Report Cyber

The lab demonstrates the use of VMware to create a mini enterprise network with LAN and DMZ zones, deploying three VMs and implementing a stateful firewall with iptables. It highlights the importance of HTTPS over HTTP for securing credentials and showcases the effectiveness of network segmentation and strict firewall rules in enhancing security. Key takeaways include the significance of isolation, access control, and encryption in protecting sensitive data and reducing attack surfaces.

Uploaded by

jebbari.marouane

Secure Information System Simulation Lab

by:
Fadili Nasrallah
I. Introduction

This lab uses VMware to build a mini enterprise network split into LAN and DMZ zones.
You’ll deploy three VMs, enforce a default-deny iptables policy, host a PHP login site over
both HTTP and HTTPS, and capture traffic with Wireshark. By simulating HTTP-based
credential theft and then switching to HTTPS, you’ll see firsthand how zone isolation, firewall
filtering, and TLS encryption combine to defend against common network attacks.

II. Objectives
• Deploy three VMs and assign them to LAN or DMZ.
• Implement a stateful firewall with iptables to enforce a least-privilege policy.
• Configure Apache + PHP to serve a login page on ports 80 and 443, and generate a
self-signed SSL certificate with OpenSSL.
• Use Wireshark to capture and inspect HTTP vs. HTTPS traffic.
• Compare exposed plaintext data (HTTP) with encrypted TLS payloads (HTTPS).
• Illustrate how strict firewall rules and HTTPS together harden system security.

III. Network Architecture and Virtual Setup

• Machines and Network configuration:

The virtual environment consists of 3 machines, all connected to the same internal virtual
network:

Role            OS           IP Address        Zone   Function
Web Server      Debian       192.168.211.131   LAN    Hosts login site over HTTP and HTTPS
Client          Windows XP   192.168.211.129   LAN    Sends login requests via browser
Administrator   Kali Linux   192.168.211.128   DMZ    Captures traffic, simulates Administrator
• Implementation:

➢ Debian Web Server in the DMZ:

1 Set static IP: sudo nano /etc/network/interfaces, where we assign 192.168.211.131/24
3 Install web stack: sudo apt update && sudo apt install apache2 php libapache2-mod-php openssl
4 Enable SSL: sudo a2enmod ssl && sudo a2ensite default-ssl
5 Self-signed cert: sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/self.key -out /etc/ssl/self.crt -subj "/CN=192.168.211.131"
6 Point Apache: nano /etc/apache2/sites-available/default-ssl.conf and add the SSLCertificateFile and SSLCertificateKeyFile paths
7 Login page: we create /var/www/html/index.php and /login.php with a POST form
8 Restart Apache: sudo systemctl restart apache2
9 Quick test: from Debian we run ping localhost

Now we set up the firewall. We will:

• Only allow HTTPS (443) from LAN to DMZ.
• Allow SSH (22) from LAN to DMZ for maintenance.
• Block HTTP (80) after the sniffing test (we will not block it until we have tested HTTP).
• Drop all other incoming or forwarded packets by default.

By running these commands:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.211.0/24 -d 192.168.211.131 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s 192.168.211.0/24 -d 192.168.211.131 -p tcp --dport 443 -j ACCEPT

We will not block HTTP now until we test it:

iptables -A FORWARD -s 192.168.211.0/24 -d 192.168.211.131 -p tcp --dport 80 -j ACCEPT
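To reason about what this default-deny FORWARD chain actually admits, here is a small model of it as an added example (not code from the report). It assumes the later "block HTTP" step is done by deleting the port-80 ACCEPT rule so the DROP policy applies, and it treats the state rule as a set of already-accepted 4-tuples.

```python
import ipaddress

# Added example: a model of the lab's iptables FORWARD chain, not the report's
# own code. It never touches a real kernel; it only evaluates verdicts.
WEB = "192.168.211.131"
LAN = ipaddress.ip_network("192.168.211.0/24")

# Rules in the order they were appended: (src_net, dst_host, dport, target).
RULES = [
    (LAN, WEB, 22, "ACCEPT"),    # SSH for maintenance
    (LAN, WEB, 443, "ACCEPT"),   # HTTPS login
    (LAN, WEB, 80, "ACCEPT"),    # HTTP, kept only until the sniffing test
]

def forward(pkt, rules, conntrack, policy="DROP"):
    """Return the chain verdict for a forwarded TCP packet.

    pkt is (src, dst, sport, dport). conntrack is a set of 4-tuples for
    connections already accepted; that is what the
    -m state --state ESTABLISHED,RELATED rule matches on."""
    src, dst, sport, dport = pkt
    # Either direction of a tracked connection is accepted by the state rule.
    if (dst, src, dport, sport) in conntrack or pkt in conntrack:
        return "ACCEPT"
    for src_net, dst_host, port, target in rules:
        if ipaddress.ip_address(src) in src_net and dst == dst_host and dport == port:
            if target == "ACCEPT":
                conntrack.add(pkt)   # the NEW flow is now tracked
            return target
    return policy   # -P FORWARD DROP

def after_sniffing_test(rules):
    """Ruleset once the port-80 rule is deleted (assumed: iptables -D ... --dport 80)."""
    return [r for r in rules if r[2] != 80]
```

Note that the server-initiated case is dropped only because no rule matches it; reply packets of a client-initiated HTTPS session still pass via the state rule.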

➢ Windows XP Client on the LAN:


• We test the connectivity to the Server by pinging or visiting 192.168.211.13

➢ Kali Linux Administrator:

• We install wireshark by running sudo apt update && sudo apt install -y wireshark
• We open wireshark by running wireshark &
• We start capturing on eth0.
• We Install Snort

• Testing:

Test 1 – HTTP Login (Port 80 open):


• We start a capture with the filter http
• On the client (Windows XP), we access the login.php page and attempt to log in.

Interpretation: this proves HTTP is insecure, as an attacker on the network path can read the credentials in plain text.

Test 2 – HTTPS Login (Port 443):


• New Wireshark capture with the filter tcp.port==443
• The client submits the same form, but over https://
• We only see TLS handshake records (Client Hello, Server Hello...), which means the client
and the server started an encrypted session
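The contrast between the two tests comes down to what an on-path observer can recover from the bytes. As an added example (not from the report), the following parses two constructed captures: a cleartext POST to /login.php like the one in Test 1, and a minimal TLS handshake record like those seen in Test 2. The credentials and the truncated ClientHello are made up for the example.

```python
from urllib.parse import parse_qs

# Added example, not from the report: constructed captures standing in for
# what Wireshark shows in Test 1 (HTTP) and Test 2 (HTTPS).
HTTP_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: 192.168.211.131\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=alice&password=s3cret"      # constructed test credentials
)

# TLS record: content type 0x16 (Handshake), version 3.1, length 4, followed
# by a ClientHello header (type 0x01) whose body is truncated for brevity.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"

TLS_CONTENT = {0x14: "ChangeCipherSpec", 0x15: "Alert",
               0x16: "Handshake", 0x17: "ApplicationData"}
HANDSHAKE = {0x01: "Client Hello", 0x02: "Server Hello", 0x0b: "Certificate"}

def http_form_fields(capture):
    """Parse a cleartext HTTP POST and return (request line, form fields)."""
    head, _, body = capture.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode()
    fields = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return request_line, fields

def tls_record_summary(capture):
    """Describe the TLS record header; the payload itself stays opaque."""
    ctype, major, minor = capture[0], capture[1], capture[2]
    length = int.from_bytes(capture[3:5], "big")
    name = TLS_CONTENT.get(ctype, "unknown")
    if ctype == 0x16 and len(capture) > 5:
        name += " / " + HANDSHAKE.get(capture[5], "other")
    return {"record": name, "version": f"{major}.{minor}", "payload_bytes": length}

def wire_visibility(capture):
    """What an observer on the network path learns from the captured bytes."""
    if capture[0] in TLS_CONTENT and capture[1] == 3:
        return {"encrypted": True, "fields": {}, **tls_record_summary(capture)}
    request_line, fields = http_form_fields(capture)
    return {"encrypted": False, "request": request_line, "fields": fields}
```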

IV. Conclusion
This lab successfully demonstrated how a layered virtualization environment, combined
with well-crafted iptables rules and HTTPS encryption, can significantly enhance the
security posture of a small enterprise network. By segmenting the network into LAN and
DMZ zones and enforcing a default-deny firewall policy, we limited potential attack paths
to only SSH and HTTPS services. The HTTP login test clearly showed that credentials
and session data are exposed in plaintext, whereas the HTTPS test confirmed that all
application-level data is protected within a TLS tunnel.

Overall, the exercise highlighted three key takeaways:

1. Isolation: Virtual network segmentation prevents an attacker on the LAN from freely
accessing all services on the DMZ.
2. Access Control: Stateful firewall rules enforce strict service-level permissions,
reducing the attack surface.
3. Encryption: Transport-layer security is essential to protect sensitive data in transit;
without it, even a well-configured firewall cannot prevent credential theft.

In real-world deployments, these principles scale to larger networks by adding additional
zones (e.g., database, management), implementing centralized firewall management,
and using certificates signed by a trusted CA. This lab lays the groundwork for
understanding how isolation, filtering, and encryption work together to form a robust
defense-in-depth strategy.
