Silver

Reflection:

1. Discuss the configuration required on a firewall for a web server providing

1a. HTTP and HTTPS

Http request: It is a hypertext transfer protocol, which is sent in plaintext, without any encryption.

Https request: it is actually http+ssl (secure socket layer), SSL performs encryption and security processing of data

1b. FTP over TLS/SSL

Explicit FTP over TLS, explicit FTP over TLS.

Implicit FTP over TLS, implicit TLS based on TLS.

SFTP, SSH file transfer protocol, port is 22.

1c. SMTP for sending emails from the websites

In this document, we will show you how to use the SMTP service to send emails in VS2005.

By default, the SMTP server recently used port 587 because it is equipped with TLS encryption for secure communication, primarily for mail submission and relaying. Port 25 does not provide secure encryption, but it is still primarily used for mail relay to other web servers. No other services will run on this port. Since the SMTP service of this web server is only used to send e-mail, the outgoing port 25 should be opened.

1d. Remote Administration

Install the Remote Access role

Configure the deployment type as DirectAccess and VPN, DirectAccess only, or VPN only.

Configure the Remote Access server with the security groups that contain DirectAccess clients

Configure the Remote Access server settings.

2.Discuss the configuration required on a firewall for a database server providing

1a. MariaDB

Install MariaDB: 1. Switch to root privileges 2. Use yum installation 3. Installation is complete, start MariaDB 4. Set up to start MariaDB
Configuring MariaDB: Configuring the MariaDB character set
Configure user permissions: 1. Create user 2. Query user permission list

1b. MSSQL

1. Use a secure password policy
2. Use a secure account strategy
3. Strengthen the record of database logs
4. Manage extended stored procedures
5. Use protocol encryption
6. Don’t let people detect your TCP/IP port casually
7. Modify the port used by TCP/IP
8. Reject detection from port 1434
9. IP restrictions on network connections

1c. Remote Administration

1. HBase X-Pack is a low-cost one-stop data processing platform based on HBase and HBase ecosystem.
2. HBase X-Pack support: HBase API (including RestServerThriftServer), relational Phoenix SQL, time series OpenTSDB, full-text Solr, space-time GeoMesa, HGraph, and Spark on HBase, is the first distributed database supporting Alibaba Cloud, and The agreement is 100% compatible with open source protocols.
3. HBase X-Pack realizes the whole process closed loop of data processing, storage and analysis, allowing customers to realize one-stop data processing at the lowest cost.

Critical Thinking Analysis:

From this lab we can learn about the different configuration requirements on different servers.

We can discuss from the school’s point of view that the school firewall network can be implemented on campus to prevent information leakage. There are many complex firewall devices in many commercial areas to protect trade secrets.

Reflection:

NAT Firewall: The state-based SNAT function of the NAT gateway can provide security protection for internal servers. The correct use of NAT gateways can build a more secure cloud-based network.

OpenSSH: OpenSSH is a free, open source implementation of the SSH (Secure SHell) protocol. The SSH protocol family can be used for remote control or transferring files between computers

1.Discuss the use and function of the NAT Firewall

Use:The firewall is used to prevent hackers. It is the boundary between the internal network and the external network. It is used to protect internal servers and networks. It is an information security system.

Function:In the VPC network, there is an enterprise-level product called NAT gateway. There are two important functions in this NAT gateway: SNAT and DNAT. SNAT is actually a state-based security protection that can be used as a simple firewall.Function:

2.Discuss at least two uses of OpenSSH on either Windows or Linux

Use：

① Under linux：On your own Linux machine, follow the quick installation method above to install the openssh program. Of course, you can select the directory you want to install. There is no need to modify the ssh_config configuration file. All you have to do is copy the private key identity file generated by the server to $(HOME)/.ssh/. Set the permissions for this file to allow only access

② Under windows： SecureCRT is a remote login tool that supports the SSH protocol. It can be started by running the executable program SecureCRT.EXE.

Installation：Openssh server installation and configuration Linux

① Server-side installation: There are three main installation methods: 1. When installing the operating system, select the “Security Server” to be installed. 2. rpm package installation 3. Source code installation
② Configure the openssh server: After installing ssh, the next step is to verify (or modify, if necessary) the parameters in the ssh configuration file.
③ Public/private key generation: The client wants to connect to the host using SSH protocol. In addition to having a user, it also needs a pair of keys for this user, one is the public key and the other is the private key.
④ Start sshd: After setting the corresponding configuration parameters, start sshd as root.

Critical Thinking Analysis:

This lab teaches us how to install NAT firewall and OpenSSH

We can find that OpenSSH is installed and used differently in different operating environments. For example, it is different in Windows and Linux.

In addition, we understand the role and function of the firewall. The firewall can be well used to prevent viruses or hackers from invading. This can provide us with a good internet environment.

Reflection:

AD: Active Directory is a directory service for Windows Standard Server, Windows Enterprise Server, and Windows Datacenter ServerAD: Active Directory

CA: A Digital Certificate Authority (CA) is a trusted third-party entity that issues digital certificate authorities and manages public keys and certificates that encrypt end-user data. CA’s responsibility is to ensure that a company or user receives a valid identity certificate as the only certificate.

User certificate: A user certificate template is intended to be bound to a single user to provide identity and/or encryption services for that single entity.

1.What is the role or function of AD Certificate Services and CA Web Enrollment

AD Certificate Services:

① The Policy Module supports Network Device Enrollment Service: Using the Policy Module with the Network Device Enrollment Service provides enhanced security so that users and devices can request certificates from the Internet.

② TPM Key Proof: The TPM Key Proof allows the Certificate Authority (CA) to verify that the private key is protected by a hardware-based TPM.

③ Windows PowerShell for Certificate Services: New Windows PowerShell cmdlets are available for backup and restore.

CA Web Enrollment:

① Cryptographic Service Provider (CSP) options: the name of the cryptographic service provider, key size (1024, 2048, etc.), hash algorithm (such as SHA / RSA, SHA / DSA, MD2 or MD5) and key specification (exchange Or signature).

② Key generation options: Create a new key set or use an existing key set, mark the key as exportable, enable strong key protection, and use a local computer to store the generated key.

③ Other options: save the request to the PKCS#10 file or add specific attributes to the certificate

2.What is the role or function of Key Archival and Key Recovery Agent

Key Archival:

The function of the secret key archiving is that the CA server has a copy of all issued certificates, so the lost certificate of the user can be recovered, because the smart card is stolen, and the user workstation that saves the user certificate is accidentally reformatted, among other things.

Key Recovery Agent:

The function of the key recovery agent is to restore the lost key issued by the certificate authority to the users in the domain network.

3.Explain at least two uses of the User Certificate

① Administrator: This certificate template provides signing and encryption services for administrator accounts and account identification and trust list (CTL) management in the domain. Certificates based on administrator templates are stored in Active Directory.

② Code signing: These certificate templates allow developers to create certificates that can be used to sign application code. This provides inspection software for the origin so that the code management system and the end user can be confident that the source of the software is authentic.

③ EFS Recovery Agent: This type of certificate allows decrypting files encrypted with EFS so that they can be used again. The EFS Recovery Agent Certificate should be part of any disaster recovery plan when designing an EFS implementation.

Critical Thinking Analysis

This lab teaches us how to implement key archival and can manage keys for password recovery.

In addition, it teaches us how to distinguish between key archive and key recovery agents and how to create and register user certificates.