LAB - Explore Endpoint Security

The document discusses exploring endpoint security technologies on Windows and Linux systems. It describes enabling Windows Defender antivirus on a Windows VM, introducing malware, and demonstrating how Windows Defender detects and removes the malware. It also discusses exploring Windows Firewall and Linux firewalls like IPTables and TCP wrappers.

Uploaded by

Ganesh Gupta

10/24/23, 7:35 AM Explore Endpoint Security | Understanding Endpoint Security Technologies

Explore Endpoint Security


In this lab exercise, you will explore the behavior of two endpoint security applications that are part of the
base Windows operating system distribution: Windows Defender and Windows Firewall. At the start of the
lab, both Windows Defender and Windows Firewall are disabled on the Inside-Win VM. You will introduce
malware to the desktop of Inside-Win and then enable Windows Defender. You will see that it detects and
quarantines the malware and allows you to then remove the malware. You will demonstrate that Windows
Defender prevents a reintroduction of the malware once it is enabled. And you will generate and view
Windows Defender logs. With Windows Firewall, you will demonstrate that the Inside-Win VM can be
pinged from other systems while the Windows Firewall is disabled. You will then enable Windows Firewall
and demonstrate that its default policy does not allow inbound ICMP echoes. And you will update a rule in
Windows Firewall and demonstrate that it can behave differently for public and private networks.

You will also explore two personal firewall systems that are common in Linux distributions. They are
IPtables and TCP wrappers. With IPtables, you can define policies that control the flow of IP packets in and
out of a Linux host. With TCP wrappers, you can define policies that control accessibility of individual
services on a Linux host. You will perform some simple configurations and verify the configurations using
both firewall options.

Refer to the Job Aid for important information about files that are provided on the DVD drive. The DVD
drive includes a text file of the commands that are long or include special characters. Copy and paste the
commands if you are having issues with the support of your keyboard (especially on the Linux-based VMs),
or to avoid typos when entering long or complex commands. For the Windows devices, the DVD drive also
includes files that enable you to access the Windows on-screen keyboard or add an international keyboard.

Note

After your lab initializes, it may take a few more minutes for ELSA and Sguil to initialize before you
can launch them from the Security Onion Desktop.

You are using a US English keyboard layout. This cannot be changed once the lab has initialized.

https://ondemandelearning.cisco.com/apollo-alpha/mc_salyst110_23/pages/10 1/20

Explore Windows Defender


Antivirus software was one of the earliest host-based security technologies. In the early days, antivirus
software was mainly signature-based. The software looked for bit patterns in files and in the Windows
registry. When web servers started to insert persistent tracking cookies into web browsers, antispyware
developed as a new type of host-based security application. As the technology continued to evolve, antivirus
and antispyware were commonly merged into a single application. Also, the technology continued to evolve.
Some host-based software could pay attention to the behavior of executables, recognizing malware by
malicious actions instead of bit patterns in files. Centralized management and centralized event collection
were introduced into some systems. Cloud-based services evolved too. The vast storage capacity of the
cloud allows for robust protection with a thin client. Hashes of new files can be passed to the cloud for
validation. These newer features: behavior analysis, centralized configuration and event management, and
cloud-based services are often included in what has been called host-based intrusion prevention systems.
The low efficacy of signature-based techniques has given antivirus a bad name. As the software vendors
evolve their products, they often change their product classification from antivirus to anti-malware.

In this task, you will explore Windows Defender, which is an anti-malware product that is distributed as part
of the Windows operating system. The Inside-Win VM currently has Windows Defender disabled. Without
host-based protection, the VM is quite vulnerable to malware. You will start by copying a malicious file to the
Inside-Win hard drive. You will then enable Windows Defender, and then you will explore the results.

Step 1

Access the desktop of Inside-Win. Launch the file explorer and navigate to the D:\SECFND directory.

Step 2

The file reverseSh-235.exe contains malware which will spawn a connection to 209.165.200.235 if
executed. Drag and drop this file from the DVD drive to the Inside-Win desktop.

Step 3

In the next few steps, you will enable Windows Defender. The process is somewhat involved. It takes
the configuration of Group Policy to enable or disable Windows Defender. Start by launching the
Local Group Policy Editor. From the Windows Start menu, type group policy in the Search field and
select Edit Group Policy. There are two template errors, which are known issues. Click OK to
acknowledge each of the errors.

Step 4

In the Local Group Policy Editor, navigate to Local Computer Policy > Computer
Configuration > Administrative Templates > Windows Components > Windows Defender.

Step 5

In the right pane, find the Turn off Windows Defender setting, and double-click to edit the setting.

Step 6

Currently the setting is enabled, turning off Windows Defender. Select Disabled and click OK. Close
the Local Group Policy Editor window.

Step 7

Windows Defender is now enabled, but it isn't running yet. From the Windows Start Menu,
enter defender in the Search field and select Windows Defender.

Step 8

Windows Defender shows that the real-time protection is off and the virus and spyware definitions are
out of date. Click Start Now. Wait for the status to change to On and Up to date.


Step 9

Windows Defender will find the malicious file on the desktop fairly quickly. You can speed up the
process. Select the reverseSh-235.exe file on the desktop, right-click, and select Scan with
Windows Defender. The icon will disappear from the desktop.

Step 10

Select the History tab in Windows Defender. With Quarantined Items selected, click View details.

Step 11

There should be one detected item: Trojan:Win32/Swrort.A. Select it and view the details in the
lower pane. Note that it is classified as a Trojan, the recommendation is to remove it immediately, and
the specific file was C:\Users\admin\Desktop\reverseSH-235.exe. With the detected item selected,
click Remove. The file is permanently deleted.

Step 12

The file still exists on the DVD-ROM. Since it is a ROM image, it is not writable, so the file cannot
be deleted from the DVD-ROM. Attempt to drag-and-drop reverseSh-235.exe from the DVD-ROM to
the desktop one more time. Note that the action is interrupted. You can click Try Again a few times,
but the result will be the same. Click Cancel to cancel the copy attempt.

Step 13

Try to execute reverseSh-235.exe directly from the DVD-ROM. Note that, again, the action is blocked.
Click OK to confirm the warning.


Step 14

Anti-malware logs can be useful in an incident investigation. In the next few steps, you will examine
logs that can be retrieved from Windows Defender. Start by opening a command prompt as
administrator. From the Windows Start menu, right-click Command Prompt and select Run as
administrator. Click Yes to acknowledge the warning.

Step 15

Generate the Windows Defender logs. Enter the cd "C:\Program Files\Windows Defender" command,
then enter the MpCmdRun -getfiles command.
Answer

C:\Windows\system32>cd "c:\Program Files\Windows Defender"

c:\Program Files\Windows Defender>MpCmdRun -getfiles
Collecting events from Operational Event Log...
Collecting events from WHC Event Log...
Getting CBS log...
Collecting configuration information...
<output omitted>
Creating CAB file...
Files successfully created in C:\ProgramData\Microsoft\Windows Defender\Support
c:\Program Files\Windows Defender>

Step 16

In the File Explorer window, navigate to C:\ProgramData\Microsoft\Windows Defender\Support.


Acknowledge the permission requirement to complete this action.

Step 17

A few files are in this Support directory, including a file with a name that starts with MPDetection,
which is followed by a date and time stamp and the .log extension. Right-click this file and select Edit
with Notepad++. Note the entries in the bottom of the log file that are associated with
the reverseSH-235.exe file. Close the window.


Step 18

The MPLog file has much more detail than MPDetection. Optionally you can open the log and
examine the information that is included there. When you are done, close the open windows on the
Inside-Win desktop.

Explore Windows Firewall


Personal firewalls are network filtering applications that run directly on the host operating system. If the
personal firewalls are centrally managed, they may be considered to be distributed firewalls. Instead of a
network-based firewall implementing policy between subnets, the distributed firewall implements policy on
each individual host.

Similar to Windows Defender, the Windows Firewall is included in the base Windows OS. Also like Windows
Defender, the Windows Firewall was disabled on the Inside-Win VM. In this section of the lab exercise, you
will explore the functionality of the Windows Firewall.

Step 19

Access the desktop of Inside-Kali. Open a terminal window and ping Inside-Win (10.10.6.10). The
ping should succeed. Use <Ctrl-C> to stop the ping.
Answer

root@Inside-Kali:~# ping 10.10.6.10
PING 10.10.6.10 (10.10.6.10) 56(84) bytes of data.
64 bytes from 10.10.6.10: icmp_seq=1 ttl=128 time=0.930 ms
64 bytes from 10.10.6.10: icmp_seq=2 ttl=128 time=0.303 ms
64 bytes from 10.10.6.10: icmp_seq=3 ttl=128 time=0.372 ms
<Ctrl-C>
--- 10.10.6.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.303/0.535/0.930/0.280 ms

Step 20

Return to the Inside-Win desktop. From the Windows Start menu, type firewall in the search field
and select Windows Firewall. Be careful not to select Windows Firewall with Advanced Security.


Step 21

You should now be at the Windows Firewall in the Control Panel. Windows Firewall is currently off.
Click Use recommended settings. The Windows Firewall should now be on. It is configured for both
Private and Public networks, but the current active network is Private.
Answer

Step 22

Return to the Inside-Kali desktop. Attempt the ping again. It should fail this time. After a few seconds,
use <Ctrl-C> to stop the ping application.
Answer

root@Inside-Kali:~# ping 10.10.6.10
PING 10.10.6.10 (10.10.6.10) 56(84) bytes of data.
<Ctrl-C>
--- 10.10.6.10 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4032ms

Note the following:

The Windows Firewall is blocking the ICMP echo requests as they arrive at Inside-Win. They are
not processed by the TCP/IP stack. Hence, no ICMP echo replies are generated.

Step 23

You will configure firewall settings for the FileZilla Server on Inside-Win in the next two steps. Return
to the Inside-Win desktop. Select the Allow an app or feature through Windows Firewall link on
the left side of the Windows Firewall window.

Step 24

Find FileZilla Server in the list. Note that it is currently enabled for both Private and Public networks.
Uncheck Public for FileZilla Server. Click OK.
Answer

Step 25

Verify that the current network connection is configured as a private network. Right-click the network
status icon on the right side of the Windows task bar and select Open Network and Sharing
Center. Verify that the active network is a Private Network. Leave this window open. You will refer to
it again soon.
Answer

Step 26

Verify that FileZilla Server access is allowed through the firewall from the current private network
connection. Return to the desktop of Inside-Kali. FTP to Inside-Win (10.10.6.10). The connection
should succeed. Log in as anonymous.
Answer

root@Inside-Kali:~# ftp 10.10.6.10
Connected to 10.10.6.10.
220-FileZilla Server 0.9.56 beta
220-written by Tim Kosse ([email protected])
220 Please visit https://filezilla-project.org/
Name (10.10.6.10:root): anonymous
331 Password required for anonymous
Password: AnyPassIsAccepted
230 Logged on
Remote system type is UNIX.
ftp>

Step 27

Issue the dir command and verify that a directory is received. Use the get command to retrieve
the OneKB.bin file. This should succeed. Use the quit command to terminate the connection.
Answer

ftp> dir
200 Port command successful
150 Opening data channel for directory listing of "/"
drwxr-xr-x 1 ftp ftp 0 Apr 05 2016 etc
drwxr-xr-x 1 ftp ftp 0 Apr 05 2016 files
-rw-r--r-- 1 ftp ftp 104857600 May 22 2013 OneHundredMB.bin
-rw-r--r-- 1 ftp ftp 1024 May 22 2013 OneKB.bin
-rw-r--r-- 1 ftp ftp 1048576 May 22 2013 OneMB.bin
drwxr-xr-x 1 ftp ftp 0 Apr 05 2016 private
-rw-r--r-- 1 ftp ftp 10485760 May 22 2013 TenMB.bin
226 Successfully transferred "/"

ftp> get OneKB.bin
local: OneKB.bin remote: OneKB.bin
200 Port command successful
150 Opening data channel for file download from server of "/OneKB.bin"
226 Successfully transferred "/OneKB.bin"
1024 bytes received in 0.02 secs (41.3240 kB/s)

ftp> quit
221 Goodbye

Step 28

Change the configuration of the Inside-Win network connection to public. Return to the Inside-Win
desktop. Left-click the network status icon on the right side of the Windows task bar, and an
information panel will pop up. Select Network Settings from the panel.


Step 29

In the NETWORK & INTERNET window, verify that the Ethernet connection is selected, and then
click Ethernet No Internet in the right-hand pane.
Answer

Step 30

The ETHERNET window opens. Under the Make this PC discoverable heading, slide the switch
from On to Off.
Answer


Step 31

Close the Settings window and return to the Network and Sharing window. Verify that the network
connection is now considered to be a public network.
Answer

Step 32

Close the Network and Sharing window and return to the Windows Firewall on the Control Panel.
Verify that the firewall status shows that it is not connected to a private network, but now is connected
to a guest or public network.
Answer


Step 33

You configured the Windows Firewall to only allow connectivity to the FileZilla Server when on private
networks. Demonstrate that the Inside-Kali VM can no longer access FTP on Inside-Win. Access the
desktop of Inside-Kali. Attempt to issue the ftp 10.10.6.10 command a second time. The
connection will not be allowed. The attempt will eventually time out, but you can use <Ctrl-C> to
terminate it sooner.
Answer

root@Inside-Kali:~# ftp 10.10.6.10
<Ctrl-C>
root@Inside-Kali:~#

Explore IPtables and TCPwrappers


There are several options for personal firewalls on Linux systems, but two are widely deployed, and can be
used together or independently. The first is the Linux firewall, or net filter, which is often called IPtables
because it is configured with the iptables command. The second is TCPwrappers, which are configured
with the /etc/hosts.allow and /etc/hosts.deny files. The IPtables option is used to control access to IP
protocols and TCP and UDP ports. The TCPwrappers option is used to control access to particular services
running on the Linux host. The TCPwrappers option does not work with all services. It only works with
services that are launched by an inetd superserver daemon (such as xinetd) or services that are "TCP
wrapped" because they were compiled with the libwrap.so library. The Apache HTTP daemon is an
example of a service that is not TCP wrapped. Apache has a built-in module to provide similar firewall
services for itself.

In this task, you will explore some simple configurations of both IPtables and TCPwrappers on the
Inside-Srv. You will use IPtables to control access to TCP ports 80 and 443, which are the two ports that
the Apache HTTP daemon listens on. You will use TCP wrappers to control access to the SSH daemon. In
both cases, you will test accessibility to the Inside-Srv from Inside-Kali and Inside-Win.

Step 34

Access the Inside-Win desktop. Launch the Firefox browser. Verify that you can browse
http://inside-srv.abc.private.

Step 35

Access the desktop of Inside-Kali. Launch the Iceweasel browser. Verify that you can
browse http://inside-srv.abc.private.

Step 36

Access the Inside-Srv desktop. Launch a Terminal window. Use the iptables command to append a
rule that will drop inbound packets that are destined to TCP port 80.
Answer

root@inside-srv:~# iptables -A INPUT -p tcp --dport 80 -j DROP

Note the following:

The -A argument instructs iptables to append a rule to the end of the rule list.
There are three chains that are supported by IPtables. INPUT is for inbound packets. OUTPUT is
for outbound packets that are generated by the local host. FORWARD is for packets that are
routed through the host. The FORWARD chain is only appropriate when IP forwarding is configured
on the host.
The -p argument specifies the protocol and the --dport argument specifies the destination port.
The -j argument specifies what to do with matching packets. Options include DROP, REJECT,
and ACCEPT. DROP will silently drop a packet, while REJECT will drop the packet and send an
ICMP unreachable message back to the sender.

Step 37

Test the current behavior. Attempt to refresh the browser on both Inside-Win and Inside-Kali. In both
cases, the refresh should spin. It will eventually time out. You don't have to wait for the timeout.


Step 38

Return to the Inside-Srv desktop. Rules are interpreted in order. Insert a new rule in position 1
that permits packets to TCP port 80 as long as they are sourced from 10.10.6.11.
Answer

root@inside-srv:~# iptables -I INPUT 1 -p tcp --dport 80 -s 10.10.6.11 -j ACCEPT

Step 39

Use the -L argument to display the current IPtables rule list.
Answer

root@inside-srv:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.10.6.11 anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:http

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Note the following:

Two rules should be defined for the INPUT chain and no rules for FORWARD or OUTPUT.
The first rule should permit HTTP access for 10.10.6.11 and the second rule should deny HTTP
access for all other systems.
If you made a mistake, you can delete rules from a chain with the -D argument and specifying the
rule number. For example, iptables -D INPUT 1.

Step 40

With the ACCEPT rule for 10.10.6.11 (Inside-Kali) preceding the DROP rule for all hosts, Inside-Kali
should be able to browse http://inside-srv.abc.private, but Inside-Win should not. A refresh from
Inside-Kali should complete quickly. A refresh from Inside-Win should spin for a while and eventually
time out.


Step 41

The rules only affect port 80 for HTTP access. Apache is also listening on TCP port 443 for HTTPS
(SSL/TLS) access. Attempt to browse https://inside-srv.abc.private from both Inside-Win and
Inside-Kali. The attempt should succeed from both systems.

Step 42

Return to the Inside-Srv desktop. Add rules in the opposite orientation for HTTPS. That is, append a
rule to the end of the list that denies access to TCP port 443 from all sources, and add a rule that
permits access to TCP port 443 from Inside-Win (10.10.6.10).
Answer

root@inside-srv:~# iptables -A INPUT -p tcp --dport 443 -j DROP
root@inside-srv:~# iptables -I INPUT 1 -p tcp --dport 443 -s 10.10.6.10 -j ACCEPT

Step 43

Verify the current rule list using the -L argument. You can also specify the INPUT chain to avoid
having the OUTPUT and FORWARD chains included in the output.
Answer

root@inside-srv:~# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.10.6.10 anywhere tcp dpt:https
ACCEPT tcp -- 10.10.6.11 anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:https

Note the following:

The two specific ACCEPT rules for 10.10.6.10 and 10.10.6.11 must be before the two general
DROP rules.
If you made a mistake, you can delete rules from a chain with the -D argument and specifying the
rule number. For example, iptables -D INPUT 1.


Step 44

Retest access to https://inside-srv.abc.private from both Inside-Win and Inside-Kali. In this case,
the refresh should succeed from Inside-Win but fail from Inside-Kali.

Step 45

Now it is time to demonstrate TCPwrappers. The TCPwrappers option is configured with
the /etc/hosts.allow and /etc/hosts.deny files. Return to the Inside-Srv desktop. Double-click
the Inside-Srv icon on the desktop to launch the Computer Browser. Select File System and
navigate to /etc.

Step 46

The syntax for rules in these files follows this format:

<daemon list>: <client list> [: <option>: <option>: ...]

Step 47

Double-click the hosts.deny file to open it in Leafpad. The default hosts.deny file only contains
comments (lines starting with #). Add a rule on a new line, after the comments, that specifies all
clients for the SSH daemon.

sshd : ALL

Step 48

Save and close the hosts.deny file.


Step 49

Double-click the hosts.allow file to open it in Leafpad. Add a rule on a new line after the comments
that specifies only 10.10.6.10 for the SSH daemon.

sshd : 10.10.6.10

Step 50

Save and close the hosts.allow file.
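The two files you just edited are evaluated in a fixed order by the libwrap library: hosts.allow is searched first and a match grants access, hosts.deny is searched next and a match denies access, and a client that matches neither file is allowed in. The following model of that evaluation is an added example and is not part of the lab guide; it embeds the exact rules from Steps 47 and 49 as constructed file contents and predicts the outcome of the SSH tests that follow. It also accepts the trailing-dot network prefix and net/mask client forms that TCP wrappers understands, which the lab itself does not use.

```python
"""Model of TCP wrappers access control (hosts.allow / hosts.deny).

Added example, not lab code. libwrap's order: hosts.allow first (match grants),
then hosts.deny (match denies), otherwise access is granted. Option fields
after the client list are parsed but ignored here.
"""
import ipaddress

# Constructed file contents mirroring the rules added in Steps 47 and 49.
HOSTS_DENY = """\
# /etc/hosts.deny: list of hosts that are *not* allowed to access the system.
sshd : ALL
"""

HOSTS_ALLOW = """\
# /etc/hosts.allow: list of hosts that are allowed to access the system.
sshd : 10.10.6.10
"""


def parse_rules(text):
    """Return a list of (daemons, clients) tuples from hosts.allow/deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        daemons = fields[0].split()               # <daemon list>
        clients = fields[1].split()               # <client list>; fields[2:] are options
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # leading-components form, e.g. 10.10.6.
        return addr.startswith(pattern)
    if "/" in pattern:                            # net/mask form, e.g. 10.10.6.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr                        # exact address


def file_matches(rules, daemon, addr):
    """True if any rule in the file names this daemon (or ALL) and this client."""
    return any(
        ("ALL" in daemons or daemon in daemons)
        and any(client_matches(p, addr) for p in clients)
        for daemons, clients in rules
    )


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply libwrap's evaluation order: allow file, then deny file, default allow."""
    if file_matches(parse_rules(allow_text), daemon, addr):
        return True
    if file_matches(parse_rules(deny_text), daemon, addr):
        return False
    return True


if __name__ == "__main__":
    for host, addr in (("Inside-Win", "10.10.6.10"), ("Inside-Kali", "10.10.6.11")):
        verdict = "allowed" if access_allowed("sshd", addr) else "denied"
        print(f"sshd from {host} ({addr}): {verdict}")
    # A daemon with no rule in either file is reachable from anywhere.
    print("vsftpd from 10.10.6.11:", access_allowed("vsftpd", "10.10.6.11"))
```

Because the final fall-through is "allow", a daemon that appears in neither file is open to every client; the usual way to turn TCP wrappers into a deny-unless-permitted control is a catch-all ALL : ALL line in hosts.deny, with the permitted daemon and client pairs listed in hosts.allow. This model also reflects the scope limitation the lab text notes: it only says anything about services that consult libwrap, not about Apache or other daemons that are not TCP wrapped.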

Step 51

Test SSH access from Inside-Kali. Attempt the ssh 10.10.4.20 command from a terminal window.
The attempt should fail.
Answer

root@Inside-Kali:/etc# ssh 10.10.4.20
ssh_exchange_identification: read: Connection reset by peer

Step 52

Test SSH access from Inside-Win. Launch PuTTY from the Windows Start menu. Enter 10.10.4.20 in
the Host Name (or IP address) field. Leave the port at 22 and the connection type at SSH.
Click Open. The connection should be successful. Authenticate as root using the
password Cisco123!.
Answer

login as: root
root@10.10.4.20's password: Cisco123!
Linux inside-srv 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_6

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct 11 21:52:44 2016 from 10.10.6.10
root@inside-srv:~#

Step 53

Use the exit command to terminate the SSH session and close the PuTTY window.

Note that the policy that you configured with both IPtables and TCP wrappers is of a permit unless explicitly
denied variety. Usually it is very difficult to quantify all the traffic that should be denied, while it is easier to
quantify the services that are intended to be provided by a server. Therefore, when implementing firewall
policy, a deny unless explicitly permitted policy is usually preferred. The examples show some of the
capability and behavior of the two personal firewalls. Both IPtables and TCP wrappers have many more
features and functionality than was demonstrated here.
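The rule-order dependence you saw in Steps 38 through 44 (a specific ACCEPT must precede the general DROP) and the closing note's preference for a deny-unless-explicitly-permitted policy both come from one property of netfilter: a chain is walked top to bottom, the first matching rule decides, and the chain policy applies only when nothing matched. The model below is an added example, not lab code or part of iptables itself; it replays the four commands from Steps 36 to 42 against a simplified packet (protocol, destination port, source address only) and then expresses the same intent with the INPUT policy set to DROP.

```python
"""First-match model of an iptables INPUT chain (added example, not lab code).

netfilter walks a chain top to bottom; the first rule that matches decides the
packet's fate, and the chain policy applies only when no rule matched. The
rule set replayed below is the one the lab builds in Steps 36 to 42; a
"packet" is a plain dict holding only the fields those rules look at.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or REJECT (the -j argument)
    proto: Optional[str] = None   # -p: "tcp", "udp", "icmp"; None matches any
    dport: Optional[int] = None   # --dport; None matches any port
    src: Optional[str] = None     # -s; None means "anywhere"

    def matches(self, pkt):
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.src is None or pkt["src"] == self.src))


class Chain:
    def __init__(self, name="INPUT", policy="ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def append(self, rule):            # iptables -A <chain> ...
        self.rules.append(rule)

    def insert(self, position, rule):  # iptables -I <chain> <n> ... (1-based)
        self.rules.insert(position - 1, rule)

    def delete(self, position):        # iptables -D <chain> <n>
        del self.rules[position - 1]

    def verdict(self, pkt):
        """First matching rule wins; fall through to the chain policy."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

    def listing(self):
        """Rough equivalent of `iptables -L <chain>` output."""
        lines = [f"Chain {self.name} (policy {self.policy})"]
        for r in self.rules:
            port = f"dpt:{r.dport}" if r.dport else ""
            lines.append(f"{r.target:<8}{r.proto or 'all':<5}{r.src or 'anywhere':<12}{port}")
        return "\n".join(lines)


def lab_chain():
    """Replay the lab's four commands in the order they were issued."""
    c = Chain()
    c.append(Rule("DROP", "tcp", 80))                          # Step 36
    c.insert(1, Rule("ACCEPT", "tcp", 80, src="10.10.6.11"))   # Step 38
    c.append(Rule("DROP", "tcp", 443))                         # Step 42
    c.insert(1, Rule("ACCEPT", "tcp", 443, src="10.10.6.10"))  # Step 42
    return c


def misordered_chain():
    """Same two HTTP rules, but the ACCEPT appended after the DROP."""
    c = Chain()
    c.append(Rule("DROP", "tcp", 80))
    c.append(Rule("ACCEPT", "tcp", 80, src="10.10.6.11"))      # never reached
    return c


def default_deny_chain():
    """The closing note's preferred shape: policy DROP, explicit ACCEPTs only."""
    c = Chain(policy="DROP")
    c.append(Rule("ACCEPT", "tcp", 80, src="10.10.6.11"))
    c.append(Rule("ACCEPT", "tcp", 443, src="10.10.6.10"))
    return c


def tcp(src, dport):
    """Constructed packet: TCP from `src` to local port `dport`."""
    return {"proto": "tcp", "dport": dport, "src": src}


if __name__ == "__main__":
    lab = lab_chain()
    print(lab.listing())
    for src in ("10.10.6.10", "10.10.6.11"):
        print(src, "http:", lab.verdict(tcp(src, 80)), "https:", lab.verdict(tcp(src, 443)),
              "ssh:", lab.verdict(tcp(src, 22)))
    print("misordered, Kali http:", misordered_chain().verdict(tcp("10.10.6.11", 80)))
    print("default-deny, Kali ssh:", default_deny_chain().verdict(tcp("10.10.6.11", 22)))
```

Two things the model makes visible that the lab output does not: in lab_chain, SSH from either host reaches the policy and is accepted because no rule mentions port 22, whereas default_deny_chain drops it without any rule having to name it; and in misordered_chain the ACCEPT for Inside-Kali is dead because the DROP above it matches first. One caveat for anyone turning the policy-DROP shape into a real configuration: an INPUT chain with policy DROP also needs rules accepting loopback and established or related connections, or the server's own outbound sessions (DNS, updates) lose their replies.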
