
fourtwofour

Author: Internet

SECURING ACME’S TRANSIT GATEWAY WITH NGFW
Background:
The developers of a web application are unable to access one of the web servers in a spoke VPC! The last engineer somehow deleted all the network diagrams of the production environment…

Your Task:
The goal of this task is to fix the routing issues and confirm that you can successfully ping both web servers from the jumpbox.

Getting Started:
Using the outputs from the CloudFormation template, SSH into JumpBox1 and validate connectivity to both WebSrv1 and WebSrv2 with ICMP. One of these instances is not reachable.

Log in to the EC2 console to get the private IP addresses of WebSrv1 and WebSrv2. (Note that any protocols other than ICMP are not going to work at the moment.)

On a side note, when you SSH into JumpBox1, you are actually using port forwarding (on external TCP port 221) through the FGT’s Elastic IP, so the traffic flows through the FortiGate instance and FortiOS policy for authorization and routing to JumpBox1. You should make sure you are off the corporate VPN or any environment that would block you from connecting to the demo environment over TCP port 221.

Optionally, you can use the outputs from the CloudFormation template to SSH directly into the FortiGate itself (on external TCP port 22) and use FortiOS commands like the ones below to run packet captures and check the running routing table while you generate ICMP traffic from JumpBox1.

Alternatively, if you prefer to use a GUI-based SSH client, once you are logged into the FortiGate you can click on the >_ icon in the upper right-hand corner of your screen and run the commands.

diag sniffer packet any 'icmp' 4 0 l

get router info routing-table all

Hint: You can leave the sniffer running while testing traffic to help solve the task.

For additional examples of how to use the built-in packet sniffer in FortiOS, reference the KB article here kb.fortinet.com.

Inventory:
You do know that the current environment is leveraging AWS VPC Transit Gateway to set up a security VPC and two spoke VPCs. These VPCs provide a hub-and-spoke design for centralized traffic inspection. The security VPC is the hub for all network traffic. All ingress, egress, and east-west traffic will flow through the FortiGate NGFW deployed in the security VPC. The spoke VPCs contain one web server each and have their default route set to direct all traffic to the TGW attachments.

Services in Use:
AWS VPC Transit Gateway route tables, and FortiGate FortiOS routing.

Task Validation:
Once this task is completed successfully, the answer for this task will be provided by a lambda function that writes the answer into the file ‘task1-answer.txt’ in the S3 bucket indicated in the CloudFormation outputs. Download this file to get the answer for this task.

Miscellaneous:
On a side note, if you see this message below when using the SSH private key, you will need to change the permissions with ‘chmod 400 ~/keypair.pem’.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@ WARNING: UNPROTECTED PRIVATE KEY FILE! @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

To fix the TGW routing issue, follow these steps:
Your AWS VPC Transit Gateway is missing a propagation setting; the following steps correct this misconfiguration.

Open the VPC console by navigating to the VPC service in the AWS Management Console.

Click on Transit Gateway Route Tables and select the TGWSecurityRouteTable.

Select the propagation tab and click create propagation.

On the create propagation screen, select the VPC attachment for spoke2 VPC and select create.

Select the routes tab and validate that you see the VPC CIDR for spoke2 now.

To fix the FortiGate routing issue, follow these steps:
Your FortiGate is missing a static route for reaching the second spoke VPC; the following steps correct this misconfiguration.

Using the FortiGateLoginURL, Username, and FgtInitialPassword outputs from the CloudFormation template, log in to the FGT GUI.

You will be prompted to change the initial password. Make sure to save your new password somewhere secure.

After logging back in with your new password, on the menu on the left, navigate to Network then Static Routes.

Click the Create New button and use 10.2.0.0/16 as the destination, port2 as the interface, and 10.0.2.1 as the gateway address, finally click OK to apply your changes. The gateway address used is the AWS intrinsic router which is the first host IP in an AWS subnet.

Finally on the menu on the left, navigate to Monitor then Routing Monitor. Validate that the route for 10.2.0.0/16 is now in the running route table.
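As an added illustration of the check behind the routing steps above (example code written for this page, not part of the original task and not FortiOS code), the following Python parses the text printed by 'get router info routing-table all', reports which spoke CIDRs have no route more specific than the default, and derives the AWS intrinsic router address used as the gateway. The sample routing-table text, the interface subnets and the route metrics are constructed assumptions; the page only gives the spoke2 CIDR 10.2.0.0/16, the interface port2 and the gateway 10.0.2.1.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of "get router info routing-table all", in the
# broken state from the task: spoke1 (10.1.0.0/16) has a static route via the
# port2 subnet's intrinsic router, spoke2 (10.2.0.0/16) does not. The port1 and
# port2 subnets (10.0.1.0/24, 10.0.2.0/24) are assumptions.
SAMPLE_BEFORE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       > - selected route, * - FIB route, p - stale info

S*      0.0.0.0/0 [10/0] via 10.0.1.1, port1
C       10.0.1.0/24 is directly connected, port1
C       10.0.2.0/24 is directly connected, port2
S       10.1.0.0/16 [10/0] via 10.0.2.1, port2
"""

# Same table after the static route from the task has been added.
SAMPLE_AFTER = SAMPLE_BEFORE + "S       10.2.0.0/16 [10/0] via 10.0.2.1, port2\n"

# One route line: a code letter (optionally starred), a prefix, then either
# "[distance/metric] via <gateway>, <device>" or "is directly connected, <device>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+),\s+(?P<dev>\S+)"
    r"|is directly connected,\s+(?P<cdev>\S+))"
)


@dataclass(frozen=True)
class Route:
    code: str
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for directly connected routes
    device: str


def parse_routing_table(text: str) -> List[Route]:
    """Extract Route entries; banner and legend lines do not match and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append(Route(m["code"].rstrip("*"),
                            ipaddress.ip_network(m["prefix"]),
                            m["via"],
                            m["dev"] or m["cdev"]))
    return routes


def best_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match for one destination address (None if nothing matches)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def missing_spoke_routes(routes: List[Route], spoke_cidrs: List[str]) -> List[str]:
    """Spoke CIDRs that would be sent out the default route because no more
    specific route covers them: exactly the symptom in the task."""
    missing = []
    for cidr in spoke_cidrs:
        net = ipaddress.ip_network(cidr)
        covered = [r for r in routes if r.prefix.prefixlen > 0 and net.subnet_of(r.prefix)]
        if not covered:
            missing.append(cidr)
    return missing


def intrinsic_router(subnet_cidr: str) -> str:
    """AWS reserves the first host address of every subnet for its implicit router,
    which is why the gateway for a route out of port2's subnet is 10.0.2.1."""
    return str(ipaddress.ip_network(subnet_cidr).network_address + 1)


def static_route_cli(dst_cidr: str, device: str, gateway: str) -> str:
    """FortiOS CLI equivalent of the GUI steps in the task (returned as text, not executed)."""
    return "\n".join([
        "config router static",
        "    edit 0",
        f"        set dst {dst_cidr}",
        f"        set gateway {gateway}",
        f"        set device {device}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    spokes = ["10.1.0.0/16", "10.2.0.0/16"]
    before = parse_routing_table(SAMPLE_BEFORE)
    print("missing before fix:", missing_spoke_routes(before, spokes))
    print("gateway for port2 subnet:", intrinsic_router("10.0.2.0/24"))
    print(static_route_cli("10.2.0.0/16", "port2", intrinsic_router("10.0.2.0/24")))
    after = parse_routing_table(SAMPLE_AFTER)
    print("missing after fix:", missing_spoke_routes(after, spokes))
```

Running the script shows spoke2 falling through to the default route on port1 before the fix and resolving via 10.0.2.1 on port2 afterwards, which is the same thing the Routing Monitor check in the last step confirms.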

Task Validation:
Once this task has been completed successfully, the answer for this task will be provided by a lambda function creating the file ‘task1-answer.txt’ in the S3 bucket (this is in the CF template outputs as well). Download this file to get the answer for this task. Step by step directions to get the file are below.

Open the S3 console by navigating to the S3 service in the AWS Management console.

Using the S3Bucket output from the CloudFormation template, find the bucket with the same name.

Select the file ‘task1-answer.txt’ and download this to your machine.

Open the file with a text editor to see the answer you should provide for this task.

Background:
Your first and very stressful day continues at Acme. An application is currently accessible through the FortiGate. You need to validate that FortiOS is properly configured to detect and block common attacks before reaching the application. It looks like your predecessor failed to complete the configuration of the FortiGate.

Your Task:
The goal of this task is to run some basic penetration tests and block the threat using FortiGate Intrusion Prevention System (IPS) instead of just detecting the attacks and passing the traffic. Modify the FortiGate config for the ‘inbound_https_dvwa’ FW policy to successfully block these attacks.

Getting Started:
Access the HTTPS site using the CloudFormation template output ‘WebSrv1LoginURL’ and log in with the credentials ‘admin’ and ‘password’. Navigate to the Command Injection page, provide an IP address and click the ‘submit’ button. The intended use of this input field is to provide an IP or FQDN address for the web server to ping. However, by passing a command like the one below, we can access the list of users and the hash of local user passwords.

Make sure to enter the entire line (including the IP, pipe symbol, and additional linux commands) into the web page text box to test the vulnerability.

8.8.8.8 | cat /etc/passwd

Run the command above to confirm the application is vulnerable to this basic attack. Also log into the FortiGate and view the detected IPS alerts under Log & Report, Intrusion Prevention.

Inventory:
A FortiGate is set up with an EIP to provide public access to a Damn Vulnerable Web Application (DVWA).

Services in Use:
FortiOS IPS sensors and firewall policy.

Task Validation:
Once you have completed this task, navigate back to the Intrusion Prevention logs to acquire a completion string. This string answer is the AttackID (i.e. signature ID) for that particular attack. Make sure you input the answer into the Jam Console without any leading or trailing spaces.

Miscellaneous:

To generate inbound traffic, follow these steps:
Access the HTTPS site using the CloudFormation template output for ‘WebSrv1LoginURL’ and log in with the credentials ‘admin’ and ‘password’.

Navigate to the Command Injection page and enter the entire line below (including the IP, pipe symbol, and additional Linux commands) into the web page text box to test the vulnerability.

For example you would paste in ‘8.8.8.8 | cat /etc/passwd’ minus the start and ending quote.

8.8.8.8 | cat /etc/passwd

If the commands run properly, the web page will return the content of the /etc/passwd file in red.
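The IPS sensor in the next steps blocks the attack at the FortiGate, but the root cause is in the application: the ping page hands user input to a shell. As an added example (written for this page, not code from DVWA or from the original task), the Python below shows the vulnerable construction next to a hardened version that validates the target as an IP address or hostname and runs ping without a shell. The function names and the hostname pattern are this example's own assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, no leading or trailing hyphen, 253 characters total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Characters a POSIX shell treats specially; useful for logging what was rejected.
SHELL_METACHARS = set("|&;$`<>(){}\\\"'\n")


def vulnerable_ping_command(user_input: str) -> str:
    """The DVWA-style construction: the raw field value is concatenated into a
    command string that the application then runs through a shell. With the
    page's test input, everything after the pipe becomes a second command."""
    return f"ping -c 1 {user_input}"   # vulnerable when executed with shell=True


def is_valid_ping_target(value: str) -> bool:
    """Accept exactly what the page says the field is for: an IP address or an FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(value) is not None


def shell_metachars_in(value: str) -> List[str]:
    """Shell metacharacters and whitespace present in a rejected value."""
    return sorted(c for c in set(value) if c in SHELL_METACHARS or c.isspace())


def build_ping_argv(user_input: str) -> List[str]:
    """Hardened version: validate first, then build an argv list so the target is
    always a single argument and never interpreted by a shell."""
    if not is_valid_ping_target(user_input):
        raise ValueError(
            f"rejected ping target {user_input!r}; "
            f"unexpected characters: {shell_metachars_in(user_input)}"
        )
    return ["ping", "-c", "1", user_input]


def safe_ping(user_input: str, timeout: int = 5) -> subprocess.CompletedProcess:
    """Run the validated command without shell=True."""
    return subprocess.run(build_ping_argv(user_input),
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    for value in ["8.8.8.8", "www.example.com", "8.8.8.8 | cat /etc/passwd"]:
        print(repr(value), "->", "accepted" if is_valid_ping_target(value) else "rejected")
```

The validation rejects the page's test string because of the space and the pipe; the argv list closes the remaining gap, since even a value that slipped past validation would reach ping as one argument rather than as shell syntax.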
To block the inbound attack, follow these steps:
Log in to the FGT GUI and on the menu on the left, navigate to Policy & Objects, then IPv4 Policy, expand the interface pair for port1 to port2, then edit the ‘inbound_https_dvwa’ FW policy.

In the security profiles section, change the IPS sensor selected to any of the ones listed below:

all_default
default
high_security
protect_http_server
Validate that your SSL Inspection profile is still set to ‘ssl-mitm-https’, as this allows visibility within SSL/TLS protected sessions.

Finally on the menu on the left, navigate to Log & Report then Intrusion Prevention. Validate the attack logs are showing an action of ‘dropped’ and not ‘detected’.

Task Validation:
Once you have completed this task, navigate back to the Intrusion Prevention logs to acquire a completion string. This string answer is the AttackID (i.e. signature ID) for that particular attack. Make sure you input the answer into the Jam Console without any leading or trailing spaces.

Background:
As you continue your day, you are now halfway through penetration testing the new web application. Your manager wants to ensure all egress traffic to the internet is being protected from malware by the FortiGate.

Your Task:
The goal of this task is to block the download of malware even when it is downloaded over encrypted web protocols such as SSL/TLS. You will modify the FortiGate configuration for the ‘outbound_all’ FW policy to successfully block malware downloads.

Getting Started:
Navigate back to the Command Injection page of your application. This time use the following command to get your vulnerable application to download a known virus test file (the EICAR sample).

Make sure to enter the entire line (including the IP, pipe symbol, and additional linux commands) into the web page text box to test the vulnerability.

4.4.2.2 | curl -k https://secure.eicar.org/eicarcom2.zip

If the file downloads over the HTTPS session, you will see some content of the file returned as part of the HTML of the web application. At this point the attacker can run another simple Command Injection attack to finish infecting the host and spreading this throughout your environment through lateral attacks.

Inventory:
A FortiGate is set up with an EIP to provide internet access to a Damn Vulnerable Web Application (DVWA).

Services in Use:
FortiOS AntiVirus profiles, SSL Inspection profiles, and firewall policy.

Task Validation:
Once you have completed this task, navigate to the AntiVirus logs; the answer is the VirusID (i.e. signature ID) for that particular malware. Make sure you input the answer into the Jam Console without any leading or trailing spaces.

Miscellaneous:

To generate inbound traffic, follow these steps:
Access the HTTPS site using the CloudFormation template output ‘WebSrv1LoginURL’ and log in with the credentials ‘admin’ and ‘password’.

Navigate to the Command Injection page and enter the entire line below (including the IP, pipe symbol, and additional Linux commands) into the web page text box to test the vulnerability.

For example you would paste in ‘4.4.2.2 | curl -k https://secure.eicar.org/eicarcom2.zip’ minus the start and ending quote.

4.4.2.2 | curl -k https://secure.eicar.org/eicarcom2.zip

If the commands run properly, the web page will return the content of the downloaded file in red.
To block the inbound attack, follow these steps:
Log in to the FGT GUI and on the menu on the left, navigate to Policy & Objects, then IPv4 Policy, expand the interface pair for port2 to port1, then edit the ‘outbound_all’ FW policy.

In the security profiles section, change the SSL Inspection profile selected to any of the ones listed below:

ssl-mitm-https
deep-inspection
custom-deep-inspection
Validate that your AntiVirus profile is still set to ‘default’.

Repeat the steps above in the ‘To generate inbound traffic’ section of this clue to generate traffic through the properly configured ‘outbound_all’ FW policy so you can generate AntiVirus logs.

Finally on the menu on the left, navigate to Log & Report then AntiVirus.

Task Validation:
Once you have completed this task, navigate to the AntiVirus logs; the answer is the VirusID (i.e. signature ID) for that particular malware. Make sure you input the answer into the Jam Console without any leading or trailing spaces.

Background:
The entire DevOps team is in your manager’s office yelling at him about missing SLAs for implementing change requests to allow communication through the new firewall! Can you save your manager’s life by using any FortiOS features to have a dynamic policy vs static policies with standard IP and FQDN based address objects?

Your Task:
The goal of this task is to fix the unresolved SDN address object ‘sdngrp_prod_jumpbox1’ which is used in the ‘east-west_mgmt’ FW policy. Other SDN address objects that are currently configured are resolving properly so the FortiOS SDN connector itself and permissions provided via the IAM instance role are functioning properly.

Getting Started:
You are using a FortiOS feature called SDN Connector to provide dynamic address objects based on matching metadata for running instances. This metadata can be information about the instance such as the instance ID, applied tags, security groups in use, or the VPC/subnet it is within.

Log in to the FortiGate and navigate to Policy & Objects then Addresses and look at the address objects with the prefix ‘sdngrp_’. If you hover your mouse over the address object name, it will show which instance IPs are found based on the filter specified in the object. Compare the address objects that are resolving to the ones that are not. Also log in to the EC2 console and compare the tags applied to the running instances with the address objects in the FortiGate.

Inventory:
A FortiGate is set up with an instance role which provides EC2 describe rights for finding running instances based on tag name and value pairs.

Services in Use:
FortiOS SDN Connector, firewall policy, AWS EC2, and tags.

Task Validation:
Once this task is completed successfully, the answer for this task will be provided by a lambda function that writes the answer into the file ‘task4-answer.txt’ in the S3 bucket indicated in the CloudFormation outputs. Download this file to get the answer for this task.

To fix the unresolved address object, follow these steps:
The JumpBox1 instance is missing the tag AppId=jumpbox1.example.com. Log into the EC2 console and find the JumpBox1 instance.

Select the instance and in the instance details pane, select the Tags tab.

Select manage tags, then on the next screen add a tag name and value like below and apply your changes:

Key = AppId
Value = jumpbox1.example.com
Log into the FortiGate and navigate to Policy & Objects then Addresses.

Find the SDN object ‘sdngrp_prod_jumpbox1’ and make sure this is left at the default config. In 60 seconds or less, the FGT will automatically find this instance and update the SDN address object with the private IP.
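To make the tag-matching behind the SDN address object concrete, here is an added example (written for this page; it is not FortiOS code and not part of the original task) that applies a Tag.AppId filter to a describe_instances-style response the way the connector does: only running instances count, and an instance without the tag never resolves. The instance IDs, private IPs and the WebSrv1/WebSrv2 tag values are constructed assumptions; the page states only that JumpBox1 is missing AppId=jumpbox1.example.com. The live_lookup function shows the same filter against the real EC2 API and is not run here.

```python
import copy
from typing import Dict, List

# Constructed data in the shape of ec2.describe_instances()["Reservations"].
# WebSrv2 is deliberately stopped and carries the jumpbox tag to show that
# a stopped instance must not resolve into the address object.
CONSTRUCTED_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0constructed0001", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.1.50",
         "Tags": [{"Key": "Name", "Value": "JumpBox1"}]},          # AppId tag missing
        {"InstanceId": "i-0constructed0002", "State": {"Name": "running"},
         "PrivateIpAddress": "10.1.1.20",
         "Tags": [{"Key": "Name", "Value": "WebSrv1"},
                  {"Key": "AppId", "Value": "websrv1.example.com"}]},
        {"InstanceId": "i-0constructed0003", "State": {"Name": "stopped"},
         "PrivateIpAddress": "10.2.1.20",
         "Tags": [{"Key": "Name", "Value": "WebSrv2"},
                  {"Key": "AppId", "Value": "jumpbox1.example.com"}]},
    ]}
]


def tags_of(instance: dict) -> Dict[str, str]:
    """Flatten the EC2 tag list into a key -> value dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def resolve_tag_filter(reservations: list, key: str, value: str) -> List[str]:
    """Private IPs an SDN address object with filter Tag.<key>=<value> would contain:
    running instances whose tag matches exactly."""
    ips = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue
            if tags_of(inst).get(key) == value:
                ips.append(inst["PrivateIpAddress"])
    return sorted(ips)


def instances_missing_tag(reservations: list, key: str) -> List[str]:
    """Names of instances that lack the tag key at all: the quickest way to spot
    why an sdngrp_ object resolves to nothing."""
    return sorted(tags_of(i).get("Name", i["InstanceId"])
                  for r in reservations for i in r["Instances"]
                  if key not in tags_of(i))


def add_tag(reservations: list, instance_name: str, key: str, value: str) -> list:
    """Return a copy with the tag applied to the named instance, mirroring the
    'manage tags' console step (the live equivalent is ec2.create_tags)."""
    updated = copy.deepcopy(reservations)
    for reservation in updated:
        for inst in reservation["Instances"]:
            if tags_of(inst).get("Name") == instance_name:
                inst.setdefault("Tags", []).append({"Key": key, "Value": value})
    return updated


def live_lookup(key: str, value: str, region: str = "us-east-1") -> List[str]:
    """Same filter against the real API, using the instance role's describe rights.
    Not executed in this example; region is an assumption."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_instances(Filters=[
        {"Name": f"tag:{key}", "Values": [value]},
        {"Name": "instance-state-name", "Values": ["running"]},
    ])
    return resolve_tag_filter(resp["Reservations"], key, value)


if __name__ == "__main__":
    key, value = "AppId", "jumpbox1.example.com"
    print("before:", resolve_tag_filter(CONSTRUCTED_RESERVATIONS, key, value))
    print("missing tag:", instances_missing_tag(CONSTRUCTED_RESERVATIONS, key))
    fixed = add_tag(CONSTRUCTED_RESERVATIONS, "JumpBox1", key, value)
    print("after:", resolve_tag_filter(fixed, key, value))
```

The before/after output mirrors what the hover text on ‘sdngrp_prod_jumpbox1’ shows once the connector has polled EC2 again: an empty object until the tag exists, then JumpBox1's private IP.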

Task Validation:
Once this task is completed successfully, the answer for this task will be provided by a lambda function that writes the answer into the file ‘task4-answer.txt’ in the S3 bucket indicated in the CloudFormation outputs. Download this file to get the answer for this task.

Open the S3 console by navigating to the S3 service in the AWS Management console.

Using the S3Bucket output from the CloudFormation template, find the bucket with the same name.

Select the file ‘task4-answer.txt’ and download this to your machine.

Open the file with a text editor to see the answer you should provide for this task.

Background:
You can almost see the light at the end of the tunnel, you have one last task to complete on your first day at Acme! The DevOps team are setting up additional web applications. The previous engineer tried to properly setup the public ALB and FortiGate to allow inbound web access but something is wrong with app2!

Your Task:
The goal of this task is to fix this issue left behind by the previous engineer so that both app1 & app2 present the default web page for the given application.

Getting Started:
Log in to the FortiGate and navigate to Policy & Objects then IPv4 Policy and look at the ‘inbound_http_app1’ and ‘inbound_http_app2’ policies and the FQDN based VIPs being used. Also log in to the EC2 console and navigate to the Load Balancers and Target Groups pages and compare the configurations seen for both applications.

Inventory:
You are using a public ALB with HTTP listener rules to route traffic based on HTTP path to different backend resources through the FortiGate. Currently there are two applications with dedicated paths. Reference the outputs from the CloudFormation template for the App1 and App2 URLs which can be used to generate traffic through the stack of load balancers and FortiGate.

This is a very high level overview of the traffic flow: Internet --tcp 80--> Public ALB w/ HTTP routing based on URL path --tcp 8001 or 8002--> FGT w/ FQDN VIPs --tcp 80--> Private NLBs --tcp 80--> WebSrvs

The FortiGate is configured with FQDN based VIPs to forward traffic to the different backend NLB DNS names. These VIPs are being used in the ‘inbound_http_app1’ and ‘inbound_http_app2’ firewall policies. If you log in to the FortiGate and hover over the VIP objects, you can see which IPs are resolved from DNS.

Optionally, you can use the outputs from the CloudFormation template to SSH directly into the FortiGate itself (on external TCP port 22) and use FortiOS commands like the ones below to run packet captures and check the running routing table while you generate HTTP traffic to both Apps.

Alternatively, if you prefer to use a GUI-based SSH client, once you are logged into the FortiGate you can click on the >_ icon in the upper right-hand corner of your screen and run the commands.

diag sniffer packet any '(tcp port 8001) or (net 10.1.0.0/16 and tcp port 80)' 4 0 l

diag sniffer packet any '(tcp port 8002) or (net 10.2.0.0/16 and tcp port 80)' 4 0 l

get router info routing-table all

For additional examples of how to use the built-in packet sniffer in FortiOS, reference the KB article here kb.fortinet.com.

Services in Use:
FortiOS FQDN based VIPs, firewall policy, AWS ALB listener rules, and target groups.

Task Validation:
Once this task is completed successfully, the answer for this task will be provided by a lambda function that writes the answer into the file ‘task5-answer.txt’ in the S3 bucket indicated in the CloudFormation outputs. Download this file to get the answer for this task.

Miscellaneous:

To fix the ALB forwarding issue, follow these steps:
Open the EC2 console and navigate to Load Balancers and select the external ALB.

In the details pane for the external ALB, select the Listeners tab and click the ‘view/edit rules’ link for the HTTP listener.

Click the plus icon to insert a rule similar to the existing one for app1 but for app2’s base URL path like below and save your changes:

If: Path is ‘/app2/*’
Then: Forward to the ExtALBGrpApp2 target group
Navigate back to the EC2 console then go to the Target Groups page and select the ExtALBGrpApp2 target group.

The Targets tab will show that the ALB is forwarding traffic to the FortiGate on port tcp 8002 for app2’s traffic but the health checks and actual traffic flow are still failing.

To fix the FGT policy issue, follow these steps:
Log in to the FGT GUI and on the menu on the left, navigate to Policy & Objects, then IPv4 Policy, expand the interface pair for port1 to port2, then edit the ‘inbound_http_app2’ FW policy.

In the NAT section, toggle the NAT feature and leave the IP Pool configuration to the default which is ‘Use Outgoing Interface Address’ and save your changes.

Make sure that your ‘inbound_http_app1’ and ‘inbound_http_app2’ policies are the same outside of the policy names and destination objects used.

Task Validation:
Once this task is completed successfully, the answer for this task will be provided by a lambda function that writes the answer into the file ‘task5-answer.txt’ in the S3 bucket indicated in the CloudFormation outputs. Download this file to get the answer for this task.

Open the S3 console by navigating to the S3 service in the AWS Management console.

Using the S3Bucket output from the CloudFormation template, find the bucket with the same name.

Select the file ‘task5-answer.txt’ and download this to your machine.

Open the file with a text editor to see the answer you should provide for this task.

CAN YOU FIX MY CHATBOT?

Jeff is IT director of one of the largest floral companies in the world. As chatbots are getting increasingly popular, he led his team to successfully deploy a simple chatbot for customers purchasing flowers.

However, the chatbot project was done in a rush. As more customers use the bot, some errors are being reported. Jeff is looking at improving the chatbot and has identified a few areas of improvement. He is asking you, “Can you fix my chatbot?”

Task 1: The more, the merrier
Fix the Top Complaint

Jeff informs you that the top complaint from customers is that “the chatbot doesn’t understand me.”

Does it sound familiar to you? Have you had such experiences before?

Jeff told you that many customers start chatting with the chatbot by saying or typing “hi” or “can i get it tmr?” Common abbreviations are often used by customers and the chatbot will need to appropriately respond.

How can you help Jeff correct this?

Getting Started

Go to the Output Properties.

Look for WebAppUrl.

Click to open the WebAppUrl. Alternatively, look for the output tab on the left side of the challenge.

Test the chatbot. If you follow the instruction and ask “buy flowers”, it will ask you, “what type of flowers would you like to order?”. You can see an expected response below.

Refresh the page and simulate what Jeff has told you by typing “hi”.

You can refresh the page and type “can i get it tmr?” to validate the bot error.

Go to the Amazon Lex console and open the chatbot WebUiOrderFlowers. Start troubleshooting and help Jeff fix this problem.

Inventory

Amazon lex chatbot
Services you should use

Amazon Lex
User experience design
Task Validation

Once you fix the Chatbot, remember to SAVE and BUILD. Validate if you completed the task with the following steps,

Refresh the chatbot testing window or clear chat history before starting a new conversation.
Enter “hi” or “can I get it tmr?” again, and see if the chatbot still replies “I didn’t understand you, …” If the chatbot starts asking you what flowers to order, it means the problem has been fixed! If not, take a look at the Clues section.
Copy the chatbot’s response to your “hi”, and paste it into the Answers section.
Tips in using Amazon Lex

There is a “Test Chatbot” window on the right side of the console, you can test it in the AWS console as well.

Task 2: Handle the ERRORS
Another Complaint

Jeff is also struggling with high user drop-off rates with the chatbot. If a user says something that the chatbot cannot handle, the chatbot responds “I didn’t understand you…”

Do you have any ideas?

Getting Started

Simulate the situation by typing “good day to you” and see the chatbot response.
Troubleshoot and try other phrases. How would you more gracefully handle these errors?
Once you fix it, remember to SAVE and BUILD, type “good day to you” and see the chatbot’s behavior. And key in the Amazon Lex feature you have used in this task into the Answers section.
Inventory

Amazon Lex Chatbot
Services you should use

Amazon Lex
User experience design
Task Validation

You should get the exact name of this feature in the Amazon Lex console. It is the exact name of the overall feature and is case sensitive.

Task 3: No Repeat
You are almost done

Jeff is very happy with your work so far. He gives you one last task.

Some users say “I have already told the chatbot to buy roses, but the chatbot still asks me what flower to buy. I have to repeat that again.”

Jeff has extracted the customer conversation history, and it shows that when some customers asked “can i get roses tmr 3pm?” the chatbot asked the customer again “What type of flowers would you like to order?”.

Being customer obsessed, Jeff hopes the chatbot can be smart enough to capture all the customers’ requirements at once, so that the customers don’t need to repeat themselves.

Getting Started

Simulate the situation.
Start troubleshooting and fix this problem.
Inventory

Amazon Lex chatbot
Services you should use

Amazon Lex
User experience design
Task Validation

Once you fix it, remember to SAVE and BUILD. Validate if you have completed the task with the following steps,

Refresh the chatbot testing window or clear chat history before starting a new conversation.
Enter “Can I get roses on Monday 3pm?” in the chatbot conversation window
If the chatbot replies “Okay, your roses will be ready for pickup by 15:00 on 2020-10-26. Does this sound okay?”, you have fixed the problem. If not, take a look at the clue section.
Reply to the chatbot with “ok”, and copy the chatbot’s response for the answer section.

EDA TO SAVE THE DAY!
Working for Protosight, the CISO frantically calls you stating that employees are receiving mysterious emails from someone calling themselves the WOPR with strange demands. Collaborating with federal law enforcement she has learned this is not a hoax and other companies have already been targeted by the WOPR! Victimized companies have been able to capture limited amount of traffic data before their systems were shut down spewing complicated tic-tac-toe games across monitors. Can you help provide predictions of malicious traffic from the Protosight’s data so the company can stop the threat of the worrisome WOPR?
Task 1: Only the best tricks for Mister Potato Head

Background

Victim traffic data can be found in the AWS Open Registry (https://registry.opendata.aws/cse-cic-ids2018/). To save time, the Protosight SOC has suggested using the following data which most closely matches that of Protosight.

s3://cse-cic-ids2018/Processed Traffic Data for ML Algorithms/Wednesday-28-02-2018_TrafficForML_CICFlowMeter.csv
Your Task

Based on the CISO’s directive, load the historical network data into a pandas dataframe so that Protosight analysts can start using the data.

To ensure the data is properly loaded provide the “Flow Duration” for record 100.

Getting Started

Open the Amazon Sagemaker console by navigating to the Sagemaker service in the AWS Management Console
Under Notebook choose Notebook instances.
Open the instance that starts with EDA, click the “Open Jupyter” button.
Create a new blank notebook.
Test that cells are properly created and executed in the notebook (e.g. 1+1, or "a"=="a").
Troubleshooting

Some errors you might run into:

Be sure to install s3fs and restart sagemaker if needed.
pip install s3fs
Be careful to verify that data is loaded correctly. Remove any incorrect data.
Inventory

None

Services you should use

Sagemaker
S3
Python 3 (You can use R or Python 2, however, clues are all Python 3)
Task Validation

You will need to find and submit the required data.

Your first cell should load the s3 data into a dataframe. With boto3, pandas, and s3fs you can do this in one line.

Cell 1:

import boto3
import pandas as pd
import s3fs
df = pd.read_csv('s3://cse-cic-ids2018/Processed Traffic Data for ML Algorithms/Wednesday-28-02-2018_TrafficForML_CICFlowMeter.csv', low_memory=False)

Exploring the data, you might see that some items are misread. In particular the formatting of this data might duplicate header information.

An easy way to see this is by looking at the “Label” column.

df["Label"].value_counts()

You should only see two values “Benign” and “Infiltration”. If you do see “Label” it means the headers were incorrectly loaded into the dataframe. This can be fixed with the following code.

df = df[df.Label != "Label"]

Open the Amazon Sagemaker console by navigating to the Sagemaker service in the AWS Management Console
Under Notebook choose Notebook instances.
Open the instance that starts with EDA, click the “Open Jupyter” button.
You should see an empty page with Jupyter in the top right, on the right side click the “New” button and conda_python3.
Create and run the following cells in your notebook.
Cell 1:

import boto3
import pandas as pd
import s3fs
df = pd.read_csv('s3://cse-cic-ids2018/Processed Traffic Data for ML Algorithms/Wednesday-28-02-2018_TrafficForML_CICFlowMeter.csv', low_memory=False)
Cell 2:

df = df[df.Label != "Label"]
df[100:101]
You should be able to see that row 100 has a “Flow Duration” of 247
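The repeated-header problem above is worth seeing end to end, because the stray header row does more than add one bad record: it turns every numeric column into strings. As an added example (written for this page, not part of the original notebook cells), the following builds a small constructed CSV in the shape of the CICFlowMeter file with the header line repeated mid-file, loads it with the same read_csv call, detects and drops the repeated header rows, restores numeric dtypes and then does the positional row lookup the task asks for. The column subset, the row values and the position of the repeated header are constructed; nothing here comes from the real dataset. It assumes pandas is installed, as it is in the conda_python3 kernel.

```python
import io
import pandas as pd


def build_constructed_csv(rows: int = 120, repeat_header_at: int = 50) -> str:
    """Constructed CSV with a few CICFlowMeter-style columns and the header line
    repeated once in the middle, as happens when capture files are concatenated."""
    header = "Dst Port,Protocol,Flow Duration,Label"
    lines = [header]
    for i in range(rows):
        if i == repeat_header_at:
            lines.append(header)          # the stray header row
        label = "Infiltration" if i % 10 == 0 else "Benign"
        lines.append(f"80,6,{1000 + i},{label}")
    return "\n".join(lines) + "\n"


def load_flows(csv_text: str) -> pd.DataFrame:
    """Same call as the notebook cell, reading from a string instead of S3."""
    return pd.read_csv(io.StringIO(csv_text), low_memory=False)


def repeated_header_rows(df: pd.DataFrame) -> int:
    """Count data rows that are really header lines (Label column equals 'Label')."""
    return int((df["Label"] == "Label").sum())


def clean_flows(df: pd.DataFrame) -> pd.DataFrame:
    """Drop the stray header rows, then convert the remaining columns back to
    numbers: a single header string makes the whole column dtype 'object'."""
    cleaned = df[df.Label != "Label"].copy()
    for col in cleaned.columns:
        if col != "Label":
            cleaned[col] = pd.to_numeric(cleaned[col])
    return cleaned.reset_index(drop=True)


def label_counts(df: pd.DataFrame) -> dict:
    """Equivalent of df["Label"].value_counts() as a plain dict."""
    return df["Label"].value_counts().to_dict()


def flow_duration_at(df: pd.DataFrame, position: int) -> int:
    """Positional lookup like df[100:101] in the notebook, returned as an int."""
    return int(df.iloc[position]["Flow Duration"])


if __name__ == "__main__":
    raw = load_flows(build_constructed_csv())
    print("repeated header rows:", repeated_header_rows(raw))
    print("Flow Duration dtype before cleaning:", raw["Flow Duration"].dtype)
    clean = clean_flows(raw)
    print("labels:", label_counts(clean))
    print("Flow Duration dtype after cleaning:", clean["Flow Duration"].dtype)
    print("row 100 Flow Duration:", flow_duration_at(clean, 100))
```

On the real file the same sequence is what the two notebook cells do; the extra dtype conversion matters as soon as you compute anything on the columns, since comparisons and aggregates on string-typed durations silently give wrong results.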

Source: https://blog.csdn.net/Tzwf01/article/details/120754722