
So it's got a public IP as we know, it's got a private IP. It's also been deployed into a specific subnet. So we have a link here for the Subnet ID. [Video description begins] The cursor is on a link below the Subnet ID displayed in the left column of the networking pane. [Video description ends] Well, let's take a look at the subnet. So I'll click on it.
 
It opens up in a new browser window. Let me just click to open up its properties. Notice that subnets here in the cloud can have a Route table associated with them and the route table is shown here with its ID and it's also a link. [Video description begins] The cursor is on the link below the Route table option under the third row of the subnet details section. It is towards the left of the screen. [Video description ends] I'm going to click on that route table.
 
Let’s open it up to view the routes within it. Alright. What it has is a route to itself, its own network. It's a local target. But let's think about this. We've got a virtual machine deployed into this subnet.
 
But where’s the route to get traffic to and from the Internet? There is no route for that, as in the default route for IPv4, 0.0.0.0/0. Now here in AWS, if I go to the Internet gateways view on the left, I have an Internet gateway and it's attached to a VPC, a virtual private cloud, which is just a virtual network. Okay, so that's fine. There's the VPC. [Video description begins] The host clicks on the Internet gateway ID on the Internet gateways tab. It is a link which opens a new tab. This tab has a VPC ID link that the cursor now points to. [Video description ends] This is the VPC, which is tied to the subnet we're looking at.
 
So let's get back to our route table. I’m just going to click the route table’s link on the left. This problem, where we can't seem to SSH into the Linux host, can be solved by adding the appropriate routing information.
 
So I'm looking at the routes, I'm going to click the Edit routes button and I'm going to add a route. [Video description begins] The host clicks on the Edit routes button on the right of the Routes tab. [Video description ends] [Video description begins] He clicks on the Add button on the bottom left. The option to add a Destination and Target appears. He clicks on the Destination blank to open a dropdown. [Video description ends] Now for IPv4, we know the default route is 0.0.0.0/0; for IPv6, if that’s what you’re using, it would be ::/0. At any rate, I'm going to add that as the destination. Then for the target,
 
I'm going to choose Internet Gateway in AWS. That's what lets you get traffic into and out of the Internet. And I’m going to select the Internet gateway we were just looking at and that's it. Save changes. [Video description begins] He clicks on save changes on the bottom right. [Video description ends]
 
So without changing anything else, let's fire up PuTTY again and see if we can get in. So I'm back in PuTTY. I’m going to load up the settings for my AWS Ubuntu Linux instance. I’m going to click Open. This time, it asks me to log in. Well, that's just good news right away.
 
The default username here is ubuntu and I’ve got my private key associated. Oh yeah. Look at this. We are in. So that's an example of what to think about when it comes to cloud routing.
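As an added example (not AWS's code and not part of the course), here is the same check we just did in the console, done against describe-route-tables style data: does a subnet's route table carry a default route, what does it point to, and which route would a packet to a given destination take? The route table contents, subnet IDs and the 198.51.100.7 test destination are constructed placeholders.

```python
"""Route-table audit: which subnets have a default route and where does it
point?  The sample data mirrors the shape of `aws ec2 describe-route-tables`
output; every ID and CIDR below is a constructed placeholder."""
import ipaddress

SAMPLE_ROUTE_TABLES = [
    {   # as first seen in the demo: only the VPC-local route, nothing to the Internet
        "RouteTableId": "rtb-EXAMPLE-1",
        "Associations": [{"SubnetId": "subnet-EXAMPLE-A"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {   # after the fix: default routes (IPv4 and IPv6) to the Internet gateway
        "RouteTableId": "rtb-EXAMPLE-2",
        "Associations": [{"SubnetId": "subnet-EXAMPLE-B"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
        ],
    },
    {   # a private subnet: default route via a NAT gateway, so no inbound path
        "RouteTableId": "rtb-EXAMPLE-3",
        "Associations": [{"SubnetId": "subnet-EXAMPLE-C"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
        ],
    },
]

# Keys under which describe-route-tables reports a route's target.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId",
               "TransitGatewayId", "VpcPeeringConnectionId")


def route_destination(route):
    """The route's destination as an ip_network (None for prefix-list routes)."""
    cidr = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
    return ipaddress.ip_network(cidr) if cidr else None


def route_target(route):
    """The route's target ID: 'local', 'igw-...', 'nat-...', an ENI, and so on."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def table_for_subnet(subnet_id, tables):
    """The route table explicitly associated with subnet_id, or None."""
    for table in tables:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            return table
    return None


def best_route(table, destination_ip):
    """Longest-prefix match: the active route that most specifically contains
    destination_ip, which is how the VPC router picks the route for a packet."""
    addr = ipaddress.ip_address(destination_ip)
    best = None
    for route in table["Routes"]:
        net = route_destination(route)
        if route.get("State") != "active" or net is None or net.version != addr.version:
            continue
        if addr in net and (best is None or net.prefixlen > route_destination(best).prefixlen):
            best = route
    return best


def default_route(table, version=4):
    """The active 0.0.0.0/0 (or ::/0 for version 6) route, or None if there is none."""
    for route in table["Routes"]:
        net = route_destination(route)
        if net is not None and net.version == version and net.prefixlen == 0 \
                and route.get("State") == "active":
            return route
    return None


def classify_subnet(subnet_id, tables):
    """'public' when the default route targets an Internet gateway, 'private' when
    it targets anything else (NAT, instance, ...), 'isolated' when there is no
    default route, 'unassociated' when no table is explicitly associated."""
    table = table_for_subnet(subnet_id, tables)
    if table is None:
        return "unassociated"
    default = default_route(table)
    if default is None:
        return "isolated"
    return "public" if (route_target(default) or "").startswith("igw-") else "private"
```

Running classify_subnet over every associated subnet gives a quick exposure inventory to compare against your baseline, and best_route explains why the SSH session earlier had no path back out.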
 
Back here on the Windows platform, let’s also not forget that we can issue commands like ipconfig, which will show us IP address information as well as our Default Gateway.
 
[Video description begins] The host opens the command prompt to run the ipconfig command. He points to the line of code that mentions the Default Gateway under the Wireless LAN adapter Wi-Fi which holds the value 192.168.2.1 [Video description ends]
 
So here in this operating system, this is an on-premises Windows laptop, the default gateway is pointing to the router interface on this local area network which will get traffic out of this LAN and out onto the Internet, presumably. And that’s what this does in this case.
 
It also allows traffic back in, although the configured default gateway setting itself won’t do that; the router itself will, provided it is configured correctly. Also remember that you can issue the route print command in Windows to get a listing of all of the routes known by this client machine.
 
It's broken down by network adapter, but one of the most common things that technicians will check here is the default route, again, for IPv4, 0.0.0.0, [Video description begins] The host points to the Network Destination and Gateway that show up under Active Routes after he runs the route print command. [Video description ends] and what it’s pointing to, to get traffic out of the LAN.
 

Implementing DNS and DHCP Security

We've talked about DHCP from a central IP configuration perspective as well as DNS from a name resolution perspective. These are network services that are widely used pretty much on every network out there, whether it's a personal home network or an organizational or enterprise type of network.
 
And so because they're so widely used, we need to make sure we take the steps necessary to secure the use of DHCP and DNS. That's what we're going to talk about here: DNS and DHCP security. The first obvious thing to consider is just hardening [Video description begins] The Windows Server Desktop is open. [Video description ends] the devices where DHCP and DNS are running in the first place.
 
For example, if I've got DNS or DHCP running on the Windows platform, as I have open here, one of the many things we can do to harden this computer would be to use Firewall settings to limit the traffic that can get to the machine. So Inbound Rules. [Video description begins] The host opens the Windows Defender Firewall with Advanced Security application. The home page displays three panes. The left has options such as Inbound Rules, Outbound Rules, Connection Security Rules and more. Inbound Rules is selected. The middle pane is populated with a number of files. [Video description ends] The same would be true if DNS or DHCP is running on firmware embedded within an enterprise class router or a home Wi-Fi router.
 
The interface will be different, but the concepts remain the same. Harden the device. Apply patches, whether to firmware or, in this case, to the Windows OS. That's all just generic hardening, but it is part of protecting DHCP and DNS hosts. [Video description begins] The host cancels out of the Windows Defender Firewall with Advanced Security application. [Video description ends] Let’s start here by going into the Start menu on my Windows Server, under Windows Administrative Tools.
 
I'm going to select DHCP. DHCP has been installed on this Windows machine. And we know that DHCP provides a centralized configuration for clients on the network that will send out a network broadcast on the LAN to discover a DHCP host. [Video description begins] The DHCP window opens with three panes. The left has a DHCP server with IPv4 and IPv6 listed as options within it. The middle pane lists Contents of DHCP, with a single file displaying at the moment. The right pane lists Actions. [Video description ends]
 
So whether we are configuring this for IPv4 or IPv6 to hand out those configurations, there are a few things that we can consider for security. So the first thing I'll do is right click on IPv4 and configure a new scope. We would do this when we are setting up DHCP initially.
 
I'll just quickly go through it. [Video description begins] The New Scope Wizard opens. The host clicks on Next on the bottom right to continue. He adds the information needed in each instance that follows and continues to click Next on the bottom right after each step. [Video description ends] So assuming we're going with some kind of a naming standard for these types of configurations, I’ll call it LANSegment 12-B, assuming that’s what this IP config is for. I'll put in the starting IP and the ending IP.
 
We can specify things like the Subnet mask. You would use exclusions if something within that range, like a network printer, is already using an IP, so that you don’t hand that IP out again to DHCP clients. But I’ll just continue with Next.
 
The default lease duration here is 8 days. I’m going to reduce that, let’s say to 1 day. If the nature of this LAN segment is that devices connect for maybe a few hours, or maybe a day, but are then off the network and off to some other location,
 
then it would make sense to have a shorter lease duration like this so you don't exhaust your DHCP address pool. We can also configure DHCP options like the router or default gateway, and we can also configure DNS server IPs. Now this is important.
 
If the DHCP host is compromised by an attacker, one of the things they might do is specify in DHCP a DNS server for clients to use for name resolution, one that redirects clients to fraudulent or spoofed websites, such as for online banking and so on.
 
Okay, but that just boils down to standard host hardening, making sure the machine itself won't be compromised. I'm just going to go through here. I'm not going to activate this DHCP scope right now as I have another one running on the network already. [Video description begins] The host clicks on Finish to close the New Scope Wizard. [Video description ends]
 
One of the things I'm going to do here is right click on IPv4 on the left and choose Define Vendor Classes... [Video description begins] The DHCP Vendor Classes dialog box opens in the middle of the screen. It has a list of Available classes on the left and an option to Add on the right. [Video description ends] This can be important because what you can do is pick out DHCP requests from certain types of devices, like IP phones from a certain manufacturer, for example, and then assign DHCP settings specifically for that type of device.
 
Now what does that have to do with security? If we know we've got a subset of our IP address scope assigned, let's say, to IP phones, then we have a definable way, when we're threat hunting or looking through network security logs, to determine that certain traffic was specifically related to IP phones. So that can be very handy. So I'm going to go ahead and click Add... to add a new DHCP vendor class. [Video description begins] A New Class dialog box opens. It asks for Display name, Description and details about ID, Binary and ASCII, with an OK button on the bottom right. [Video description ends]
 
I’m going to call it MyTestIPPhone. And what you enter in here is the vendor class identifier. You don't make this up. You would have to look at the documentation from that IP phone vendor to know what this is. [Video description begins] The host points to the area that asks for ID, Binary and ASCII. [Video description ends] So assuming I filled this in correctly, I would then click OK. And then close out of there.
 
[Video description begins] The host closes the Vendor Classes dialog box to get back on the DHCP window. [Video description ends]
 
So now what I could do is configure a DHCP policy to control how IP addressing works in terms of conditions. [Video description begins] The cursor hovers over the Policy option under the Scope option within IPv4. [Video description ends] We can conditionally determine how IP addressing assignments work. So I’m going to right click and choose New Policy... I’ll call it Policy1 [Video description begins] The host right clicks on the Policies option and chooses New Policy to open the DHCP Policy Configuration Wizard. The first page requires a Policy name, which is added by the host before he clicks Next on the bottom right of the wizard. The Configure Conditions for the policy page opens next. [Video description ends]
 
I’ll click Next. I’ll click Add... for Conditions and for Vendor Class, [Video description begins] He subsequently continues to add the information requested in the wizard as he moves forward, clicking Next on the bottom right to continue in each instance. [Video description ends] I can now select MyTestIPPhone from the list and I can click Add to add it down there.
 
[Video description begins] He clicks on Add from the middle of the conditions page to open a new dialog. It has options like Criteria, Operator and Value, each with a list to choose from. Vendor Class is selected in the Criteria section. The host selects MyTestIPPhone on the dropdown list for Value. [Video description ends]
 
 
So I'm adding a condition here that says if we get DHCP requests from that type of IP phone, based on our vendor class identifier, then, as we continue on (I'm just going to have that one condition, so I'll click Next), we can specify that we want to use [Video description begins] The Vendor Class condition is added to the conditions as the host clicks Next. [Video description ends] a subset of IPs within our configured scope just for these IP phones.
 
Let’s say 192.168.1.70 to 192.168.1.90, if we don’t have that many of them. Okay! [Video description begins] The next page mentions the current scope IP address range as 192.168.1.50 - 192.168.1.100, which the host points to, before adding values for Start IP address and End IP address. The host fills out 192.168.1.70 for the former and 192.168.1.90 for the latter. He then clicks on Next. [Video description ends] Then we could specify details like a specific router through which IP phone traffic should go. Maybe regular network traffic goes through a different router or default gateway than IP phone traffic does, because maybe we’ve got a network configuration optimized for IP phone traffic.
 
So maybe I'll specify that. Okay. Let me just go through and configure my policies as such. [Video description begins] The host clicks on Finish to close the policy configuration wizard. The middle pane displays Policy1. [Video description ends] So that's one thing. We can also right click on our DHCP server on the left and choose Add/Remove Bindings... If you've got a multi-homed computer, you can determine which network interfaces, shown here by IP address as well, you want DHCP to service clients on.
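An added example (not Microsoft's DHCP server code) that models what the vendor class and Policy1 above do: it pulls the vendor class identifier (DHCP option 60) out of a constructed DHCPDISCOVER, hands matching phones the policy's sub-range and router and everything else the scope defaults, and maps a leased address back to its pool, which is the threat-hunting use mentioned earlier. The vendor class identifier string, the router addresses and the lease length are assumed values; the scope and policy ranges are the ones from the wizard.

```python
"""DHCP vendor class (option 60) matching and policy-based pool selection.
Models the scope LANSegment 12-B, the MyTestIPPhone vendor class and Policy1
from the walkthrough; identifier, routers and lease length are assumptions."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field

# Scope as set up in the wizard (router and 1-day lease are assumed values).
SCOPE = {"start": "192.168.1.50", "end": "192.168.1.100",
         "router": "192.168.1.1", "lease_seconds": 86400}

# Policy1: requests carrying the IP phone vendor class get their own sub-range and
# their own router.  The real identifier comes from the phone vendor's documentation;
# the string below is a constructed placeholder.
POLICIES = [{"name": "Policy1", "class_name": "MyTestIPPhone",
             "vendor_class_id": b"EXAMPLE-IPPHONE-VCI",
             "start": "192.168.1.70", "end": "192.168.1.90", "router": "192.168.1.2"}]


def build_discover(mac, vendor_class_id=None):
    """Construct a minimal DHCPDISCOVER (236-byte BOOTP header + options) for testing."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                         0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit set)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr/yiaddr/siaddr/giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = bytes([53, 1, 1])                  # option 53: message type = DISCOVER
    if vendor_class_id:
        options += bytes([60, len(vendor_class_id)]) + vendor_class_id
    return header + MAGIC_COOKIE + options + bytes([255])   # option 255: end

def parse_options(packet):
    """Walk the TLV option list; reject packets missing the cookie or with a truncated option."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option %d" % code)
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options

def match_policy(options):
    """First policy whose vendor class identifier the request carries.
    Prefix matching is assumed here, like a trailing wildcard on the condition."""
    vci = options.get(60, b"")
    for policy in POLICIES:
        if vci.startswith(policy["vendor_class_id"]):
            return policy
    return None

def lease_parameters(packet):
    """Decide the pool and options for a request the way the scope plus policy would."""
    options = parse_options(packet)
    if options.get(53) != b"\x01":
        raise ValueError("only DHCPDISCOVER is handled in this example")
    policy = match_policy(options)
    source = policy if policy else SCOPE
    return {"policy": policy["name"] if policy else None,
            "pool": (source["start"], source["end"]),
            "router": source["router"],
            "lease_seconds": SCOPE["lease_seconds"]}

def pool_for_ip(ip):
    """For threat hunting: map a leased address back to the policy that owns its pool."""
    addr = ipaddress.ip_address(ip)
    for policy in POLICIES:
        if ipaddress.ip_address(policy["start"]) <= addr <= ipaddress.ip_address(policy["end"]):
            return policy["name"]
    if ipaddress.ip_address(SCOPE["start"]) <= addr <= ipaddress.ip_address(SCOPE["end"]):
        return "scope"
    return None
```

Note that option 60 is whatever the client sends, so a forged vendor class can land a device in the phone pool; the pool tells you what a device claimed to be, not what it is.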
 
So if this machine is linking two networks together, in other words acting as a router at the Windows software level, you can determine that if you wish. On the DNS side of things, on that same server, I’ll go to Windows Administrative Tools, down to DNS. DNS is already configured here. [Video description begins] The DNS Manager opens. The host points to a DNS server listed on the left pane and clicks on it. [Video description ends]
 
What we can choose to do is right click on a DNS zone, choose DNSSEC and digitally Sign the Zone, which I’ve already done. Now what happens is besides having standard Start of Authority, Name Server, IPv4 A records, IPv6 AAAA records, you get a lot of Signature records and KEY records added, because what's happened is we have digitally signed the zone.
 
You can use the default key to do that, or you can specify one that you would like to use specifically; but by digitally signing the DNS zone, clients can verify the validity of the signature to make sure that it hasn't been tampered with. [Video description begins] The host points to the files that populate the right pane. [Video description ends]
 
Now, for clients to do that, we have to configure a little bit of group policy, assuming clients are pointing to this DNS server. [Video description begins] The host cancels out of the DNS Manager to get back to the desktop. [Video description ends] So from the Start menu under Windows Administrative Tools, I’m going to go into Group Policy Management. I have an Active Directory domain and I have stations joined to it, so I can configure centralized settings that could potentially apply to all computers in the domain or a subset.
 
What I want to do is make sure I configure it such that computers will use DNSSEC for that DNS zone. [Video description begins] The Group Policy Management window is open. The same DNS server is visible on the left pane. The host clicks on it to open up a list of options below it. The first one is the Default Domain Policy. [Video description ends]
 
So I’m going to right click the Default Domain Policy, which applies to all computers and users in the domain. I’ll click Edit... [Video description begins] The Group Policy Management Editor opens. The left pane has an option called Computer Configuration with Policies and Preferences under it. [Video description ends] What I’m looking to do here under Computer Configuration is go down under Policies and then under Windows Settings, where I have something called the Name Resolution Policy.
 
What we can do here for a DNS Suffix is specify, let’s say, our signed DNS zone, quick24x7.local. What we want to do down below for that is enable DNSSEC in this rule. And I’ll turn on the check mark that says Require DNS clients to check that name and address data has been validated by the DNS server. Then I'll click Create, which adds that to the name resolution table down below, and I’ll click Apply.
 
So in this way then clients will be able to verify that DNS records haven't [Video description begins] The host clicks on Apply on the bottom right of the window. [Video description ends] been tampered with. Of course, if an attacker completely compromises the server and even the key used for signing the zone, then we would still have a security problem.
 

Hardening a Wi-Fi Router

Managing network settings is crucial for a cybersecurity analyst because the network can present a way for malicious actors to perform reconnaissance on the network or even compromise devices on the network.
 
Here, the focus is going to be on hardening, or configuring in a secure manner, a Wi-Fi router, whether it's a Wi-Fi device used in the enterprise or even on a home network. These days, that can still be very serious because many people work from home, and we don't want the device that people are using to work from home to be compromised. The first step in protecting that is at the network level. [Video description begins] The home page of a Wi-Fi router emulator is open on screen. The web address is https://emulator.tp-link.com The top has options such as Network Map, Game Center, Internet, Wireless, and Advanced. Wireless is selected, and Wireless Settings such as Network Name, Security and Password are displayed below. [Video description ends]