Hands-On Steps

1. From your computer workstation, create a new text document called LAN-to-WAN Domain Lab #7.

2. Consider the following scenario:

You are a security consultant for an information systems security firm and have a new health care

provider client under HIPAA compliance. Your new client wants to know the requirements and

business drivers for securing the LAN-to-WAN domain in its health care environment, which requires

compliance with HIPAA. Similarly, your firm has a U.S. government DoD client who also wants you to

perform a LAN-to-WAN domain compliance audit per the DoD LAN and network hardening guidelines

and baseline requirements. Both organizations want you to focus on the LAN-to-WAN domain

only, and you are to use the DoD-provided frameworks and STIGs previously found to summarize a

network infrastructure hardening strategy. Just as you researched STIGs in Lab #6, do the same at the

following url: http://iase.disa.mil/stigs/net_perimeter/index.html#.

3. Review the U.S. Department of Defense (DoD) network hardening guidelines and other NIST standards

that you identified in Lab #3.

4. Launch your Web browser and type in the Web address http://www.sans.org. Use the Custom Search

box in the upper right corner to identify the risks, threats, and vulnerabilities commonly found in the

LAN-to-WAN domain. List these in your text document.

5. Using the information you learned in Lab #2 and the Internet, identify and review the documents

available for hardening network infrastructure and the LAN-to-WAN domain as per DoD standards.

List these in your text document.

6. On the IASE/DISA website, find the STIGs for the routers and switches, network policy, firewalls and

IDS/IPS, and other network devices. Use the following Web addresses to find these:

http://iase.disa.mil/stigs/net_perimeter/network_infra/routers_switches.html

http://iase.disa.mil/stigs/net_perimeter/network_infra/policy.html

http://iase.disa.mil/stigs/net_perimeter/network_infra/firewall.html

http://iase.disa.mil/stigs/net_perimeter/network_infra/other.html

7. Download the available ZIP files from the URLs listed in the previous step, including:

a. Network Infrastructure Router L3 Switch

b. Network Perimeter Router L3 Switch

c. Network L2 Switch

d. Network Policy

e. Network Firewall

f. Network IDS/IPS

g. Network Other Devices

8. Extract the Overview PDFs from each of the ZIP files listed in the previous step. This PDF is the

summary document that supports all of the XML files. Review the following concepts from this

overarching DoD standards document for network infrastructure:

• ENCLAVE PERIMETER

• Enclave Protection Mechanisms

• Network Infrastructure Diagram

• External Connections

• Leased Lines

• Approved Gateway/Internet Service Provider Connectivity

• Backdoor Connections

• IPv4 Address Privacy

Hands-On Steps 55

7

38412_Lab07_Pass1.indd 55 3/7/13 6:04 PM

• FIREWALL

• Packet Filters

• Bastion Host

• Stateful Inspection

• Firewalls with Application Awareness

• Deep Packet Inspection

• Application-Proxy Gateway

• Hybrid Firewall Technologies

• Dedicated Proxy

• Layered Firewall Architecture

• Content Filtering

• Perimeter Protection

• Tunnels

Briefly discuss these in your text document.

9. Extract the Switch Cisco Manual XML file from the Network L2 Switch ZIP file. Review some of the

following concepts and vulnerabilities for configuring and hardening Cisco switches:

• Non-registered or unauthorized IP addresses

• In-band Mgt not configured to timeout in 10 min

• Exclusive use of privileged and non-privileged

• Assign lowest privilege level to user accounts

• Log all in-band management access attempts

Briefly discuss these in your text document.

10. Extract the Perimeter Router Cisco XML file from the Network Perimeter Router L3 Switch ZIP file. Review

some of the following concepts and vulnerabilities for configuring and hardening Cisco routers:

• A log or syslog statement does not follow all deny statements

• DNS servers must be defined for client resolver

• Running and startup configurations are not synchronized

Briefly discuss these in your text document.

11. Extract the Firewall Cisco PIX ASA XML file from the Network Firewall ZIP file. Review at least three of the

concepts and vulnerabilities for configuring and hardening Cisco firewalls as performed previously for

switches and routers. Discuss these in your text document.

12. Extract the IDS-IPS Manual XML file from the Network IDS-IPS ZIP file. Review at least three of the

concepts and vulnerabilities for configuring and hardening IDS/IPS devices as performed previously

for switches and routers. Discuss these in your text document.

13. Extract the Network Policy Manual XML file from the Network Policy ZIP file. Review at least three of the

concepts and vulnerabilities for configuring and hardening network policy as performed previously for

switches and routers. Discuss these in your text document.

14. Write an executive summary summarizing the top LAN-to-WAN domain risks, threats, and vulnerabilities

and include a description of the risk mitigation tactics you would perform to audit the

LAN-to-WAN domain for compliance. Use the U.S. DoD LAN-to-WAN hardening guidelines as your

example for a baseline definition for compliance.

15. Submit the text document to your instructor as a deliverable for this lab.

56 Lab #7 | Auditing the LAN-to-WAN Domain for Compliance

38412_