The exercises are demonstrations where you can implement the IT security strategies discussed in the lecture. The idea is to document everything you do in the form of a laboratory protocol. Make sure you record everything, beginning with setup and configuration, motivation, and the particular reasons for selecting a specific security configuration. If things go wrong during your work on the exercise or you encounter challenges, please document this as well! Sometimes you will run into problems. When this happens, make sure you write down what happened. It is a result, too.

The following units are suggestions for exercises to be done individually or in groups of up to two (or three) students. In case you work as a group, please make sure that you really do.

1. Install and configure a web server with a database server. Make sure that you only install the services you need and that no extra services are accessible via the network. The suggested operating system is Debian 12 "Bookworm" or Ubuntu Server (Raspbian is also a good choice if you use a Raspberry Pi computer). Of course you can use a Microsoft® Windows Server or an OS X system as well. Suggestions for the web application are the following (the list is incomplete, there are a lot of web applications out there):

• Drupal
• Forum software (for example phpBB, …)
• Joomla!
• NextCloud
• Odoo
• OwnCloud
• Typo3 with multiple domains (at least two)
• WordPress
• Zarafa
• Zimbra

The applications all run with the MySQL, Postgres, or MariaDB database server (which can be installed from the packages of the operating systems). Security hardening can be done at various levels (this is why this exercise can be done in a group of up to three):

• Operating system (software selection, privileges and accounts, permissions in the filesystem, network ports, …)
• Database server (privileges and accounts, permissions in the filesystem, access control, …)
• Web server
• Web application

2. Install and configure a Wi-Fi network infrastructure, then apply all IT security guidelines to harden the network access and the access point(s). Make sure you select the best possible option for the Wi-Fi clients (explore all encryption and authentication modes, especially WPA3/OWE). Try to set a weak password and guess it with tools such as aircrack-ng. Given suitable hardware/software (in terms of access point), try to implement Wireless Enterprise Authentication by using a RADIUS or Diameter server.

3. Install and configure a network filter (i.e. a firewall system). Harden it and select a suitable network configuration for a typical small office environment (tasks require access to the World Wide Web, email services, DNS resolution, and time synchronisation). Suggest a minimal set of rules that implements basic security and allows all necessary network transmissions. Use proxy services as appropriate. You can use the pfSense or OPNsense firewall system in order to simplify the setup.

4. Install and configure a network filter with an intrusion detection/prevention system (IDS/IPS). Use the pfSense or OPNsense firewall system with the Suricata package. Add custom rules to detect/block network traffic containing

• an SSL/TLS certificate for the domains example.net, example.org, and example.com;
• the string "Big Bang Theory" for the protocols HTTP and Telnet;
• ICMP Timestamp requests and responses.

5. Collect and document (wired and wireless) network traffic as seen in local networks (use a network you have access to and where you have permission to record packets). This explicitly excludes an active attack; the network traffic should be passively visible to a network client.

• What information can be gained from the network traffic in terms of network structure, services, clients, and the like?
• Derive a set of filters in order to minimise the information published. The filters are meant to work on a local network segment (i.e. in infrastructure on layers 2, 3, 4, and 7).

If you do not have access to a network segment, data will be provided.

6. Install and configure a VPN tunnel, either between two fixed points or in a client-server configuration for clients that need access to a local network segment. Use more than one VPN protocol in order to compare the setups. You can use the pfSense firewall system in order to simplify the setup. Try to harden the VPN configuration by using "best practice" configuration regarding the cryptography (will be / has been discussed in the lecture).

Tools for testing the configuration:
• Kali Linux – contains a lot of security tools.
• BlackArch Linux – contains even more security tools!
• grml – contains everything you would need for system administration.
• SystemRescueCd – same as grml, only newer
You can test network traffic and applications with any client software, too. For the web you can use proxies for inspecting content (such as Burp Suite, contained in the Kali Linux system, or the OWASP Zed Attack Proxy Project) or web browser plugins (web developer toolbar, etc.).
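For exercise 4, the three requested detections written as a Suricata local rules file; this is an added example, not part of the original exercise sheet or of the pfSense/OPNsense packages. The file path in the comment and the sid values (local range 9000001 onwards) are assumptions; the rules use the alert action so they can be validated in IDS mode before switching to drop.

```suricata
# Added example: local.rules for exercise 4. Assumed path on pfSense/OPNsense:
# /usr/local/etc/suricata/rules/local.rules (adjust to your installation).
# sid values are arbitrary numbers from the local range. All rules use "alert" so they
# can be verified in IDS mode first; change the action to "drop" once Suricata runs
# inline (IPS mode) to block the traffic instead of only logging it.
# Syntax check without starting the engine:  suricata -T -c suricata.yaml -S local.rules

# 1. Server certificates issued for the three example domains. The tls.cert_subject
#    sticky buffer inspects the Subject field of the certificate presented in the
#    handshake, so the match is on the certificate itself, not only on the SNI.
alert tls any any -> any any (msg:"LOCAL TLS certificate for example.net"; tls.cert_subject; content:"example.net"; nocase; sid:9000001; rev:1;)
alert tls any any -> any any (msg:"LOCAL TLS certificate for example.org"; tls.cert_subject; content:"example.org"; nocase; sid:9000002; rev:1;)
alert tls any any -> any any (msg:"LOCAL TLS certificate for example.com"; tls.cert_subject; content:"example.com"; nocase; sid:9000003; rev:1;)

# 2a. The string in HTTP. Without a buffer keyword, content is matched against the
#     reassembled payload of the HTTP session, so requests and responses are covered.
alert http any any -> any any (msg:"LOCAL Big Bang Theory over HTTP"; content:"Big Bang Theory"; nocase; sid:9000004; rev:1;)

# 2b. The string in Telnet. No Telnet app-layer parser is assumed, so the rule matches
#     TCP port 23 in both directions on established connections.
alert tcp any any <> any 23 (msg:"LOCAL Big Bang Theory over Telnet"; flow:established; content:"Big Bang Theory"; nocase; sid:9000005; rev:1;)

# 3. ICMP Timestamp request (type 13) and Timestamp reply (type 14).
alert icmp any any -> any any (msg:"LOCAL ICMP Timestamp request"; itype:13; sid:9000006; rev:1;)
alert icmp any any -> any any (msg:"LOCAL ICMP Timestamp reply"; itype:14; sid:9000007; rev:1;)
```

Record in the laboratory protocol which of the rules fired during your tests and with which sample traffic, since the difference between "alert" in IDS mode and "drop" in IPS mode is part of what exercise 4 asks you to compare.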