version 09.02 - noodlez.org courses pdf... · 2018-03-10 · 3. sniff traffic using wireshark •...

Version 09.02.02



Table of Contents

Network Management Labs
  A1 NO LABS APPLICABLE
  B1 SNMPc
  C1 Solarwinds Engineer Toolset
  D1 Solarwinds Cirrus
  E1 Orion
  F1 HEAT
  G1 Net MRI
  H1 Cisco ACS
  I1 NO LABS APPLICABLE

Information Assurance Labs
  A1 Information Assurance Overview
  B1 Access Control Lists
  C1 Cisco Security Monitoring, Analysis and Response System
  D1 Cisco Adaptive Security Appliance
  E1 Cisco Intrusion Prevention System
  F1 Cisco Security Manager
  G1 eEye Retina Scanner
  H1 Hercules Vulnerability Remediation Management


Network Management Labs


SNMPc

Labs


NM-PE-B1 Management Console

1. Revert to Snapshot for VMware instance
   a. Setup WAN Manager
   b. Note: Verify completed procedures with Instructor before continuing
2. Setup SNMPc Online for remote access
3. Setup SNMPc Network Map
4. Monitor local devices
   a. Monitor OSPF Neighbor status (MIBs)
   b. Monitor all appropriate services
      i. Domain Name Server (DNS)
      ii. Mail Server (Exchange)
      iii. Add SSH (Secure Shell Logon) Service (Port 22)
      iv. Domain Controller (DC)
      v. Web Server
5. Set up three trend reports for NT2R (local router) to be accessed via SNMPc Online
   a. Bandwidth Utilization
   b. Online Availability
   c. Online Interface BPS
6. Use Manager of Managers to incorporate maps (Enterprise Edition Only)
7. Backup your map
   a. Schedule backup for every hour
8. Personalize your event log view to customize tab views
   a. Critical Tab
   b. Major Tab
   c. Minor Tab
9. Setup Java Console View
10. Add Users
   a. 3 different users and set permissions


SolarWinds Engineer Toolset

Labs


NM-PE-C1 Solarwinds Engineer Toolset

Use Solarwinds Toolset to monitor the network
1. Populate configuration viewer with local devices using Network Sonar (Auto Discovery)
2. Setup shared credentials
3. Verify that TFTP server is running
4. Setup Syslog server
5. Setup IP Address Management
   a. Copy & paste results to Excel Spreadsheet


Solarwinds Cirrus Lab


NM-PE-D1 SolarWinds Cirrus

1. Populate Cirrus with all devices (manually)
2. Set a baseline configuration for all local devices
3. Create a snippet and add TACACS+ & AAA commands for NT2R
   a. Upload created snippet to local NT2R (have students upload an interface config)
   b. Compare running config to baseline to verify changes
4. Schedule a task to download configs from local devices every 24 hours
5. This step is only for manager of HUB Node (UHN_66030)
   a. Setup ACS Server for authentication
   b. Generate TACACS+ administration reports and save to desktop using ‘lastname_reportname’ as file name.
      i. Failed Attempts
      ii. TACACS+ Accounting
      iii. Logged-in Users

Enter the following NetFlow Version 5 commands on Cisco devices:

• ip flow-export version 5: Sets NetFlow export to version 5
• ip flow-export source loopback 0: Sets Loopback 0 as the source interface (and therefore the source address) of the export datagrams
• ip flow-export destination <Orion Server IP address> 2055: Sends the NetFlow export datagrams to the Orion Server on UDP port 2055
• interface serial 0/0: Enters interface sub-mode
• ip route-cache flow: Enables NetFlow accounting on the interface, so its traffic is cached and exported

NetFlow Verification Commands

• show ip flow export (Displays statistics for the data export, including the main and other enabled caches.)
• show ip cache flow (Displays a summary of the NetFlow statistics.)
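As an added example (not part of the course lab text), the Python below builds and decodes a NetFlow v5 export datagram of the kind `ip flow-export destination <Orion Server IP address> 2055` sends, so a collector, or a `udp.port == 2055` capture that Wireshark decodes with its `cflow` dissector, can be checked against the documented layout. The two flow records and the header values are constructed; the field names follow Cisco's v5 record layout.

```python
"""Build and decode a NetFlow v5 export datagram: 24-byte header, then up to
thirty 48-byte flow records. Added example, not from the course text; the two
flows below are constructed, not exported by a real router."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)      # 48
MAX_RECORDS = 30


@dataclass
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int                  # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    packets: int
    octets: int
    tcp_flags: int = 0
    next_hop: str = "0.0.0.0"
    in_if: int = 0              # SNMP ifIndex of input / output interface
    out_if: int = 0
    first: int = 0              # SysUptime (ms) at first / last packet of the flow
    last: int = 0
    tos: int = 0
    src_as: int = 0
    dst_as: int = 0
    src_mask: int = 0           # prefix lengths
    dst_mask: int = 0


def build_v5_export(flows: List[Flow], sys_uptime: int = 0, unix_secs: int = 0,
                    flow_sequence: int = 0, engine_type: int = 0,
                    engine_id: int = 0, sampling: int = 0) -> bytes:
    """Serialise flows the way an exporter puts them on UDP/2055."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("a NetFlow v5 datagram carries at most 30 records")
    header = struct.pack(HEADER_FMT, 5, len(flows), sys_uptime, unix_secs, 0,
                         flow_sequence, engine_type, engine_id, sampling)
    records = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(f.src), socket.inet_aton(f.dst),
                    socket.inet_aton(f.next_hop), f.in_if, f.out_if, f.packets,
                    f.octets, f.first, f.last, f.src_port, f.dst_port, 0,
                    f.tcp_flags, f.proto, f.tos, f.src_as, f.dst_as,
                    f.src_mask, f.dst_mask, 0)
        for f in flows)
    return header + records


def parse_v5_export(data: bytes) -> Tuple[Dict[str, int], List[Flow]]:
    """Decode one datagram, rejecting anything that is not well-formed v5."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > MAX_RECORDS or len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = dict(sys_uptime=sys_uptime, unix_secs=unix_secs, unix_nsecs=unix_nsecs,
                  flow_sequence=flow_sequence, engine_type=engine_type,
                  engine_id=engine_id, sampling_interval=sampling)
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, nh, in_if, out_if, pkts, octs, first, last, sp, dp, _pad1,
         flags, prot, tos, sas, das, smask, dmask, _pad2) = struct.unpack(
            RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), sp, dp, prot,
                          pkts, octs, flags, socket.inet_ntoa(nh), in_if, out_if,
                          first, last, tos, sas, das, smask, dmask))
    return header, flows


def top_talkers(flows: List[Flow]) -> List[Tuple[str, int]]:
    """Octets per source address, largest first (what NTA graphs first)."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f.src] = totals.get(f.src, 0) + f.octets
    return sorted(totals.items(), key=lambda kv: -kv[1])


# Constructed sample: an SSH session to the router and a DNS lookup from it.
SAMPLE_FLOWS = [
    Flow("22.230.4.25", "22.230.0.6", 51234, 22, 6, 120, 18_000, tcp_flags=0x18,
         in_if=1, out_if=2, first=1_000, last=61_000, src_mask=24, dst_mask=30),
    Flow("22.230.0.6", "22.230.4.10", 53001, 53, 17, 1, 76, in_if=2, out_if=1,
         first=2_000, last=2_000),
]
```

The length check matters in practice: a collector that trusts the `count` field and reads past the end of the datagram is the classic parsing bug in flow receivers, and a sequence gap in `flow_sequence` between consecutive datagrams is how you notice that the exporter is dropping records before they reach Orion.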


Orion

Lab


NM-PE-E1 Orion (Hub Node/DMAIN)

1. Setup and configure NetFlow Collector
2. Create a snippet to upload IP flow commands into NT2R
   a. Upload snippet to router
3. Take preliminary steps to setup Orion
4. Draw Orion Map
   a. Import Map into Orion Web Console
   b. Note: verify completion with instructor before moving forward
5. Setup NetFlow Traffic Analyzer to receive data
6. Backup Orion database


HEAT

Lab


NM-PE-F1 HEAT

1. Step for DMAIN only:
   a. Set up HEAT Administrator Module
   b. Create users and Team Roles as indicated by instructor
      i. Username: DMAIN  password: cisco  Role: Administrator
      ii. Username: BCT1  password: cisco  Role: Technician
      iii. Username: BCT2  password: cisco  Role: Technician
      iv. Username: BCT3  password: cisco  Role: Technician
2. Download and install the iHeat Windows client
3. Open the iHeat client and connect to your assigned server
   a. DMAIN and BCT1 use 22.230.4.25
   b. BCT2 and BCT3 use 22.230.4.26
4. Open HEAT Administration and Call Logging to verify connectivity
5. NOTE: Use your AKO ID: john.doe and password: cisco
6. Create 2 customer profiles using call logging (for the purpose of using HEAT Self Service)


Net MRI

Lab


NM-PE-G1 Net MRI

Hub Node/DMAIN:

1. Configure NetMRI and set the server IP address (browse to IP Address 169.254.1.1, UserID: Admin, PWD: cisco1234)
2. Input network name
3. Input server name
4. Set time server
5. Input SNMP strings
6. Input CIDR blocks
7. Create user accounts and set privilege levels

Brigade and Below:

1. Web into NetMRI and view data (IP Address 22.230.4.10)
2. Record last reboot time for your JNN router
3. Record last configuration change for your JNN router
4. Record device groups
5. Record interface groups
6. Record services running on your JNN router


Cisco ACS

Lab


NM-PE-H1 Cisco ACS (Hub Node/DMAIN)

1. Make sure AAA commands are entered into your router
2. Setup and configure Cisco ACS for customer login
3. Add Server
4. Add client Network Access Devices (NADs)
5. Create user groups
6. Create users and assign to appropriate groups
7. View Accounting logs
8. After the router and ACS server are configured, login to the router with the user ID: gdadmin and password: gd1234$.
9. Are you able to log on? Why or why not?
10. Next login with the username and password you created in ACS. If unsuccessful, check the aaa and tacacs router configurations.
11. Now try to login using telnet and the web interface.
12. Click on the System Configuration button on the left hand side of the screen.
13. Click the Service Control link.
14. At the bottom, click the Stop button to stop the ACS service (the service may take a few minutes to stop).
15. Login with the username and password created in ACS.
16. Create 2 Administrator user accounts.
    Administrator 1:
    a. Add to the Default Group.
    b. Select Network Configuration.
    c. Under Reports and Activity, select TACACS+ Accounting and User Change Password.
    Administrator 2:
    a. Grant All Administrator Privileges.
    b. Disable Automatic local login.
17. From the host server, open Internet Explorer and log into the Cisco ACS admin console: http://22.230.x.x:2002
    NOTE: Port 2002 will automatically switch to a random port upon opening up the webpage.


Information Assurance

Labs


Information Assurance Overview

LABS


IA-PE-A1 Monitor a TELNET Session

1. Open Wireshark
2. Select Capture – Interfaces
3. Hit the start button next to the appropriate Network Interface Card
4. Setup the Fast Ethernet port on the router as 22.230.x.x/30 (refer to cut sheets)
5. Setup the Fast Ethernet port on one laptop with an IP Address 22.230.x.x (refer to cut sheets)
6. Telnet into the router (use PuTTY or HyperTerminal)
7. Sniff traffic and find the telnet session
8. What does Wireshark pick up?
   • Type telnet in the filter section and click Apply (filters for telnet ONLY!)

IA-PE-A2 Setup and Monitor SSH Session

1. Setup SSH on the router
2. Setup PuTTY on one laptop
3. Sniff traffic using Wireshark
   • Open Wireshark
   • Select Capture – Interfaces
   • Hit start button next to the appropriate Network Interface Card
4. What does Wireshark pick up?
   • Type ssh in the filter section and click Apply (filters SSH ONLY!)
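Added example (not part of the lab text): the two directions of a captured Telnet login, as Wireshark's Follow TCP Stream presents them, with the RFC 854 option negotiation stripped so the typed username and password fall out; the SSH stream yields only its version banner. Both byte strings are constructed to resemble an IOS login, not taken from a real capture, and the router name NT2R is reused from the SNMPc lab only as a prompt.

```python
"""Recover a Telnet login from a capture, and show why SSH gives nothing.

Added example, not from the lab text. SERVER/CLIENT are the two directions
of one TCP stream (what Wireshark's Follow TCP Stream shows); they are
constructed to resemble an IOS login, not taken from a real capture."""
import re
from typing import Dict, Tuple

IAC, SB, SE = 255, 250, 240                  # RFC 854 command bytes
WILL, WONT, DO, DONT = 251, 252, 253, 254


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop option negotiation and other IAC sequences, keep only user data."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            break                                    # truncated IAC at end of stream
        elif data[i + 1] == IAC:
            out.append(IAC)                          # escaped literal 0xFF
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                   # IAC <cmd> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)  # IAC SB ... IAC SE
            i = n if end < 0 else end + 2
        else:
            i += 2                                   # two-byte command (NOP, GA, ...)
    return bytes(out)


def recover_telnet_login(server_to_client: bytes, client_to_server: bytes) -> Dict[str, str]:
    """Pair the router's prompts with the lines the client typed.

    The router does not echo the password, so it is visible only in the
    client->server direction; that direction is cleartext too, which is
    the whole problem with Telnet."""
    prompts = [p.decode().lower() for p in
               re.findall(rb"(Username|Password):", strip_telnet_iac(server_to_client))]
    typed = strip_telnet_iac(client_to_server)
    # Clients send CR LF or CR NUL for Enter; keystrokes may arrive one per segment,
    # but concatenating the segment payloads gives the same byte stream.
    lines = [t.decode("ascii", "replace") for t in
             typed.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n").split(b"\n") if t]
    return dict(zip(prompts, lines))


def ssh_cleartext(stream: bytes) -> Tuple[str, int]:
    """Only the version exchange is readable; everything after it is binary."""
    banner, _sep, rest = stream.partition(b"\r\n")
    return banner.decode("ascii", "replace"), len(rest)


# Constructed streams. Router -> client: WILL ECHO, WILL SGA, DO TTYPE, DO NAWS,
# banner, prompts (the password is not echoed).
SERVER = (b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f"
          b"\r\nUser Access Verification\r\n\r\nUsername: admin\r\nPassword: \r\nNT2R>")
# Client -> router: DO SGA, WILL TTYPE, TTYPE IS "ANSI", WONT ECHO, then the typed login.
CLIENT = (b"\xff\xfd\x03\xff\xfb\x18\xff\xfa\x18\x00ANSI\xff\xf0\xff\xfc\x01"
          b"admin\r\ncisco123\r\n")
# An SSH-2 stream: version string, then binary packets (constructed bytes).
SSH_STREAM = b"SSH-2.0-Cisco-1.25\r\n" + b"\x00\x00\x04\x1c\x0a\x14" + bytes(range(64))
```

In Wireshark, the `telnet` filter from IA-PE-A1 followed by right-click, Follow TCP Stream shows the SERVER and CLIENT bytes above interleaved; the `ssh` filter from IA-PE-A2 shows the two `SSH-2.0-...` version lines and then nothing readable, which is the point of the two labs side by side.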

IA-PE-A3 Switch Monitoring Port

1. In global configuration mode enter the following:
   • monitor session 1 source interface Fa1/1 (Telnet/SSH port 1)
   • monitor session 1 destination interface Fa1/2 (sniffing port 2)
2. Plug laptop 1 into port 1
3. Plug laptop 2 into port 2
4. Laptop 1: telnet into the router
5. Laptop 2: sniff the traffic using Wireshark
   • Open Wireshark
   • Select Capture – Interfaces
   • Hit start button next to the appropriate Network Interface Card
6. What does Wireshark pick up?
7. Put the interface into listening mode (unbinding IP keeps the sniffing laptop from transmitting on the monitor port)
   • Start button
   • Left click on Network Connections
   • Right click on Local Area Connection and go to Properties
   • Uncheck Internet Protocol and File and Printer Sharing for Microsoft Networks
   • Click OK


IA-PE-A4 Switch Port Security

1. In global configuration mode enter the following:
   • mac-address-table static xxxx.xxxx.xxxx interface Fa1/1 vlan xx (PC 1)
   • mac-address-table static xxxx.xxxx.xxxx interface Fa1/2 vlan xx (PC 2)
2. Ping the Default Gateway
   • Go to Start button
   • Select Run
   • Type cmd and hit Enter
   • Type ping xxx.xxx.xxx.xxx (x’s denote the IP Address)
3. Swap the laptop cables
4. Is it possible to ping?

IA-PE-A5 MAC Spoofing

1. Right click My Computer
2. Select Properties
3. Left click the Hardware tab
4. Select Device Manager
5. Under Network adapters double click the appropriate NIC
6. Left click the Advanced tab
7. Select Locally Administered Address
8. Type the MAC address to spoof (12 hex digits, no separators) in the Value field and hit OK. With the MAC address of the PC that was originally on that port, the static entry from IA-PE-A4 matches again, which is why a static MAC table on its own is a weak control.


Access Control Lists

LABS


IA-PE-B1 VTY ACL

1. Configure a standard access list to allow telnet access from your workstation and the instructor’s workstation while blocking everyone else.
2. Try to telnet to your router.
3. Have the instructor try to telnet to your router.
4. Have your neighbor try to telnet to your router.
5. Create and apply the ACL and retry.

IA-PE-B2 SNMP

1. Create a standard access list allowing your server SNMP management of your router while blocking all others’ access.
2. View the network management station on the projector to see what happens.

IA-PE-B3 Extended ACL

1. Configure an extended access list to block web access from your workstation to the instructor’s workstation while permitting everyone else.
2. Try to web to the instructor’s laptop
3. Try to ping the instructor’s laptop
4. Create and apply the ACL and retry
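Added example (not part of the lab text) covering the three ACL labs above: a small model of how IOS evaluates a standard or extended access list, with wildcard masks, first match wins, and the implicit deny at the end, fed the ACL lines a student would write for IA-PE-B1, B2 and B3. The addresses are hypothetical stand-ins for the cut sheets, and the `access-class`, `snmp-server community ... RO` and `ip access-group` commands named in the comments are where each list is applied on the router.

```python
"""Model of IOS ACL evaluation: first match wins, implicit deny at the end,
Cisco wildcard masks. Added example, not from the lab text; the addresses
below are hypothetical stand-ins for the cut sheets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"telnet": 23, "www": 80, "snmp": 161, "ssh": 22}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # ip | tcp | udp | icmp
    src: str = ANY[0]
    src_wc: str = ANY[1]
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dst_port: Optional[int] = None    # "eq <port>" after the destination


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def _address(tokens: List[str], wildcard_required: bool) -> Tuple[str, str]:
    """Consume 'any' | 'host A' | 'A WILDCARD' (| bare 'A' in a standard ACL)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if wildcard_required or tokens:
        return t, tokens.pop(0)
    return t, "0.0.0.0"                 # standard ACL: omitted wildcard means exact host


def parse_ace(line: str) -> Ace:
    """Parse one access-list entry in IOS syntax (without the list number)."""
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):           # extended syntax
        proto = tokens.pop(0)
        src, src_wc = _address(tokens, wildcard_required=True)
        dst, dst_wc = _address(tokens, wildcard_required=True)
        port = None
        if tokens[:1] == ["eq"]:
            port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return Ace(action, proto, src, src_wc, dst, dst_wc, port)
    src, src_wc = _address(tokens, wildcard_required=False)  # standard: source only
    return Ace(action, "ip", src, src_wc)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry that matched); None means the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action, n
    return "deny", None                                      # implicit deny any


# Hypothetical lab addresses; the real ones come from the cut sheets.
WORKSTATION, INSTRUCTOR, NEIGHBOR = "22.230.1.10", "22.230.1.20", "22.230.1.30"
NMS, ROUTER = "22.230.1.40", "22.230.1.1"

# IA-PE-B1: standard list 10, applied with `access-class 10 in` under `line vty 0 4`
VTY_ACL = [parse_ace(f"permit host {WORKSTATION}"), parse_ace(f"permit host {INSTRUCTOR}")]
# IA-PE-B2: standard list 20, referenced by `snmp-server community <string> RO 20`
SNMP_ACL = [parse_ace(f"permit host {NMS}")]
# IA-PE-B3: extended list 110, applied with `ip access-group 110 in` on the workstation
# side. Order matters: with `permit ip any any` first, the deny would never be reached.
WEB_ACL = [parse_ace(f"deny tcp host {WORKSTATION} host {INSTRUCTOR} eq www"),
           parse_ace("permit ip any any")]
```

The model answers the lab questions directly: the neighbor's telnet hits the implicit deny of list 10, and under list 110 the workstation's ping to the instructor still succeeds because only TCP to port 80 is denied, while every other host's web traffic matches `permit ip any any`.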


Cisco Security Monitoring, Analysis and Response System (MARS)

LABS


IA-PE-C1 Sending Traffic To CS-MARS

1. Connect to the Tier 1 Router in the network
   a. SSH
      • Ensure you have access to the required IP address
        1. Select HostPC-Start > Run
        2. Type cmd and select OK
        3. From the command window type: ping <device IP> (example: ping 22.230.0.6)
        4. If you do not have a connection to the required IP address, begin troubleshooting network configuration and connectivity issues on the computer and/or the router you are trying to access
      • Open Putty
      • In the Host Name (or IP Address) field enter the router IP address
      • Ensure Port 22 is entered and SSH is selected for the connection type
      • Select the Open button at the bottom of the window
   b. Console Connection (HyperTerminal)
      • Connect a serial cable between the computer and the router
      • Open HyperTerminal by selecting the HyperTerminal shortcut on the Desktop of the computer
      • Enter a name for the connection (NOTE: This name can be anything and is not important, but must be at least one alphanumeric character) then select OK
      • In the “Connect To” window use the Connect Using drop-down box to select the appropriate COM port then select OK
      • In the COM# Properties window select the Restore Defaults button then press OK
      • Now in the HyperTerminal window press the Enter key to make a connection to the device

2. From the connection window enter the following commands:
   a. Router#config t
   b. Router(config)#snmp-server enable traps
   c. Router(config)#snmp-server host <CS-MARS IP> <RO Community>
   d. Router(config)#logging source-interface <interface to CS-MARS>
   e. Router(config)#logging trap warnings
   f. Router(config)#logging <CS-MARS IP>
   g. Router(config)#service timestamps log datetime localtime
   h. Router(config)#exit
   i. Router#copy run startup-config
3. Complete these steps for every router in the JNN/BCT
4. Connect to the Host LAN Firewall using one of the methods outlined above
5. Enter the following commands:
   a. CiscoASA#config t


   b. CiscoASA(config)#snmp-server host <interface> <CS-MARS IP> community <RO Community>
   c. CiscoASA(config)#snmp-server community <RO Community>
   d. CiscoASA(config)#logging enable
   e. CiscoASA(config)#logging host <interface name> <CS-MARS IP>
   f. CiscoASA(config)#logging trap warning
   g. CiscoASA(config)#logging timestamp
   h. CiscoASA(config)#exit
   i. CiscoASA#write mem
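Added example (not from the lab text): a parser for the `%FACILITY-SEVERITY-MNEMONIC:` syslog format the router and ASA commands above produce, used to show which messages `logging trap warnings` (router) and `logging trap warning` (ASA) actually forward to CS-MARS, namely severities 0 to 4 only. The six log lines are constructed to look like IOS and ASA output, not taken from a real collector; the PRI consistency check catches a receiver that mis-maps severities.

```python
"""Parse Cisco IOS/ASA syslog lines and apply the `logging trap <level>` cut-off.

Added example, not part of the course text. The six lines below are constructed
to look like what a router and an ASA emit; they are not from a real capture."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS/ASA level keywords -> numeric severity (RFC 3164)
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

PRI_RE = re.compile(r"^<(\d{1,3})>")             # optional RFC 3164 <PRI> on the wire
MSG_RE = re.compile(r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$")


@dataclass
class CiscoSyslog:
    facility: str          # SYS, SEC_LOGIN, LINK, ASA, ...
    severity: int          # the digit in %FAC-<sev>-MNEM
    mnemonic: str
    text: str
    pri: Optional[int]     # <PRI> from the UDP payload, if present
    preamble: str          # sequence number / timestamp that precede the %

    @property
    def pri_consistent(self) -> bool:
        """PRI = facility*8 + severity, so its low 3 bits must equal the message severity."""
        return self.pri is None or (self.pri & 7) == self.severity


def parse_cisco_syslog(line: str) -> Optional[CiscoSyslog]:
    pri = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        line = line[m.end():]
    m = MSG_RE.search(line)
    if not m:
        return None                                # not in %FACILITY-SEVERITY-MNEMONIC form
    return CiscoSyslog(m["fac"], int(m["sev"]), m["mnem"], m["text"], pri,
                       line[:m.start()].strip())


def forwarded_at(lines: List[str], trap_level: str) -> Tuple[List[str], List[str]]:
    """Split messages into those `logging trap <level>` sends and those it drops.

    The trap level is a ceiling: a message is sent when its severity is
    numerically less than or equal to the configured level."""
    cutoff = SEVERITY[trap_level]
    sent, dropped = [], []
    for line in lines:
        msg = parse_cisco_syslog(line)
        if msg is None:
            continue
        tag = f"%{msg.facility}-{msg.severity}-{msg.mnemonic}"
        (sent if msg.severity <= cutoff else dropped).append(tag)
    return sent, dropped


# Constructed sample. PRI 184 = local7 (Cisco's default facility) + severity.
SAMPLE = [
    "<189>123: Mar 10 14:02:33: %SYS-5-CONFIG_I: Configured from console by manager on vty0 (22.230.0.6)",
    "<188>124: Mar 10 14:03:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: gdadmin] "
    "[Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed]",
    "<189>125: Mar 10 14:03:20: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: manager] "
    "[Source: 22.230.0.6] [localport: 22]",
    "<187>126: Mar 10 14:04:00: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "<188>Mar 10 2018 14:05:10: %ASA-4-106023: Deny tcp src outside:192.0.2.77/4444 "
    "dst inside:22.230.4.25/23 by access-group outside_in",
    "<190>Mar 10 2018 14:05:11: %ASA-6-302013: Built inbound TCP connection 1234 for "
    "outside:192.0.2.78/5555 (192.0.2.78/5555) to inside:22.230.4.25/22 (22.230.4.25/22)",
]
```

Run against the sample at `warnings`, the failed login, the link flap and the ASA ACL deny reach CS-MARS, while the configuration change (`%SYS-5-CONFIG_I`) and the successful login (`%SEC_LOGIN-5-LOGIN_SUCCESS`) never leave the router because they are severity 5. If those belong in the incident timeline, the router needs `logging trap notifications`, at the cost of more volume; the Wireshark filter `syslog` on UDP/514 shows what actually went out.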

6. Complete the Firewall steps for each firewall context on the Host LAN Firewall

IA-PE-C2 Add Devices to the CS-MARS database

1. Add Routers to the database
   a. Select Admin > System Setup > Security and Monitor Devices > Add
   b. Select Cisco IOS 12.2 from the Device Type list
   c. Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and firewalls, MARS renames this field’s value to match the name discovered in the device configuration, which typically uses the hostname.domain format. For devices that cannot be discovered, such as Windows and Linux hosts and host applications, MARS uses the provided value.

d. (Optional) To enable MARS to discover settings from this device, enter the administrative IP address in the Access IP field. To learn more about the access IP address, its role, and dependencies.

e. Enter the IP address of the interface that publishes syslog messages, SNMP notifications, NetFlow MIBs, or any combination of the three, in the Reporting IP field.

f. If you entered an address in the Access IP field, select SNMP, TELNET, SSH, or FTP from the Access Type list, and ensure the device is properly configured for the selected access method.

g. (Optional) To enable MARS to retrieve MIB objects for this reporting device, enter the device’s read-only community string in the SNMP RO Community field. Before you can specify the SNMP RO string, you must define an access IP address. MARS uses the SNMP RO string to read MIBs related to a reporting device’s CPU usage, network usage, and device anomaly data and to discover device and network settings.

h. (Optional) To enable MARS to monitor this device for anomalous resource usage, select YES from the Monitor Resource Usage list. Enabling this setting allows MARS to monitor the device for anomalous consumption of resources, such as memory and CPU. If anomalies are detected, MARS generates an incident. Resource utilization statistics are also used to generate reports.


i. (Optional) If you defined an access IP and selected and configured an access type, click Discover to determine the device settings, including the IOS IPS settings. If the username and password are correct and the MARS Appliance is configured as an administrative host for the device, the “Discovery is done.” dialog box appears when the discovery operation completes. Otherwise, an error message appears. After the initial pull, the MARS Appliance pulls based on the schedule that you define.

j. To add this device to the MARS database, click Submit. The submit operation records the changes in the database tables. However, it does not load the changes into working memory of the MARS Appliance. The activate operation loads submitted changes into working memory.

k. Click Activate. After selecting Activate, MARS begins to sessionize events generated by this device and evaluate those events using the defined inspection and drop rules. Any events published by the device to MARS before activation can be queried using the reporting IP address of the device as a match criterion

2. Complete the above steps for each router in your network segment.
3. Adding a Firewall Device:
   a. To add a Cisco ASA, select Admin > System Setup > Security and Monitor Devices > Add, and select the appropriate ASA software version. For class this is Cisco ASA 7.2.
   b. Enter the name of the firewall device in the Device Name field.
   c. (Optional) To enable MARS to discover settings from this firewall device, enter the administrative IP address in the Access IP field. Note: This address corresponds to the IP address from which the syslog messages of the admin context are sent.

d. Enter the IP address of the interface that publishes syslog messages or SNMP notifications, or both in the Reporting IP field.

e. If you entered an address in the Access IP field, select TELNET, SSH, or FTP from the Access Type list, ensure the device is configured to use the selected communication method. Note: If you select the FTP access type you cannot discover the non-admin context settings. Therefore, this access type is not recommended.

f. (Optional) To enable MARS to retrieve MIB objects for this reporting device, enter the device’s read-only community string in the SNMP RO Community field. Before you can specify the SNMP RO string, you must define an access IP address. MARS uses the SNMP RO string to read MIBs related to a reporting device’s CPU usage, network usage, and device anomaly data and to discover device and network settings.

g. (Optional) To enable MARS to monitor this device for anomalous resource usage, select Yes from the Monitor Resource Usage list. Result: MARS monitors the device for anomalous consumption of resources, such as memory and CPU. If anomalies are detected, MARS generates an incident. Resource utilization statistics are also used to generate reports.

h. Do one of the following:


• Click Discover to let MARS contact the device and conduct a topology and context configuration discovery. Information about the security contexts is presented in the Context section of the main page.

• Click Next to commit your changes and allow for manual definition of security contexts or modules.

i. (Optional) If you defined an access IP and selected and configured an access type, click Discover to determine the device settings, including any security contexts and their settings. Result: If the username and password are correct and the MARS Appliance is configured as an administrative host for the device, the “Discovery is done.” dialog box appears when the discovery operation completes. Otherwise, an error message appears. After the initial pull, the MARS Appliance pulls based on the schedule that you define.

j. To add this device to the MARS database, click Submit. This operation records the changes in the database tables. However, it does not load the changes into working memory of the MARS Appliance. The activate operation loads submitted changes into working memory.

k. Click Activate. Once Activate is selected MARS begins to sessionize events generated by this device and evaluate those events using the defined inspection and drop rules. Any events published by the device to MARS before activation can be queried using the reporting IP address of the device as a match criterion.

4. Manually adding a Firewall Context:
   a. From the firewall configuration data select Add Module.
   b. In the Device Type list select the appropriate device software type. In the classroom and the WIN-T network that is Cisco ASA 7.2.
   c. Enter the name of the firewall device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and firewalls, MARS renames this field’s value to match the name discovered in the device configuration, which typically uses the hostname.domain format. For devices that cannot be discovered, such as Windows and Linux hosts and host applications, MARS uses the provided value.

d. Enter the name of the security context in the Context Name field. This name must exactly match the context name defined on the device.

e. Enter the IP address of the security context from which syslog messages or SNMP notifications, or both are published in the Reporting IP field.

f. (Optional) To enable MARS to retrieve MIB objects for this security context, enter the device’s read-only community string in the SNMP RO Community field. Before you can specify the SNMP RO string, you must define an access IP address. MARS uses the SNMP RO string to read MIBs related to a security context’s CPU usage, network usage, and device anomaly data and to discover device and network settings.


g. To discover the settings of the defined context click Discover. This discovery collects all of the route, NAT, and ACL-related information. In addition, the name of the device may change to the hostname.domain format if it was not already entered as such.

   h. To save your changes, click Submit.
5. Adding Discovered Firewall Contexts:
   a. Click Add Available Module.
   b. Select a security context from the Select list.
   c. Click Add.
   d. Repeat for other contexts.
   e. To save your changes, click Submit.
   f. Click Activate for CS-MARS to begin sessionizing data from the contexts.
6. Using one of the methods above (Manually Adding a Firewall Context or Adding a Discovered Firewall Context) add the remaining Firewall Contexts to the CS-MARS database.

IA-PE-C3 Device Auto Discovery and Scheduling

1. Add SNMP values to a network
   a. To open the Community Strings and Networks page, click Admin > Community Strings and Networks.
   b. Click the Network IP radio button.
   c. Enter the Community String, Network IP address, and Mask.
   d. Click Add.
   e. Repeat steps b through d for all the community strings that you want to add.
   f. Click Submit to commit these additions.
2. Add a network for scheduled discovery
   a. Click Admin > Topology/Monitored Device Update Scheduler. The Topology/Monitored Device Update Scheduler page displays.
   b. Click Add.
   c. Enter a name for the network (or group of networks).
   d. Select or enter your networks:
      • Click the Select radio button, and select a network from the list that correlates with the router (loopback), firewall context and IPS management IP addresses in your network.
      • Click Add to move the network into the selected field.
   e. To remove an item in the selected field, click it to highlight it, and click Remove.
   f. In the schedule table, select Daily and from the Time of Day drop-down select 1:00 AM.
   g. Click Submit.


IA-PE-C4 Queries and Reports

1. Enter the Source IP (loopback) address of the Tier 2 JNN Router
   a. To open the query page, click Query / Reports > Queries
   b. In the Source IP address field enter the JNN Tier 2 router loopback IP address
   c. In the Destination IP, Service, Events, Device, Reported User, Keyword, Operation, Rule and Action fields select Any
   d. Click the Submit Inline button to run the query
2. View all incidents on the device and annotate any particular one for further inspection.

IA-PE-C5 Inspection and Drop Rules

1. Open the Drop Rules page: Select Rules > Drop Rules in the CS-MARS navigation page.
2. Click Add.
3. Enter a name and description for the rule, and click Next.
4. Select your sources.
   a. Check the boxes next to the items in the Sources Selected field to select them, and click the Toggle Equal button to change them between equal and not equal.
   b. Click the Select All button to select all items in the Sources Selected field. (Note: if you have items highlighted in the Sources Selected field, clicking Select All will de-select them.)
   c. Use the Equal and Not Equal buttons to bring highlighted items from the Sources Available field into the Sources Selected field.
   d. Filter sources from this drop-down list.
   e. Enter search text, and click Enter to move items that match the search criteria from the Sources Available field to the Sources Selected field.
   f. To add a new item to the sources, click the Add button. To edit or delete an existing source, click the Edit or Delete button.
   g. Click an item or items in the Sources Selected field, and use the Remove button.
   h. To move IP values up into the Sources Selected field, click the Equal (Up) icon, or the Not Equal (Up) icon.
   i. Check the radio button next to IP or Range, and enter an IP address or a range of IP addresses into their respective fields.
   j. Select items in the Sources Selected field by clicking them. Enter a group name, and click the Grouped As button to group them.
5. Follow the wizard, and select the values for the rule, clicking the Next button to progress to the next step.
6. When you are asked, “Are you done defining the rule conditions”, click the Submit button.
7. When the rule is complete, you need to activate it by clicking the Activate button.


Cisco Adaptive Security Appliance (ASA)

LABS


IA-PE-D1 Creating a Context

Setting up interfaces from within the System Execution space/context:

1. Using a standard DB-9 to RJ-45 blue serial cable, connect a PC to the “console” connector on the rear of the Cisco ASA.
   a. From Windows go to Start > Programs > Accessories > Communications > Hyper Terminal.
   b. Once a Hyper Terminal program opens you will be prompted to enter a name. Enter your Station name, i.e. JNN 1234, then press Enter.
   c. Select the COM port you’d like to use from the drop-down selection box at the bottom of the properties window.
   d. Select “Restore Defaults” on the next window and press Enter. You now have a console connection to the device.
2. If you’re not already in the system context, type “changeto context system”. Create the sub-interfaces Ethernet0/0.324 and Ethernet0/1.224 and assign them to VLAN 324 and VLAN 224 using the following steps:
   a. BCT-XXXX-SFWDh# config t
   b. BCT-XXXX-SFWDh(config)# int e0/0.324
   c. BCT-XXXX-SFWDh(config-subif)# vlan 324
   d. BCT-XXXX-SFWDh(config-subif)# exit
   e. BCT-XXXX-SFWDh(config)# int e0/1.224
   f. BCT-XXXX-SFWDh(config-subif)# vlan 224
   g. BCT-XXXX-SFWDh(config-subif)# exit
   h. BCT-XXXX-SFWDh(config)#
3. Setting Resource Limits
   a. BCT-XXXX-SFWDh(config)# class DataResourceLimits
   b. BCT-XXXX-SFWDh(config-class)# limit-resource mac-addresses 6000
   c. BCT-XXXX-SFWDh(config-class)# limit-resource conns 80000
   d. BCT-XXXX-SFWDh(config-class)# limit-resource rate conns 6000
   e. BCT-XXXX-SFWDh(config-class)# limit-resource rate inspects 6000
   f. BCT-XXXX-SFWDh(config-class)# exit
   g. BCT-XXXX-SFWDh(config)#
4. In this section of the lab you will define a security context to the system. It will be named DATA and is intended to provide firewalling services to the end user subnet.
   a. BCT-XXXX-SFWDh(config)# context DATA
      Creating context 'DATA'... Done. (7)
   b. BCT-XXXX-SFWDh(config-ctx)# description "This context is utilized for the protection of the DATA Vlan"
   c. BCT-XXXX-SFWDh(config-ctx)# member DataResourceLimits
   d. BCT-XXXX-SFWDh(config-ctx)# allocate-interface Ethernet0/0.324
   e. BCT-XXXX-SFWDh(config-ctx)# allocate-interface Ethernet0/1.224
   f. BCT-XXXX-SFWDh(config-ctx)# config-url disk0:/DATA.cfg
      INFO: Context DATA was created with URL disk0:/DATA.cfg
   g. BCT-XXXX-SFWDh(config-ctx)# exit
   h. BCT-XXXX-SFWDh(config)#
5. Verify that the DATA context has been created
   a. BCT-XXXX-SFWDh(config)# sh context

Page 36: Version 09.02 - Noodlez.org Courses PDF... · 2018-03-10 · 3. Sniff traffic using Wireshark • Open Wireshark • Select Capture – Interfaces • Hit start button next to the

Context Name Class Interfaces URL DATA DataResour Ethernet0/0.324, disk0:/DATA.cfg Ethernet0/1.224 *ADMIN default Management0/0 disk0:/ADMIN.cfg IA IAResource Ethernet0/0.333, disk0:/IA.cfg Ethernet0/1.233 NETOPS NetopsReso Ethernet0/0.322, disk0:/NETOPS.cfg Ethernet0/1.222 VOICE VoiceResou Ethernet0/0.358, disk0:/VOICE.cfg Ethernet0/1.58

IA-PE-D2 Basic Context Setup

1. Change to the DATA context:
   a. BCT-XXXX-SFWDh(config)# changeto context DATA
   b. BCT-XXXX-SFWDh/DATA(config)#

2. Set the username and enable password:
   a. BCT-XXXX-SFWDh# config t
   b. BCT-XXXX-SFWDh(config)# username manager password cisco priv 15
   c. BCT-XXXX-SFWDh(config)# enable password cisco
   d. BCT-XXXX-SFWDh(config)#

3. Set the hostname:
   a. BCT-XXXX-SFWDh/DATA(config)#
   b. BCT-XXXX-SFWDh/DATA(config)# hostname BCT-XXXX-SFWDh-DATA
   c. BCT-XXXX-SFWDh/DATA(config)#

4. Set the domain name. The domain name is necessary for SSH communications:
   a. BCT-XXXX-SFWDh/DATA(config)# domain-name BCT-XXXX-SFWDh-DATA.us.army.smil.mil
   b. BCT-XXXX-SFWDh/DATA(config)#

5. Configure SSH on the security appliance:
   a. BCT-XXXX-SFWDh/DATA(config)# crypto key generate rsa
      INFO: The name for the keys will be: <Default-RSA-Key>
      Keypair generation process begin. Please wait...
   b. BCT-XXXX-SFWDh/DATA(config)#

6. Verify the key has been created:
   a. BCT-XXXX-SFWDh/DATA(config)# sh crypto key mypubkey rsa

7. Assign a management IP address to the security context:
   a. BCT-XXXX-SFWDh/DATA(config)# ip address [ip address and mask]

8. Set up the interfaces:
   a. BCT-XXXX-SFWDh/DATA(config)# interface Ethernet0/0.324
   b. BCT-XXXX-SFWDh/DATA(config-if)# description This is the untrusted interface for the DATA management context
   c. BCT-XXXX-SFWDh/DATA(config-if)# nameif DATA_OUTSIDE
      INFO: Security level for "DATA_OUTSIDE" set to 0 by default.
   d. BCT-XXXX-SFWDh/DATA(config-if)# security-level 0
   e. BCT-XXXX-SFWDh/DATA(config-if)# exit
   f. BCT-XXXX-SFWDh/DATA(config)# interface Ethernet0/1.224
   g. BCT-XXXX-SFWDh/DATA(config-if)# description This is the trusted interface for the DATA management context
   h. BCT-XXXX-SFWDh/DATA(config-if)# nameif DATA_INSIDE
      INFO: Security level for "DATA_INSIDE" set to 0 by default.
   i. BCT-XXXX-SFWDh/DATA(config-if)# security-level 100
   j. BCT-XXXX-SFWDh/DATA(config-if)# exit
   k. BCT-XXXX-SFWDh/DATA(config)#

You should now be able to ping the DATA context from the inside interface.

IA-PE-D3 Enabling Management Services

1. Send syslog messages to a syslog server:
   a. BCT-XXXX-SFWDh/DATA(config)# logging enable
   b. BCT-XXXX-SFWDh/DATA(config)# logging timestamp
   c. BCT-XXXX-SFWDh/DATA(config)# logging buffer-size 512000
   d. BCT-XXXX-SFWDh/DATA(config)# logging asdm-buffer-size 500
   e. BCT-XXXX-SFWDh/DATA(config)# logging console warnings
   f. BCT-XXXX-SFWDh/DATA(config)# logging monitor warnings
   g. BCT-XXXX-SFWDh/DATA(config)# logging buffered informational
   h. BCT-XXXX-SFWDh/DATA(config)# logging trap warnings
   i. BCT-XXXX-SFWDh/DATA(config)# logging asdm warnings
   j. BCT-XXXX-SFWDh/DATA(config)# logging host DATA_OUTSIDE [ip address of your syslog (CS-MARS) server]
   k. BCT-XXXX-SFWDh/DATA(config)#

2. Only allow IPs from your IA VLAN to ping your device:
   a. BCT-XXXX-SFWDh/DATA(config)# icmp permit 22.230.0.0 255.255.0.0 DATA_OUTSIDE
   b. BCT-XXXX-SFWDh/DATA(config)# icmp permit 22.230.0.0 255.255.0.0 DATA_INSIDE

3. Configure an ACS server:
   a. BCT-XXXX-SFWDh/DATA(config)# aaa-server ACS protocol tacacs+
   b. BCT-XXXX-SFWDh/DATA(config-aaa-server-group)# aaa-server ACS (DATA_OUTSIDE) host [IP address of the ACS server]
   c. Enter the server key:
      • BCT-XXXX-SFWDh/DATA(config-aaa-server-host)# key bluebird
      • BCT-XXXX-SFWDh/DATA(config-aaa-server-host)# aaa authentication enable console ACS LOCAL
   d. BCT-XXXX-SFWDh/DATA(config)# aaa authentication http console ACS LOCAL
   e. BCT-XXXX-SFWDh/DATA(config)# aaa authentication ssh console ACS LOCAL

4. Enable web management:
   a. BCT-XXXX-SFWDh/DATA(config)# http server enable
   b. BCT-XXXX-SFWDh/DATA(config)# http [IP address of the IA management PC] DATA_OUTSIDE
   c. BCT-XXXX-SFWDh/DATA(config)# http [IP address of the IA management PC] DATA_INSIDE

5. Enable SNMP management:
   a. BCT-XXXX-SFWDh/DATA(config)# snmp-server host DATA_OUTSIDE [IP address of the SNMP server] community FTHOOD
   b. BCT-XXXX-SFWDh/DATA(config)# snmp-server community FTHOOD
   c. BCT-XXXX-SFWDh/DATA(config)# snmp-server enable traps snmp authentication link$
   d. BCT-XXXX-SFWDh/DATA(config)# snmp-server enable traps syslog
   e. BCT-XXXX-SFWDh/DATA(config)# snmp-server enable traps ipsec start stop
   f. BCT-XXXX-SFWDh/DATA(config)# snmp-server enable traps remote-access session-threshold-exceeded
   g. BCT-XXXX-SFWDh/DATA(config)# ssh [IP address of the IA PC] DATA_OUTSIDE
   h. BCT-XXXX-SFWDh/DATA(config)# ssh [IP address of the IA PC] DATA_INSIDE
   i. BCT-XXXX-SFWDh/DATA(config)# ssh timeout 3
   j. BCT-XXXX-SFWDh/DATA(config)# ssh version 2

IA-PE-D4 Port Objects and Object Groups

1. Web into the device via the ASDM:
   a. Open Internet Explorer and input the IP address of your ADMIN context. Example: https://22.230.36.28.
   b. Click on “Run ASDM Applet”. Follow the prompts and accept the Java certificates.
   c. If configured, enter a username and password for the security context.

2. Once the ASDM window has opened:
   a. From the drop-down menu select the DATA context.
   b. Click on the Configuration button at the top of the window, then click on the Global Objects button located to the far left of the window, then Network Objects, then click Add (Configuration > Global Objects > Network Objects).

3. Create an Object Group and a network object for the Cisco Security Manager named CSM (note: be sure you are in the DATA context at this point):
   a. From the Network Objects screen click Add.
   b. When the new window opens, name the group CSM.
   c. Enter the IP address of the CSM in the box at the bottom.
   d. Enter the subnet mask. Be sure to enter an explicit mask for a single host.
   e. Click Add, then click OK.

4. Create a Service Object Group for TCP traffic originating from the CSM. Name this group FROM_CSM_tcp.
   a. Click on Configuration > Global Objects > Service Groups.
   b. Click Add > TCP Service Group.
   c. Name the group FROM_CSM_tcp (note: spaces are not allowed).
   d. Click on the services you want to add. Be sure to click the Add button after you’ve selected each service.
      • Add the following services: https, ssh, tacacs, telnet
      • Add the following ports: 1683, 1684, 3306, 5501, 60002, 60003, 5001, 8088, 42340, 42351-42353, and 44351-44353

5. Create a Service Object Group for UDP traffic originating from the CSM. Name this group FROM_CSM_udp.
   a. Click on Configuration > Global Objects > Service Groups.
   b. Click Add > UDP Service Group.
   c. Name the group FROM_CSM_udp.
   d. Add the following services:
      • snmp, tftp, snmptrap
   e. Add the following ports:
      • 42342, 42350, 44350

6. Continue on your own and create the groups listed below:
   a. Create a service object group named TO_CSM_udp and add the following services and ports:
      • tftp, syslog, 42342, 42350, 44350
   b. Create a service object group named TO_CSM_tcp and add:
      • https, rsh, 1683, 1684, 1741, 3306, 5501, 60002, 60003, 5001, 8088, 9007, 9009, 10033, 40401, 42340, 43441, 40050-40070, 42351-42353, 44351-44353, 50000-50020
   c. From the Service Groups screen click on Add > Protocol Group. Add a protocol group named ALLOWED_protocols and add the following protocols:
      • tcp, udp, icmp, igmp, pim, ospf, eigrp
   d. Create a protocol service group named multicast and add:
      • pim and igmp
   e. Create a network object group named DATA_VLAN_BCT_XXXX. Use your BCT identifier. DO NOT USE “XXXX”! Add the following network objects:
   f. Add your DATA VLAN(s) network as a network object.

IA-PE-D5 Access Control Lists and Class Inspection

1. Create an access-list using the Object Groups you’ve just created.
   a. From the ASDM go to the DATA context. Go to Configuration > Security Policy. Click on the Access Rule tab at the top of the screen, then click the Add button. Use the following options:
   b. Interface and Action section:
      • Interface = DATA_OUTSIDE
      • Action = Permit
      • Direction = incoming
   c. Source section:
      • Source Type = Network Object Group
      • Group Name = CSM (this is the object group you created in the previous lab)
   d. Destination section:
      • Type = enter the IP address of your DATA context
      • Netmask = 255.255.255.255
   e. Protocol and Service section:
      • Source port service = any
      • Destination port group = FROM_CSM
   f. Options section:
      • Logging = Default
      • Time Range = any
   g. Click OK when complete.
   h. The new rule should now show up in the Access Rule section.

2. Continue on and create rules allowing traffic to flow in both directions.


Cisco Intrusion Prevention System (IPS)

LABS


IA-PE-E1 Directing Traffic to the IPS

1. Enter global configuration mode on the Cisco ASA by typing <config t>.

Type the following ASA commands at the ASA global configuration prompt:

1. Type the following command to create an access list called traffic_for_ips:
   <access-list traffic_for_ips extended permit ip any any>

2. Type in the following to direct the firewall traffic to the IPS module:
   ASA(config)# class-map <name of the Sensor_class>
   ASA(config-cmap)# match any
   ASA(config)# policy-map <name of the Sensor_policy>
   ASA(config-pmap)# class <name of the Sensor_class>
   ASA(config-pmap-c)# ips inline fail-open
   ASA(config)# service-policy <name of the Sensor_policy> global

IA-PE-E2 Initialize the Sensor

1. Open up HyperTerminal.
   • Enter a name for your connection, then click OK.
   • Select a COM port located in the bottom menu box, then click OK.
   Terminal program settings are as follows:
   • Baud Rate: 9600
   • Parity: No
   • Data Bits: 8
   • Stop Bit: 1
   • Flow Control: none
   • Log into the sensor via the command line by typing the following command at the ASA prompt: <session 1>

2. Perform the steps to initialize the sensor.
   • Enter host name: this is the name of the sensor.
   • Assign an IP address and subnet mask to the command and control interface.
   • Disable telnet for remote access to the sensor.
   • Web server port remains at default.
   • Modify the access list.
   • Configure the date and time if needed.
   • Modify the monitored interface: in the AIP-SSM, the only interface used for monitoring is the internal Gigabit Ethernet interface.
   • Configure the threat prevention parameters if needed.

3. Create a user by typing in the command <username xxxxx password xxxxx privilege 15>.

4. PING the ASA’s IP address to test connectivity. Locate the Start button on your host desktop. Click START, then RUN, and another window will open. Type in “cmd” to open a command prompt window. Type <PING x.x.x.x>, where x.x.x.x is the IP address of your sensor.

5. Back up the sensor configuration by typing in the command <copy current-config backup-config>.

6. Log out of the sensor by typing EXIT, then log back in using the user you created.

IA-PE-E3 Configuring Signatures Part 1

1. Configure the sensor signatures 2000 and 2004 (ICMP Echo and Echo Reply) to produce an alert and produce a verbose alert. Type in the following commands at the sensor prompts:
   • sensor(config)# service signature-definition sig0
   • sensor(config-sig)# signature <xxxx> 0
   • sensor(config-sig-sig)# alert-severity high
   • sensor(config-sig-sig)# engine atomic-ip
   • sensor(config-sig-sig-ato)# event-action produce-alert|produce-verbose-alert
   • sensor(config-sig-sig-ato)# exit
   • sensor(config-sig-sig)# alert-frequency
   • sensor(config-sig-sig-ale)# summary-mode fire-all
   • sensor(config-sig-sig-ale-fir)# summary-key AxBx
   • sensor(config-sig-sig-ale-fir)# exit
   • sensor(config-sig-sig-ale)# exit
   • sensor(config-sig-sig)# status
   • sensor(config-sig-sig-sta)# enabled true

2. PING your router to trigger the event. Locate the Start button on your host desktop. Click START, then RUN, and another window will open. Type in “cmd” to open a command prompt window. Type <PING x.x.x.x>, where x.x.x.x is the IP address of your sensor.

3. Open the 3cDaemon icon on your desktop. Start the 3cDaemon FTP server by clicking on the Start button. Back up the sensor configuration by typing in the command <copy current-config ftp://ip_address>.

IA-PE-E4 Configuring Signatures Part 2

1. Clear all sensor events by typing in the command at the sensor prompt: <clear events>

2. Configure the sensor signature 2151 (Large ICMP Traffic) to produce an alert and produce a verbose alert, the same way as in Lab 3.

3. PING your router to trigger the event. Locate the Start button on your host desktop. Click START, then RUN, and another window will open. Type in “cmd” to open a command prompt window. Type <PING x.x.x.x>, where x.x.x.x is the IP address of your sensor.
   C:\> ping -t -l 1400 <sensor_ip>
   This command will start a continuous 1400-byte PING to the router until stopped.
   NOTE: Use Ctrl-C to stop the PING.

IA-PE-E5 IPS Device Manager

1. Log into the sensor via the command line.

2. Erase the current configuration by typing in the command <erase current-configuration>.

3. Perform the steps to initialize the sensor as in step 2 of Lab 2.

4. From the sensor CLI, clear all events as in step 1 of Lab 4.

5. PING the IPS from the host PC to test connectivity. Locate the Start button on your host desktop. Click START, then RUN, and another window will open. Type in “cmd” to open a command prompt window. Type <PING x.x.x.x>, where x.x.x.x is the IP address of your IPS.

6. Log into the IDM via the web or through the ASDM. Through a web browser: open a web browser on the host PC and enter the sensor IP address as follows: https://<sensor_ip_address>

7. Disable all event signatures except signatures 1000, 2000, 2004, 2151. On the Configuration page, select sig0. When the signature page opens, right click on each signature and select Disable.

8. From your host PC command line, PING your sensor to trigger the event.

9. Display the event in the IDM.
   • From the Monitoring tab, select Events > View to display the events.


IA-PE-E6 Testing a Reference Signature

1. From the sensor CLI, clear all events. Clear all sensor events by typing in the command at the sensor prompt: <clear events>

2. Configure attack signature 3152 (FTP CWD ~root).
   • In the IDM, select Configuration.
   • Next, select Policies > Signature Definitions > sig0.
   • Change the Select By field to Other Services and its subfield to FTP.
   • Find the signature named FTP CWD ~root. Double click on FTP CWD ~root and the Edit Signature window opens.
   • Change the Summary Mode to Fire All to make sure that the signature is triggered on each attempt.
   • Click OK, then Apply.
   • Right click on signature 3152 and select Enable.

3. Establish an FTP connection to your IA laptop from your Network Management laptop with the command: ftp -A <ip_address>
   • From your Network Management PC, launch the command prompt window.
   • On your desktop, click the 3cDaemon icon.
   • Establish an anonymous FTP connection to the IA Management laptop with the command ftp -A <ip_address> (note: the -A is case sensitive).
   • Enter the command cd ~root
   • Close the FTP connection with the bye command.

4. Display the events in the IDM.
   • From the Monitoring tab, select Events > View to display the events.

IA-PE-E7 TCP Reset/Denying a Packet Inline

1. From the sensor CLI, clear all events. Clear all sensor events by typing in the command at the sensor prompt: <clear events>

2. Configure signature 3152 to Deny Packet Inline and Produce Alert.
   • From the IDM signature configuration table, highlight the signature FTP CWD ~root.
   • Click Actions.
   • Verify that Produce Alert is checked. Also check Deny Packet Inline.
   • Click OK on the Assign Actions window.
   • Click Apply in the main IDM window.
   • Repeat the attack and establish the same FTP connection to your IA Management laptop with the command ftp -A <ip_address> as you did in Lab 6.
   • Try to establish an FTP connection to your IA Management laptop with the command: ftp -A <ip_address>.
   • From your Network Management PC, launch the command prompt window.
   • On your desktop, click the 3cDaemon icon.
   • Establish an anonymous FTP connection to the IA Management laptop with the command ftp -A <ip_address> (note: the -A is case sensitive).
   • Enter the command cd ~root

3. Display the event in the IDM.
   • From the Monitoring tab, select Events > View to display the events.

NOTE: The FTP session is now hung. The sensor is now blocking the packet and the connection!
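To make concrete what the signatures configured in IA-PE-E3 through IA-PE-E7 do (ICMP Echo 2000 / Echo Reply 2004, Large ICMP Traffic 2151, FTP CWD ~root 3152, the fire-all summary mode keyed on AxBx, and the Deny Packet Inline action), here is an added Python model of a tiny inline sensor; it is not code from the lab manual or from Cisco IPS. The 1024-byte size threshold for signature 2151, the simplified summarize/fire-all logic and the sample packets are all constructed for this illustration.

```python
import re
import struct
from dataclasses import dataclass

# Signature IDs used in labs IA-PE-E3 through IA-PE-E7
SIG_ICMP_ECHO, SIG_ICMP_ECHO_REPLY, SIG_LARGE_ICMP, SIG_FTP_CWD_ROOT = 2000, 2004, 2151, 3152
# Assumed threshold for "Large ICMP Traffic" (IP total length, bytes); the lab's ping -l 1400 exceeds it
LARGE_ICMP_BYTES = 1024

@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    enabled: bool = True
    actions: frozenset = frozenset({"produce-alert"})
    summary_mode: str = "fire-all"   # "fire-all": alert on every match; "summarize": once per key
    summary_key: str = "AxBx"        # Ax = attacker address, Bx = victim address

def lab_signatures():
    """The signatures the labs enable, with 3152 also set to Deny Packet Inline (IA-PE-E7)."""
    return [
        Signature(SIG_ICMP_ECHO, "ICMP Echo Request"),
        Signature(SIG_ICMP_ECHO_REPLY, "ICMP Echo Reply"),
        Signature(SIG_LARGE_ICMP, "Large ICMP Traffic"),
        Signature(SIG_FTP_CWD_ROOT, "FTP CWD ~root",
                  actions=frozenset({"produce-alert", "deny-packet-inline"})),
    ]

def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, total_length, payload); checksums are not verified."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, total_len, pkt[ihl:total_len]

def match_signatures(pkt: bytes):
    """Classify one packet; returns (attacker, victim, [matching signature ids])."""
    proto, src, dst, total_len, payload = parse_ipv4(pkt)
    hits = []
    if proto == 1 and len(payload) >= 8:                     # ICMP: type is the first byte
        if payload[0] == 8:
            hits.append(SIG_ICMP_ECHO)
        elif payload[0] == 0:
            hits.append(SIG_ICMP_ECHO_REPLY)
        if total_len > LARGE_ICMP_BYTES:
            hits.append(SIG_LARGE_ICMP)
    elif proto == 6 and len(payload) >= 20:                  # TCP: inspect the FTP control channel
        dport = struct.unpack("!H", payload[2:4])[0]
        data = payload[(payload[12] >> 4) * 4:]
        # the lab's "cd ~root" is sent by the ftp client as the control command "CWD ~root"
        if dport == 21 and re.search(rb"(?im)^CWD[ \t]+~root\b", data):
            hits.append(SIG_FTP_CWD_ROOT)
    return src, dst, hits

class Sensor:
    """Minimal inline sensor: event actions plus per-signature alert summarization."""
    def __init__(self, signatures):
        self.sigs = {s.sig_id: s for s in signatures}
        self.alerts = []     # (sig_id, attacker, victim) in firing order
        self._seen = set()   # (sig_id, summary key) already alerted on, for summarize mode

    def inspect(self, pkt: bytes) -> bool:
        """Return True if the packet may pass, False if a matched signature denies it inline."""
        src, dst, hits = match_signatures(pkt)
        allow = True
        for sig_id in hits:
            sig = self.sigs.get(sig_id)
            if sig is None or not sig.enabled:
                continue
            key = (src, dst) if sig.summary_key == "AxBx" else (src,)
            fires = sig.summary_mode == "fire-all" or (sig_id, key) not in self._seen
            if fires and sig.actions & {"produce-alert", "produce-verbose-alert"}:
                self.alerts.append((sig_id, src, dst))
                self._seen.add((sig_id, key))
            if "deny-packet-inline" in sig.actions:
                allow = False
        return allow

# Constructed sample packets for the demonstration (no checksums; enough for the parser above)
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr + payload

def icmp_echo(icmp_type: int, data: bytes) -> bytes:
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + data   # type, code, cksum, id, seq

def tcp_to_ftp(data: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, 21, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data

if __name__ == "__main__":
    sensor = Sensor(lab_signatures())
    sensor.inspect(build_ipv4(1, "10.1.1.50", "10.1.1.1", icmp_echo(8, b"A" * 1400)))  # ping -l 1400
    sensor.inspect(build_ipv4(6, "10.1.1.50", "10.1.1.20", tcp_to_ftp(b"CWD ~root\r\n")))
    print(sensor.alerts)   # 2000 and 2151 for the large ping, 3152 for the FTP command
```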

IA-PE-E8 Adding IPS to SNMPc

1. From the IDM, configure the sensor to be monitored using SNMPc.
   • Click Configuration > SNMP > SNMP General Configuration. The SNMP General Configuration window will open.
   • Check the Enable SNMP Gets/Sets box to enable SNMP so that the SNMP management station can issue requests to the sensor’s SNMP agent.
   • Enter the Read Only and Read Write community strings.

2. Enable all traps.
   • Click Configuration > SNMP > SNMP Trap Configuration. The SNMP Trap Configuration window will open.
   • Check the Enable SNMP Traps box and select the error events to notify through SNMP traps.
   • Specify the location to send the SNMP traps.

3. Add the sensor to SNMPc.
   • Click on the VMware icon on the Network Management laptop.
   • Locate the Network Management VM: Start > My Computer > VMware D drive > Current VM > Network Management.
   • Click on the WANMgmt folder.
   • Click on the .vmx file to start the program.
   • Once SNMPc starts, login.
   • Click the Add Device button to open the Object Properties window.
   • General tab:
     • Label: this is the name of your sensor
     • Address: the IP address of your sensor
   • Access tab:
     • Set the read access mode to SNMP V2c
     • Set the read/write access mode to SNMP V2c
     • Enter the read community string
     • Enter the read/write community string
     • Leave the trap community string
   • Attributes tab:
     • Change the polling interval to 15 seconds

4. Verify that the sensor status is being monitored by SNMPc.

IA-PE-E9 Adding IPS to CS-MARS

1. Click Admin > System Setup > Security and Monitor Devices.
2. From the list of devices, select the Cisco switch or Cisco ASA to which you want to add the IPS module and click Edit.
3. Click Add Module.
4. Select Cisco IPS 5.x in the Device Type list.
5. Enter the hostname of the sensor in the Device Name field.
6. Enter the administrative IP address in the Reporting IP field.
7. The Reporting IP address is the same address as the administrative IP address.
8. In the Login field, enter the username associated with the administrative account that will be used to access the reporting device.
9. In the Password field, enter the password associated with the username specified in the Login field.
10. In the Port field, enter the TCP port on which the web server running on the sensor listens. The default HTTPS port is 443. Note: while it is possible to configure HTTP only, MARS requires HTTPS.
11. For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:
    • To manually define the networks, select the Define a Network radio button.
      a. Enter the network address in the Network IP field.
      b. Enter the corresponding network mask value in the Mask field.
      c. Click Add to move the specified network into the Monitored Networks field.
      d. Repeat as needed.
    • To select the networks that are attached to the device, click the Select a Network radio button.
      a. Select a network from the Select a Network list.
      b. Click Add to move the selected network into the Monitored Networks field.
      c. Repeat as needed.
12. Click Test Connectivity to verify the configuration (see NOTE below).
13. To save your changes, click Submit.
14. To enable MARS to start sessionizing events from this module, click Activate.


Cisco Security Manager

LABS


IA-PE-F1 Creating and Adding Devices

1. Log on to the CSM server.
   • In your web browser, open http://csm_ip_address.
   • Once this is opened, a login prompt will be displayed.
   • Enter the login credentials created during installation.
   • Make sure to check the HTTPS box.
   • Login to the Cisco Security Manager with a username of admin and a password of cisco123.
   • Click Login.

2. Create a group type called BCT# (where # is your station number).

3. Create two device groups called IPS and Firewall.
   • From the Tools menu options, select Tools > Security Manager Administration > Device Groups > Add Type. Then click the Close button.

4. Add a device called BCT#_sensor to the IPS device group.
   • Right click on a device group and select New Device > Add New Device.
   • Enter the device information, such as IP type, IP address, hostname.

5. Add a device called BCT#_ASA to the Firewall device group. Same as in step 3.

6. Add your IPS sensor and ASA from the network.
   • Click the Device View button on the toolbar. Select File > New Device or click the New Device button in the Device selector.
   • Enter the device information, such as IP type, IP address, hostname, and so on, and set discovery options.
   • Enter the device primary credentials, such as username and password. Default HTTP credentials are:
     Username: the HTTP username
     Password: the HTTP password
     HTTP Port: port 80
     HTTPS Port: port 443
   • Add the device to a group.

7. Review the device properties and test the sensor for connectivity.
   • To review the device properties, right click the device and select Device Properties.


IA-PE-F2 Configuring Policies

1. Create an IPS signature parent policy called “BCT#_sensor_policy”.
   • From the Policy view, select Intrusion Prevention System > Signatures > Signatures from the Policy Type selector. Right-click Signatures to create a policy.
   • The Create a Policy window appears. Enter a policy name.

2. Create a sub-policy called “BCT#_sensor_subpolicy”.
   • Right click on the parent policy and select New Policy to create a sub-policy.

3. Disable all signatures in the sub-policy except signatures 1000, 1004, 2000, 2004, and 2151.
   • Select a signature sub-policy. In the policy window, right click on a particular signature and select Disable.

4. Assign the policy to your sensor.
   • Under the Assignment tab, select the device group that contains the device to which the configured policy will be deployed.
   • Click Save.

5. Preview the configuration changes prior to deployment.
   • Select Tools > Deployment Manager. Then select the device(s) to be deployed to.
   • Click Edit Deploy Method to preview the configuration changes.
   • Click the Preview Config button on the Edit Deploy Method window.

6. Deploy the policy changes to your sensor.
   • Return to the Edit Deploy Method window and click OK to proceed with the deployment.

7. Return to the CLI or IDM and verify the changes to the sensor configuration.
   • Open the CLI window and type <show configuration> to review the changes.


eEye Retina Scanner

LABS


IA-PE-G1 Retina Setup

1. Create a database named Retina.
2. Create an ODBC DSN.
3. Associate Retina with the DSN.

IA-PE-G2 Create an Address, Port, and Audit Group

1. Create an address group named Lab 2.
2. Create an audit group and select all audits.
3. Create a port group called Lab 2 ports. Select ports 1-1024.
4. Create credentials for your local admin account.
   • Username: Administrator
   • Password: cisco

IA-PE-G3 Run a Discovery Scan

1. Run a Discover scan on your IP range.
2. Sort your discovered results by MAC address.
3. Schedule a scan on a weekly basis.
4. Add your client computer to the address group you created.

IA-PE-G4 Run an Audit

1. Run an audit.
   • Targets: created address group Lab 2. Type: DSN
   • Ports: use Lab 2 port group.
   • Audits: all audits.
   • Options: default
   • Credentials: stored

IA-PE-G5 Generate a Remediation Report

1. Generate a Remediation report.
   • Grouped by machine
   • Sorted by IP and risk
   • Include creation details
   • Review the report in Microsoft Word.

2. Edit the report by changing an entry in the creation details section.

IA-PE-G6 Create an Executive and a Summary Report

1. Create an Executive report.
   • Include all sections.
   • Include creation details.
   • Review the report in your web browser.

2. Create a Summary report. Save it to your desktop.
   • Type: text


Hercules Vulnerability Remediation Management

LABS


IA-PE-H1 Hercules Setup

1. Test connectivity to the Hercules and Reporting Server URL.
2. Test connectivity to the Channel and Download Server URL.
3. Open the Users and Security window and purge any additional accounts.

IA-PE-H2 Device Group Preferences

1. Create a new device group named Lab.
2. Set polling intervals to 10 and 5.
3. Set client installation location to the default location.
4. Change reboot wait to 60 seconds.

IA-PE-H3 Create User Accounts

1. Configure credentials for your client laptop.
2. Create 2 new users.
   User 1:
   • Assign the System Administrator role
   • Assign all groups
   User 2:
   • Assign the Hercules Reporter role
   • Assign your custom group
3. Close Hercules Administrator.
4. Log in using different users and view differences in user rights.

IA-PE-H4 Run and Import a Scan

1. Complete a scan using Retina.
2. Import the scan into Hercules.
3. Import into device group Lab.

IA-PE-H5 Install Client Software

1. Install Hercules client software on your target laptop.
2. Ensure that the device displays within the Hercules Administrator.

IA-PE-H6 Review Vulnerabilities

1. Review detected vulnerabilities.
2. Enable vulnerabilities.
3. Create a remediation named Lab.
4. Schedule the remediation.

IA-PE-H7 Create, Schedule, and Export a Policy

1. Schedule the policy DISA Security Checklist (Windows) for enforcement.
2. Create a policy.
3. Add vulnerabilities to the policy.
4. Export the policy.
5. Import the policy to your neighbor’s server.
