This section shows sample usage of the system developed to evaluate the abstraction proposed in this research. It assumes that both the high-level policy intention of a proposed experiment and the network layout have already been generated. The system is run with the following command: python nepas.py <highlevelpolicy>.graphml <networklayout>.graphml <outputfile>.virl
Appendix B
Result of Experiments
This section shows the complete low level Cisco configuration commands of the various network devices in the experiments described in the BGP, firewall and cyber security competition chapters of this research.
B.1 Firewall Chapter Experiment
Listing B.1: Firewall fw2 Configuration for Proposed University
! ASAv Config generated by NePAS
!
hostname fw2
username cisco password cisco privilege 15
enable password cisco
passwd cisco
names
!
interface GigabitEthernet0/1
 description to uniR
 duplex full
 nameif nepas-outside
 security-level 0
 no shutdown
 ip address 20.0.2.5 255.255.255.0
interface GigabitEthernet0/2
 description to wifi2
 duplex full
 nameif nepas-outside-1
 security-level 0
 no shutdown
 ip address 20.0.4.6 255.255.255.0
interface Management0/0
 description OOB Management
 duplex full
 management-only
 nameif mgmt
 security-level 100
 no shutdown
 ! Configured on launch
 no ip address
access-list nepas-out extended permit tcp host 20.0.1.3 host 20.0.0.2 eq 65432
access-list nepas-in extended permit tcp host 2.3.4.5 eq 56431 host 20.0.1.3 eq 62300
access-list nepas-in extended permit ip host 1.2.3.4 host 20.0.1.3
access-list nepas-in extended permit tcp host 20.0.0.2 eq 54321 host 20.0.1.3 eq 54321
access-list nepas-out extended deny ip host 20.0.1.3 host 20.0.0.2
access-list nepas-out extended permit tcp host 20.0.1.3 any eq 40728
access-list nepas-out extended permit tcp host 20.0.1.3 any eq 3689
access-list nepas-out extended permit tcp any host 20.0.0.2 eq ssh
access-list nepas-out extended deny tcp any host www.facebook.com eq 80
access-list nepas-out extended deny tcp any host www.gorillavid.in eq 80
access-list nepas-out extended deny tcp any host www.facebook.com eq 8080
access-list nepas-out extended deny tcp any host www.gorillavid.in eq 8080
access-list nepas-any extended permit icmp any any
access-group nepas-out out interface nepas-outside
access-group nepas-in in interface nepas-outside-1
access-group nepas-any global
!
same-security-traffic permit inter-interface
logging enable
logging asdm informational
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 mgmt
ssh 0.0.0.0 0.0.0.0 mgmt
telnet 0.0.0.0 0.0.0.0 mgmt
http 0.0.0.0 0.0.0.0 nepas-outside
ssh 0.0.0.0 0.0.0.0 nepas-outside
telnet 0.0.0.0 0.0.0.0 nepas-outside
http 0.0.0.0 0.0.0.0 nepas-outside-1
ssh 0.0.0.0 0.0.0.0 nepas-outside-1
telnet 0.0.0.0 0.0.0.0 nepas-outside-1
ssh version 2
crypto key generate rsa modulus 768
telnet timeout 15
console timeout 0
username cisco password cisco privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
  inspect icmp
  inspect http
!
service-policy global_policy global
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
end
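The ASA evaluates the entries of an access-list in order: the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny at the end. That makes the generated fw2 nepas-out list order-sensitive: the entry permit tcp any host 20.0.0.2 eq ssh never applies to 20.0.1.3, because the earlier deny ip host 20.0.1.3 host 20.0.0.2 matches first. The following Python script is an added example, not part of the thesis or of NePAS. It re-implements that first-match evaluation over a constructed subset of the fw2 statements, reports entries that an earlier entry fully shadows, and flags two settings a reviewer of a generated configuration would check before deployment: management services (http, ssh, telnet) opened to every source on a security-level 0 interface, and an RSA modulus below 2048 bits. The function and pattern names are this example's own, and the recognized ACL syntax is only the host/any/eq subset that the listings use.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the fw2 lines from Listing B.1, one command per line
# as the ASA CLI expects. Only the statements this example inspects are kept.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif nepas-outside
 security-level 0
interface Management0/0
 nameif mgmt
 security-level 100
access-list nepas-out extended permit tcp host 20.0.1.3 host 20.0.0.2 eq 65432
access-list nepas-out extended deny ip host 20.0.1.3 host 20.0.0.2
access-list nepas-out extended permit tcp host 20.0.1.3 any eq 40728
access-list nepas-out extended permit tcp host 20.0.1.3 any eq 3689
access-list nepas-out extended permit tcp any host 20.0.0.2 eq ssh
http 0.0.0.0 0.0.0.0 mgmt
ssh 0.0.0.0 0.0.0.0 nepas-outside
telnet 0.0.0.0 0.0.0.0 nepas-outside
crypto key generate rsa modulus 768
"""

# Service names the ASA accepts in place of a port number (the subset used here).
PORT_NAMES = {"ssh": 22, "telnet": 23, "ftp": 21, "www": 80}

@dataclass
class Ace:
    acl: str
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: str               # "any" or a host address
    dst: str
    sport: Optional[int]   # None: any source port
    dport: Optional[int]   # None: any destination port

# Hypothetical parser for the host/any/eq subset of ASA extended ACE syntax.
ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) "
    r"(any|host \S+)(?: eq (\S+))? (any|host \S+)(?: eq (\S+))?$"
)

def _port(tok):
    if tok is None:
        return None
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(tok):
    return "any" if tok == "any" else tok.split()[1]

def parse_acls(config):
    """Return {acl_name: [Ace, ...]} in the order the ASA evaluates them."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, src, sport, dst, dport = m.groups()
            acls.setdefault(name, []).append(
                Ace(name, action, proto, _addr(src), _addr(dst), _port(sport), _port(dport)))
    return acls

def _covers(field, value):
    """An ACE field covers a value when it is a wildcard (None/any) or equal to it."""
    return field in (None, "any") or field == value

def matches(ace, proto, src, dst, sport, dport):
    """Does a single packet (5-tuple) match this ACE?"""
    return ((ace.proto == "ip" or ace.proto == proto)
            and _covers(ace.src, src) and _covers(ace.dst, dst)
            and _covers(ace.sport, sport) and _covers(ace.dport, dport))

def first_match(aces, proto, src, dst, sport=None, dport=None):
    """ASA semantics: the first matching ACE decides; no match is the implicit deny (None)."""
    for ace in aces:
        if matches(ace, proto, src, dst, sport, dport):
            return ace
    return None

def covers(outer, inner):
    """True when every packet inner could match is already matched by outer."""
    return ((outer.proto == "ip" or outer.proto == inner.proto)
            and _covers(outer.src, inner.src) and _covers(outer.dst, inner.dst)
            and _covers(outer.sport, inner.sport) and _covers(outer.dport, inner.dport))

def shadowed(aces):
    """(index, shadowing_index) pairs for ACEs that can never be reached, whatever their action."""
    found = []
    for i, ace in enumerate(aces):
        for j in range(i):
            if covers(aces[j], ace):
                found.append((i, j))
                break
    return found

def exposed_management(config):
    """http/ssh/telnet opened to every source (0.0.0.0 0.0.0.0) on a security-level 0 interface."""
    levels, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^\s*nameif (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"^\s*security-level (\d+)", line)) and current:
            levels[current] = int(m.group(1))
    findings = []
    for line in config.splitlines():
        m = re.match(r"^(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line.strip())
        if m and levels.get(m.group(2)) == 0:
            findings.append((m.group(1), m.group(2)))
    return findings

def weak_rsa_modulus(config, minimum=2048):
    """The configured RSA modulus if it is below `minimum` bits, else None."""
    m = re.search(r"crypto key generate rsa modulus (\d+)", config)
    return int(m.group(1)) if m and int(m.group(1)) < minimum else None

if __name__ == "__main__":
    acl = parse_acls(SAMPLE_CONFIG)["nepas-out"]
    for i, j in shadowed(acl):
        print(f"ACE {i} is unreachable: fully covered by ACE {j}")
    for src in ("20.0.1.3", "20.0.1.4"):
        hit = first_match(acl, "tcp", src, "20.0.0.2", 40000, 22)
        print(f"ssh {src} -> 20.0.0.2: {hit.action if hit else 'implicit deny'}")
    print("management open to any source on outside:", exposed_management(SAMPLE_CONFIG))
    print("weak RSA modulus:", weak_rsa_modulus(SAMPLE_CONFIG))
```

Running the script against the fw2 subset reports no fully shadowed entry, but the two ssh probes show the partial shadowing described above (deny for 20.0.1.3, permit for any other source), and the checks report ssh and telnet reachable from any address on nepas-outside together with the 768-bit modulus; a generated configuration would normally be corrected on these points before it is loaded.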
Listing B.2: Firewall fw3 Configuration for Proposed University
! ASAv Config generated by NePAS
!
hostname fw3
username cisco password cisco privilege 15
enable password cisco
passwd cisco
names
!
interface GigabitEthernet0/1
 description to uniR
 duplex full
 nameif nepas-outside
 security-level 0
 no shutdown
 ip address 20.0.3.6 255.255.255.0
interface GigabitEthernet0/2
 description to wifi1
 duplex full
 nameif nepas-outside-1
 security-level 0
 no shutdown
 ip address 20.0.5.8 255.255.255.0
interface Management0/0
 description OOB Management
 duplex full
 management-only
 nameif mgmt
 security-level 100
 no shutdown
 ! Configured on launch
 no ip address
access-list nepas-in extended permit tcp host 20.0.1.3 host 20.0.0.2 eq 65432
access-list nepas-out extended permit tcp host 20.0.0.2 eq 54321 host 20.0.1.3 eq 54321
access-list nepas-out extended permit tcp host 20.0.0.2 host www.facebook.com eq 80
access-list nepas-out extended permit tcp host 20.0.0.2 host www.facebook.com eq 8080
access-list nepas-out extended permit tcp host 20.0.0.2 host www.gorillavid.in eq 80
access-list nepas-out extended permit tcp host 20.0.0.2 host www.gorillavid.in eq 8080
access-list nepas-out extended deny ip host 20.0.0.2 host 4.5.6.7
access-list nepas-out extended deny tcp host 20.0.0.2 host 20.0.1.3 eq sftp
access-list nepas-out extended deny udp host 20.0.0.2 host 20.0.1.3 eq sftp
access-list nepas-in extended permit tcp host 20.0.1.3 any eq 40728
access-list nepas-in extended permit tcp host 20.0.1.3 any eq 3689
access-list nepas-out extended deny tcp host 20.0.0.2 any eq ftp
access-list nepas-out extended deny tcp host 20.0.0.2 any eq telnet
access-list nepas-in extended permit tcp any host 20.0.0.2 eq ssh
access-list nepas-out extended deny tcp any host www.facebook.com eq 80
access-list nepas-out extended deny tcp any host www.gorillavid.in eq 80
access-list nepas-out extended deny tcp any host www.facebook.com eq 8080
access-list nepas-out extended deny tcp any host www.gorillavid.in eq 8080
access-list nepas-any extended permit icmp any any
access-group nepas-out out interface nepas-outside
access-group nepas-in in interface nepas-outside-1
access-group nepas-any global
!
same-security-traffic permit inter-interface
logging enable
logging asdm informational
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 mgmt
ssh 0.0.0.0 0.0.0.0 mgmt
telnet 0.0.0.0 0.0.0.0 mgmt
http 0.0.0.0 0.0.0.0 nepas-outside
ssh 0.0.0.0 0.0.0.0 nepas-outside
telnet 0.0.0.0 0.0.0.0 nepas-outside
http 0.0.0.0 0.0.0.0 nepas-outside-1
ssh 0.0.0.0 0.0.0.0 nepas-outside-1
telnet 0.0.0.0 0.0.0.0 nepas-outside-1
ssh version 2
crypto key generate rsa modulus 768
telnet timeout 15
console timeout 0
username cisco password cisco privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
  inspect icmp
  inspect http
!
service-policy global_policy global
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
end