
    Cloud Security Risks: Identify and Protect Against Threats


    Access a firewall and create a rule

    Lab | 1 hour 30 minutes | 5 Credits | Introductory
    Note: This lab may incorporate AI tools to support your learning.
    IMPORTANT:

    Make sure to complete this hands-on lab on a desktop/laptop only.

    There are only 5 attempts permitted per lab.

    As a reminder – it is common to not get every question correct on your first try, and even to need to redo a task; this is part of the learning process.

    Once a lab is started, the timer cannot be paused. After 1 hour and 30 minutes, the lab will end and you’ll need to start again.

    For more information review the Lab technical tips reading.

    Activity overview

    The assets within a cloud environment need to be protected from unauthorized access. To address this, security professionals use perimeter protection which refers to the security measures implemented to defend the edge of a network or system against unauthorized access and cyber threats. One type of perimeter protection includes using firewalls to manage and secure network traffic entering and leaving a cloud environment. Firewalls help protect trusted internal networks (like a company's private network) from untrusted external networks (such as the Internet). Firewalls examine both incoming and outgoing network traffic based on predefined rules to either allow or block specific data packets. This is crucial for helping maintain application security, traffic control, compliance, and policy enforcement.

    In this lab, you'll access a firewall, create rules to test the security of a server, and make modifications as necessary.

    Scenario

    Cymbal Bank has a demo web server that is provisioned on an existing Virtual Private Cloud (VPC) network. Your team lead, Chloe, is concerned about the security configurations of this web server and wants you to analyze the inbound network traffic to the web server and block connections to unnecessary ports using firewall rules. You have been tasked with analyzing the firewall rules for this web server and testing its connection. To complete this task, you will need to create several firewall rules, connect to the web server, and analyze the logs associated with the network connections.

    Here’s how you'll do this task: First, you'll create a firewall rule to allow network traffic to the demo web server. Then, you’ll generate HTTP network traffic to the server and analyze its network logs. Next, you’ll create and test a new firewall rule to deny HTTP traffic to the server. Finally, you'll analyze the firewall logs to verify that the new firewall rule works as intended.

    Note: In this lab, you are provided with a custom-mode network VPC, vpc-net, and subnet, vpc-subnet, configured with VPC Flow Logs in region. You are also provided with a VM instance, web-server, installed with an Apache web server within vpc-subnet with attached network tag http-server in zone.

    Setup

    Before you click Start Lab

    Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

    This practical lab lets you do the activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

    To complete this lab, you need:

    • Access to a standard internet browser (Chrome browser recommended).
    Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
    • Time to complete the lab; remember, once you start, you cannot pause a lab.
    Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

    How to start your lab and sign in to the Google Cloud console

    1. Click the Start Lab button. On the left is the Lab Details panel with the following:

      • Time remaining
      • The Open Google Cloud console button
      • The temporary credentials that you must use for this lab
      • Other information, if needed, to step through this lab
      Note: If you need to pay for the lab, a pop-up opens for you to select your payment method.
    2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window) if you are running the Chrome browser. The Sign in page opens in a new browser tab.

      Tip: You can arrange the tabs in separate, side-by-side windows to easily switch between them.

      Note: If the Choose an account dialog displays, click Use Another Account.
    3. If necessary, copy the Google Cloud username below and paste it into the Sign in dialog. Click Next.

    {{{user_0.username | "Google Cloud username"}}}

    You can also find the Google Cloud username in the Lab Details panel.

    4. Copy the Google Cloud password below and paste it into the Welcome dialog. Click Next.
    {{{user_0.password | "Google Cloud password"}}}

    You can also find the Google Cloud password in the Lab Details panel.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
    5. Click through the subsequent pages:
      • Accept the terms and conditions
      • Do not add recovery options or two-factor authentication (because this is a temporary account)
      • Do not sign up for free trials

    After a few moments, the Console opens in this tab.

    Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

    Task 1. Create a firewall rule

    In this task, you'll create a firewall rule that allows HTTP and SSH connectivity. You will also specify a target tag for the newly created firewall rule.

    In Google Cloud, firewall rules must specify targets to define which VM instances they apply to. Target tags can be used to apply a firewall rule to a specific group of VMs, helping simplify the management of firewall rules. You'll use target tags to enable this firewall rule to the web server only.

    1. In the Google Cloud console, click the Navigation menu ().
    2. Select VPC Network > Firewall. The Firewall policies page displays.
    Note: If a message is displayed stating that you don't have the required permissions to view the firewall policies inherited by this project, you can disregard it and continue with the next steps.
    3. On the toolbar, click + Create Firewall Rule. The Create a firewall rule dialog displays.

    4. Specify the following, and leave the remaining settings as their defaults:

    Field                 Value
    Name                  allow-http-ssh
    Logs                  On
    Network               vpc-net
    Targets               Specified target tags
    Target tags           http-server
    Source filter         IPv4 ranges
    Source IPv4 ranges    0.0.0.0/0

    In the Protocols and ports section:
    • Select Specified protocols and ports
    • Select the TCP checkbox
    • In the Ports field, enter 80, 22

    5. Click Create.
    Note: Wait until the Successfully created firewall rule "allow-http-ssh" message displays before continuing.

    Click Check my progress to verify that you have completed this task correctly. Create a firewall rule

    Task 2. Generate HTTP network traffic

    In this task, you'll generate HTTP network traffic to the web server by visiting its external IP address. The network traffic you generate will then be recorded as logs that you can analyze in the Logs Explorer.

    First, you need to generate network traffic.

    1. In the Google Cloud console, click the Navigation menu ().

    2. Select Compute Engine > VM instances. The VM instances page opens.

    3. For web-server, click on the External IP link to access the server.

    (Alternatively, you can add the External IP value to http://EXTERNAL_IP/ in a new browser window or tab.) A default web page should display.

    Next, you need to find the IP address of the computer you’re using.

    1. Access your IP address using the following link whatismyip.com. It will directly reply with your IP.

    Note: Ensure that the IP address is a dotted-decimal IPv4 address (numerals only) and not a hexadecimal IPv6 address.
    2. Copy the IP address and save it in a notepad. You'll need to use this in the next task.

    Click Check my progress to verify that you have completed this task correctly. Generate HTTP network traffic

    Task 3. Analyze the web server Flow Logs

    In this task, you'll access and analyze the VPC Flow Logs for the web server using the Logs Explorer.

    1. In the Google Cloud console, click the Navigation menu ().

    2. Select Logging > Logs Explorer. The Logs Explorer page opens. (You may need to expand the More Products drop-down menu within the Navigation menu and locate Logging under Operations.)

    3. On the left side of the Logs Explorer page, the Log fields pane is presented. The Resource type and Severity sections are available. Under the Resource type section, select Subnetwork.

    Entries from the subnetwork logs will display on the Query results pane to the right of the Log fields pane.

    4. On the Log fields pane, in the Log name section, select compute.googleapis.com/vpc_flows to access the VPC Flow Logs for the network. If this option doesn't display, wait a few minutes for this log type to show up.

    Once selected, entries from the VPC Flow Logs display on the Query results pane.

    5. In the Query builder at the top of the page, at the end of line 2, press ENTER to create a new line.

    6. On line 3, enter the following:

    jsonPayload.connection.src_ip=YOUR_IP

    Your query should resemble the following:

    resource.type="gce_subnetwork" log_name="projects/{{{project_0.project_id | PROJECT_ID}}}/logs/compute.googleapis.com%2Fvpc_flows" jsonPayload.connection.src_ip=YOUR_IP

    7. Replace YOUR_IP with the IP address you saved from Task 2. This query searches for network traffic logs originating from your IP address, that is, the traffic you generated in the previous task.

    8. Click Run query. The query results should display on the Query results pane.

    Note: If the vpc_flows filter option doesn't display or if there are no logs, you might have to wait a few minutes and refresh. If after a couple of minutes the vpc_flows filter option still doesn't display, navigate to the Compute Engine page and click on the External IP of the web server a few times to generate more traffic, then check the vpc_flows filter option again.

    9. In the Query results pane, expand one of the log entries.

    10. Within the entry, expand jsonPayload by clicking the expand arrow >. Then, expand the connection field.

    Here you can examine the details about the network connection to the web server:

    • dest_ip - The destination IP address, which is the web server's address.
    • dest_port - The destination port number on the web server, which is HTTP port 80.
    • protocol - The protocol number, which is 6, the IANA protocol number for TCP traffic.
    • src_ip - The source IP address, which is your computer's address.
    • src_port - The source port number assigned to your computer's connection. According to Internet Assigned Numbers Authority (IANA) standards, this is typically a dynamically chosen port number in the range 49152-65535.

    After analyzing the details of this log entry, you should notice that the network traffic you generated (on HTTP port 80) was allowed due to the firewall rule allow-http-ssh you created previously. This rule allowed incoming traffic on ports 80 and 22.

    Task 4. Create a firewall rule to deny HTTP traffic

    In this task, you'll create a new firewall rule that denies traffic from port 80.

    1. In the Google Cloud console, click the Navigation menu ().

    2. Select VPC network > Firewall. The Firewall policies page displays.

    3. On the toolbar, click + Create Firewall Rule.

    4. In the Create a firewall rule dialog, specify the following, and leave the remaining settings as their defaults:

    Field                 Value
    Name                  deny-http
    Logs                  On
    Network               vpc-net
    Action on match       Deny
    Targets               Specified target tags
    Target tags           http-server
    Source filter         IPv4 ranges
    Source IPv4 ranges    0.0.0.0/0

    In the Protocols and ports section:
    • Select Specified protocols and ports
    • Select the TCP checkbox
    • In the Ports field, enter 80

    5. Click Create.

    Click Check my progress to verify that you have completed this task correctly. Create a firewall to deny HTTP traffic

    Task 5. Analyze the firewall logs

    In this task, you'll test the deny-http firewall rule that you created in the previous task.

    First, attempt to connect to the web server.

    1. Click the Navigation menu ().
    2. Select Compute Engine > VM instances. The VM instances page opens.
    3. For web-server, click on the External IP link to access the server.

    The following error message should display on the page:

    This error occurred because of the deny-http firewall rule you created in the previous task. To verify this, access the Logs Explorer to analyze the firewall logs for the web server.

    1. In the Google Cloud console, click the Navigation menu ().

    2. Select Logging > Logs Explorer. The Logs Explorer page opens. (You may need to expand the More Products drop-down menu within the Navigation menu and locate Logging under Operations.)

    3. Under the Resource type section, select Subnetwork.

    4. On the Log fields pane, in the Log name section, select compute.googleapis.com/firewall to access the firewall logs for the network.

    5. In the Query builder at the top of the page, at the end of line 2, press ENTER to create a new line.

    6. On line 3, enter the following:

    jsonPayload.connection.src_ip=YOUR_IP DENIED

    Replace YOUR_IP with the IP address you saved from Task 2. This query will search for firewall logs that denied your IP address connection to the web server. Your query should resemble the following:

    resource.type="gce_subnetwork" log_name="projects/{{{project_0.project_id | PROJECT_ID}}}/logs/compute.googleapis.com%2Ffirewall" jsonPayload.connection.src_ip=YOUR_IP DENIED
    7. Click Run query. The query results should display on the Query results pane.

    8. In the Query results pane, expand one of the log entries.

    9. Within the log entry, expand the jsonPayload field by clicking the expand arrow >. Then, expand the connection field. You can examine the details about the network connection to the web server to verify whether the firewall rule was successfully triggered:

    • dest_ip - The destination IP address of the web server, which is 10.1.3.2.
    • dest_port - The destination port number on the web server, which is HTTP port 80.
    • protocol - The protocol number, which is 6, the IANA protocol number for TCP traffic.
    • src_ip - The source IP address, which is your computer's address.
    • src_port - The source port number assigned to your computer's connection.
    • disposition - Indicates whether the connection was allowed or denied. Here it is DENIED, which indicates that the connection to the server was denied.

    10. Within the log entry, expand the rule_details field by clicking the expand arrow >. You can examine the details about the firewall rule. Additionally, you can extract more information from the following fields in the log entry by expanding them:
    • action - The action taken by the rule, DENY in this case.
    • direction - The rule's traffic direction, either ingress or egress. Here it is INGRESS, which means the action applies to incoming traffic.
    • ip_port_info - The protocol and ports this rule controls. The ip_protocol and port_range fields list TCP port 80.
    • source_range - The traffic sources the firewall rule applies to. Here it is 0.0.0.0/0.
    • target_tag - All the target tags the firewall rule applies to. Here it is http-server, the target tag you added to the firewall rule in the previous task.

    By examining the details of this firewall log entry, you should notice that the firewall rule deny-http you set up to deny HTTP traffic was successfully triggered. This rule denied incoming network traffic on port 80.
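The two Logs Explorer queries from Task 3 and Task 5, re-implemented offline over constructed log entries so the filtering logic can be checked step by step. This is an added example and not part of the lab; the project name, IP addresses and ports are made-up sample values, and the rule name is taken from the rule_details.reference field, which the lab's field list does not mention.

```python
MY_IP = "203.0.113.7"  # constructed; stands in for the address saved in Task 2
FLOW_LOG = "projects/example-project/logs/compute.googleapis.com%2Fvpc_flows"
FW_LOG = "projects/example-project/logs/compute.googleapis.com%2Ffirewall"
IANA_PROTOCOLS = {6: "TCP", 17: "UDP"}  # Task 3: protocol 6 is TCP
def conn(src_ip, src_port, dest_port):
    """Build a jsonPayload.connection block for a TCP connection to web-server."""
    return {"src_ip": src_ip, "src_port": src_port,
            "dest_ip": "10.1.3.2", "dest_port": dest_port, "protocol": 6}

def rule(name, action, ports):
    """Build a jsonPayload.rule_details block with the fields the lab walks through."""
    return {"reference": f"network:vpc-net/firewall:{name}", "action": action,
            "direction": "INGRESS", "source_range": ["0.0.0.0/0"],
            "target_tag": ["http-server"],
            "ip_port_info": [{"ip_protocol": "TCP", "port_range": ports}]}

# Constructed entries in the order the lab generates them; the last is another client's.
SAMPLE_ENTRIES = [
    {"logName": FLOW_LOG, "jsonPayload": {"connection": conn(MY_IP, 51234, 80)}},
    {"logName": FW_LOG, "jsonPayload": {"disposition": "ALLOWED",
        "connection": conn(MY_IP, 51234, 80),
        "rule_details": rule("allow-http-ssh", "ALLOW", ["80", "22"])}},
    {"logName": FW_LOG, "jsonPayload": {"disposition": "DENIED",
        "connection": conn(MY_IP, 51300, 80),
        "rule_details": rule("deny-http", "DENY", ["80"])}},
    {"logName": FW_LOG, "jsonPayload": {"disposition": "DENIED",
        "connection": conn("198.51.100.9", 40001, 80),
        "rule_details": rule("deny-http", "DENY", ["80"])}},
]

def is_ephemeral_port(port):
    """Task 3 note: client source ports normally fall in the IANA dynamic range."""
    return 49152 <= port <= 65535

def flows_from(entries, src_ip):
    """Task 3 query: vpc_flows entries whose jsonPayload.connection.src_ip matches."""
    return [e["jsonPayload"]["connection"] for e in entries
            if e["logName"].endswith("%2Fvpc_flows")
            and e["jsonPayload"]["connection"]["src_ip"] == src_ip]

def denied_from(entries, src_ip):
    """Task 5 query: firewall entries for src_ip with disposition DENIED, one summary per hit."""
    hits = []
    for e in entries:
        p = e["jsonPayload"]
        if (not e["logName"].endswith("%2Ffirewall") or p.get("disposition") != "DENIED"
                or p["connection"]["src_ip"] != src_ip):
            continue
        r = p["rule_details"]
        hits.append({"rule": r["reference"].rsplit(":", 1)[1], "action": r["action"],
                     "direction": r["direction"], "ports": r["ip_port_info"][0]["port_range"],
                     "proto": IANA_PROTOCOLS.get(p["connection"]["protocol"], "other"),
                     "target_tags": r["target_tag"]})
    return hits
```

The fourth entry shows why the src_ip term matters: without it, the DENIED filter would also return other clients' blocked connections.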

    Click Check my progress to verify that you have completed this task correctly. Analyze the firewall logs

    Conclusion

    Great work!

    You now have practical experience in creating and testing firewall rules for a web server in a cloud environment. By creating firewall rules and analyzing log entries, you have a familiarity with the intricacies of perimeter protection. This is useful for monitoring and analyzing potential security incidents or threats, which is an essential part of a security analyst's role.

    You’re well on your way to understanding how to modify firewall rules to ensure maximum network security.

    End your lab

    Before you end the lab, make sure you’re satisfied that you’ve completed all the tasks. When you're ready, click End Lab and then click Submit.

    Ending the lab will remove your access to the lab environment, and you won’t be able to access the work you've completed in it again.

    Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
