Part B: Secure LAW using ZPF Implement ZPF on the LAW router On the LAW router , configure ZPF using the following parameters : Zones: Create an inside zone named and an outside zone named ACL 100: Create an ACL 192.168.0.0 /24 going to anywhere Class map : Identify the traffic to inspect using the class map name matching ACL 100 Policy Map : Create a policy map named to inspect the configured class map Zone pair : Create a zone pair named .Specify the source and destination zones that were created and the previously created policy map Verify the ZPF configuration From PC3 : ping PC2 . The pings should be successful From PC2 : ping PC3 . The pings should not be successful Part C: Secure LAN Traffic Between R2 and BR1 Configure VPN settings on R2 and BRI On R2 and BRI , configure reciprocating extended named ACLs called consisting of one ACE making the R.2 LAN traffic (i.e., 10.1.0.0 /16 ) and BRI LAN (i.e., 172.16.1.0 /24 ) traffic interesting IKE Phase 1 ISAKMP policy parameters Policy number Encryption Authentication : Pre -share Diffie -Hellman group : Crypto key: IKE Phase 2 IPsec policy parameters Transform -set name Encryption Authentication Crypto Map parameters : Crypto Map name : Use sequence number and identify it as an ipsec-isakmp map . Verify VPN operation

See below;

Step-by-step explanation

You must register two SPNs for the user running the service: one with the hostname and one with the fully 
qualified domain name.
If you are running the service under a network user service account, you must register the two SPNs for each 
computer running this service.
This is the Milestone SPN naming scheme:
VideoOS/[DNS Host Name]:[Port]
VideoOS/[Fully qualified domain name]:[Port]
The following is an example of SPNs for the recording server service running on a computer with the following 
details:
Hostname: Record-Server1
Domain: Surveillance.com
SPNs to register:
VideoOS/Record-Server1:7609
VideoOS/Record-Server1.Surveillance.com:7609

Encrypt your recordings
Milestone recommends that you secure your recordings by enabling at least Light encryption on your 
recording servers' storage and archives. Milestone uses the AES-256 algorithm for encryption. When 
you select Light encryption, only a part of the recording is encrypted. When you select Strong 
encryption, the entire recording is encrypted.
• Secure the network
Milestone recommends that you select cameras that support HTTPS. It is recommended that you set 
the cameras on separate VLANs and use HTTPS for your camera to recording server communication.
It is recommended that XProtect Smart Clients and XProtect Smart Walls are on the same VLAN as the 
servers.
Use a VPN encrypted network or similar if using Smart Client or Smart Wall from a remote location.
• Enable and document the intended retention time
According to Article 4(1)(e) of the GDPR, recordings must not be retained longer than necessary for the 
specific purposes for which they were made. Milestone recommends that you set the retention time 
according to regional laws and requirements, and in any case, to set the retention time to a maximum 
of 30 days.
• Secure exports
Milestone recommends that you only allow access to export functionality for a select set of users that 
need this permission.
Milestone also recommends that the Smart Client profile is changed to only allow export in XProtect 
Format with encryption enabled. AVI and JPEG exports should not be allowed, because they can not be 
made secure. This makes export of any evidence material password protected, encrypted and digitally 
signed, making sure forensic material is genuine, untampered with and viewed by the authorized 
receiver only.
• Enable privacy masking - permanent or liftable
Use privacy masking to help eliminate surveillance of areas irrelevant to your surveillance target.
Milestone recommends that you set a liftable blurring mask for sensitive areas and in places where 
person identification is not allowed. Create then a second role that can authorize the mask to be lifted.
• Restrict access rights with roles
Apply the principle of least privilege (PoLP).
Milestone recommends that you only allow access to functionality for a select set of users that need 
this permission. By default, only the system administrator can access the system and perform tasks. All 
new roles and users that are created have no access to any functions until they are deliberately 
configured by an administrator.
Set up permissions for all functionality, including: viewing live video and recordings, listening to audio, 
accessing metadata, controlling PTZ cameras, accessing and configuring Smart Wall, lifting privacy 
masks, working with exports, saving snapshots, and so on.
Grant access to only the cameras that the specific operator needs to access, and restrict access to 
recorded video, audio, and metadata for operators, either completely, or grant access to only the video, 
audio, or metadata recorded in the past few hours or less.
Regularly assess and review roles and responsibilities for operators, investigators, system 
administrators and others with access to the system. Does the principle of least privilege still apply?

: Password Authentication Delay: C#

private void AuthenticateRequest(object obj, EventArgs ea)
{
   HttpApplication objApp = (HttpApplication) obj;
   HttpContext objContext = (HttpContext) objApp.Context;  
   // If user identity is not blank, pause for a random amount of time
   if ( objApp.User.Identity.Name != "")
     {
       Random rand = new Random();        
       Thread.Sleep(rand.Next(minSeconds, maxSeconds) * 1000);
     

Password Authentication Delay: VB.NET

Public Sub AuthenticateRequest(ByVal obj As Object, ByVal ea As System.EventArgs)
 Dim objApp As HttpApplication
 Dim objContext As HttpContext
 Dim ran As Random
 objApp = obj
 objContext = objApp.Context

 ' If user identity is not blank, pause for a random amount of time
 If objApp.User.Identity.Name <> "" Then
   ran = New Random
   Thread.Sleep(ran.Next(ran.Next(minSeconds, maxSeconds) * 1000))
 End If
End Sub