En Security Chp9 PTActA Secure-Network Student

PT Activity: Configure a Network for Secure Operation Topology Diagram

Addressing Table Device R1

Interface

IP Address

Subnet Mask

Default Gateway

Switch Port

FA0/1

19!1"#!1!1

$$!$$!$$!0

N/A

S1 FA0/$

S0/0/0 %&C'(

10!1!1!1

$$!$$!$$!$

N/A

N/A

S0/0/0

10!1!1!

$$!$$!$$!$

N/A

N/A

S0/0/1 %&C'(

10!!!

$$!$$!$$!$

N/A

N/A

FA0/1

19!1"#!)!1

$$!$$!$$!0

N/A

S) FA0/$

S0/0/1

10!!!1

$$!$$!$$!$

N/A

N/A

PC*A

N+C

19!1"#!1!$

$$!$$!$$!0

19!1"#!1!1

S1 FA0/"

PC*,

N+C

19!1"#!1!"

$$!$$!$$!0

19!1"#!1!1

S FA FA0/1#

PC*C

N+C

19!1"#!)!$

$$!$$!$$!0

19!1"#!)!1

S) FA0/"

R R)

A-- content. are Copyrigt  19901 19901 Ci.co Sy.te2.3 +nc! A-- rigt. rigt. re.erve4! Ti. 4ocu2ent i. Ci.co Ci.co Pu5-ic +nfor2ation!

Page 1 of 6

CCNA Security

earning !b"ectives •

Secure te router. wit .trong pa..wor4.3 pa..wor4 encryption an4 a -ogin 5anner!

•

Secure te con.o-e an4 7T8 -ine. wit pa..wor4.!

•

Configure -oca- AAA autentication!

•

Configure SS .erver!

•

Configure router for .y.-og!

•

Configure router for NTP!

•

Secure te router again.t -ogin attack.!

•

Configure C,AC an4 PF firewa--.!

•

Secure network .witce.!

Introduction +n ti. co2preen.ive practice activity3 you wi-- app-y a co25ination of .ecurity 2ea.ure. tat were intro4uce4 in te cour.e! Te.e 2ea.ure. are -i.te4 in te o5;ective.! +n te topo-ogy3 R1 i. te e4ge outer for te Co2pany A wi-e R) i. te e4ge router for Co2pany ,! Te.e network. are interconnecte4 via te R router wic repre.ent. te +SP! 8ou wi-- configure variou. .ecurity feature. on te router. an4 .witce. for Co2pany A an4 Co2pany ,! Not a-- .ecurity feature. wi-- 5e configure4 on R1 an4 R)! Te fo--owing preconfiguration. ave 5een 2a4e:

Task #$

•

o.tna2e. on a-- 4evice.

•

+P a44re..e. on a-- 4evice.

•

R con.o-e pa..wor4: ci.coconpa$$

•

R pa..wor4 on 7T8 -ine.: ci.covtypa$$

•

R ena5-e pa..wor4: ci.coenpa$$

•

Static routing

•

Sy.-og .ervice. on PC*,

•

&NS -ookup a. 5een 4i.a5-e4

•

+P 4efau-t gateway. for a-- .witce.

Test %onnectivity and &erify %onfigurations

Step 1. Verify IP addresses. Step 2. Verify routing tables. Step 3. Test connectivity. Fro2 PC*A3 ping PC*C at +P a44re.. 19!1"#!)!$!

Task '$

Secure the (outers

Step 4. Set minimum a password lengt of 1! caracters on router "1 and "3. Step #. $onfigure an enable secret password on router "1 and "3. <.e an ena5-e .ecret pa..wor4 of ciscoenpa))!

A-- content. are Copyrigt  19901 Ci.co Sy.te2.3 +nc! A-- rigt. re.erve4! Ti. 4ocu2ent i. Ci.co Pu5-ic +nfor2ation!

Page  of 6

CCNA Security

Step %. &ncrypt plainte't passwords. Step (. $onfigure te console lines on "1 and "3. Configure a con.o-e pa..wor4 of ciscoconpa)) an4 ena5-e -ogin! Set te exec-timeout to -og out after ) 2inute. of inactivity! Prevent con.o-e 2e..age. fro2 interrupting co22an4 entry!

Step ). $onfigure vty lines on "1. Configure a vty -ine pa..wor4 of ciscovtypa)) an4 ena5-e -ogin! Set te exec-timeout to -og out after ) 2inute. of inactivity! Set te -ogin autentication to u.e te 4efau-t AAA -i.t to 5e 4efine4 -ater! *ote$ Te vty -ine. on R) wi-- 5e configure4 for SS in a -ater ta.k!

Step *. $onfigure login banner on "1 and "3. Configure a warning to unautori=e4 u.er. wit a 2e..age*of*te*4ay %>OT&( 5anner tat .ay.: ?No
Task +$

%onfigure ocal Authentication on (# and (+

Step 1!.

$onfigure te local user database.

Create a -oca- u.er account of Admin,# wit a .ecret pa..wor4 of Admin,#pa))!

Step 11.

&nable +++ services.

Step 12.

Implement +++ services using te local database.

Create te 4efau-t -ogin autentication 2eto4 -i.t u.ing -oca- autentication wit no 5ackup 2eto4!

Task -$

%onfigure *TP

Step 13.

&nable ,TP autentication on P$-+.

On PC*A3 coo.e te %onfig ta53 an4 ten te *TP 5utton! Se-ect !n for NTP .ervice! .nable autentication an4 enter a @ey of # an4 a pa..wor4 of ciscontppa))!

Step 14.

$onfigure "1 as an ,TP $lient.

Configure NTP autentication @ey # wit a pa..wor4 of ciscontppa))! Configure R1 to .yncroni=e wit te NTP .erver an4 autenticate u.ing @ey #!

Step 1#.

$onfigure routers to update ardware cloc.

Configure router. to perio4ica--y up4ate te ar4ware c-ock wit te ti2e -earne4 fro2 NTP!

Task )$

%onfigure (# as Syslog %lient

Step 1%.

$onfigure "1 to timestamp log messages.

Configure ti2e.ta2p .ervice for -ogging on te router.!

Step 1(.

$onfigure "1 to log messages to te syslog server.

Configure te router. to i4entify te re2ote o.t %.y.-og .erver( tat wi-- receive -ogging 2e..age. ! 8ou .ou-4 .ee a con.o-e 2e..age .i2i-ar to te fo--owing: SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.6 port 1! st"rt#$ - %LI initi"t#$


Page ) of 6

CCNA Security

Step 1).

$ec for syslog messages on P$-/.

On R13 eit config 2o4e to generate a .y.-og 2e..age! Open te .y.-og .erver on PC*, to view te 2e..age .ent fro2 R1! 8ou .ou-4 .ee a 2e..age .i2i-ar to te fo--owing on te .y.-og .erver: &SYS--%ON'IG_I: %on(ig)r#$ (ro* +onso,#  +onso,#

Task /$

Secure (outer Against ogin Attacks

Step 1*.

0og unsuccessful login attempts to "1.

Step 2!.

Telnet to "1 from P$-+.

Te-net fro2 PC*A to R1 an4 provi4e te u.erna2e Admin,# an4 pa..wor4 Admin,#pa))! Te Te-net .ou-4 5e .ucce..fu-!

Step 21.

Telnet to "1 from P$-+ and cec syslog messages on te syslog server.

'it fro2 te current Te-net .e..ion an4 Te-net again to R1 u.ing te u.erna2e of baduser an4 any pa..wor4! Ceck te .y.-og .erver on PC*,! 8ou .ou-4 .ee an error 2e..age .i2i-ar to te fo--owing tat i. generate4 5y te fai-e4 -ogin atte2pt! S/%_LOGIN-!-LOGIN_'AIL/0:Login ("i,#$ )s#r:"$)s#r So)r+#:192.168.1. ,o+",port:23 R#"son:In4",i$ ,ogin "t 1:51:23 T% 7#$ )n# 1 2559

Task 0$

%onfigure SS1 on (+

Step 22.

$onfigure a domain name.

Configure a 4o2ain na2e of ccnasecurity2com on R)!

Step 23.

$onfigure te incoming vty lines on "3.

<.e te -oca- u.er account. for 2an4atory -ogin an4 va-i4ation an4 accept on-y SS connection.!

Step 24.

$onfigure "S+ encryption ey pair for "3.

Any ei.ting RSA key pair. .ou-4 5e era.e4 on te router! +f tere are no key. current-y configure4 a 2e..age wi-- 5e 4i.p-aye4 in4icating ti.! Configure te RSA key. wit a 2o4u-u. of 10B!

Step 2#.

$onfigure SS timeouts and autentication parameters.

Set te SS ti2eout to 3, .econ4.3 te nu25er of autentication retrie. to '3 an4 te ver.ion to '!

Task 4$

%onfigure %5A% on (#

Step 2%.

$onfigure a named IP +$0.

Create an +P AC na2e4 !6T7I* to 5-ock a-- traffic originating fro2 te out.i4e network! App-y te acce.. -i.t to inco2ing traffic on interface Seria- 0/0/0!

Step 2(.

Step 3. $onfirm tat traffic entering interface Serial !!! is dropped.

Fro2 te PC*A co22an4 pro2pt3 ping PC*C! Te +C>P eco rep-ie. are 5-ocke4 5y te AC!

Step 2).

$reate an inspection rule to inspect I$P Telnet and TTP traffic.

Create an in.pection ru-e na2e4 I*7!6T7I* to in.pect I%MP3 Telnet an4 1TTP traffic!


Page B of 6

CCNA Security

Step 2*.

+pply te inspect rule to te outside interface.

App-y te +N*O
Step 3!.

Test operation of te inspection rule.

Fro2 te PC*A co22an4 pro2pt3 ping PC*C! Te +C>P eco rep-ie. .ou-4 5e in.pecte4 an4 a--owe4 troug!

Task 3$

%onfigure 8P9 on (+

Step 31.

Test connectivity.

7erify tat te interna- o.t can acce.. eterna- re.ource.! •

Fro2 PC*C3 te.t connectivity wit ping an4 Te-net to RD a-- .ou-4 5e .ucce..fu-!

•

Fro2 R ping to PC*C! Te ping. .ou-4 5e a--owe4!

Step 32.

$reate te firewall 5ones.

Create an interna- =one na2e4 I*78!*.! Create an eterna- =one na2e4 !6T78!*.!

Step 33.

$reate an +$0 tat defines internal traffic.

Create an eten4e43 nu25ere4 AC tat per2it. a-- +P protoco-. fro2 te 19!1"#!)!0/B .ource network to any 4e.tination! <.e #,# for te AC nu25er!

Step 34.

$reate a class map referencing te internal traffic +$0.

Create a c-a.. 2ap na2e4 I*7*.T7%ASS7MAP to 2atc AC 101!

Step 3#.

Specify firewall policies.

Create a po-icy 2ap na2e4 I*7'7!6T7PMAP to 4eter2ine wat to 4o wit 2atce4 traffic! Specify a c-a.. type of inspect an4 reference c-a.. 2ap I*7*.T7%ASS7MAP ! Specify te action of inspect for ti. po-icy 2ap! 8ou .ou-4 .ee te fo--owing con.o-e 2e..age: &No sp#+i(i+ proto+o, +on(ig)r#$ in +,"ss IN-N/T-%LASS-AP (or insp#+tion. A,, proto+o,s ;i,, # insp#+t#$.

'it to te g-o5a- config pro2pt!

Step 3%.

+pply firewall policies.

Create a =one pair na2e4 I*7'7!6T78PAI( ! Specify te .ource an4 4e.tination =one. tat were create4 ear-ier! Attac a po-icy 2ap an4 action. to te =one pair referencing te po-icy 2ap previou.-y create43 I*7'7!6T7 PMAP! 'it to te g-o5a- config pro2pt an4 a..ign te interna- an4 eterna- interface. to te .ecurity =one.!

Step 3(.

Test firewall functionality.

7erify tat te interna- o.t can .ti-- acce.. eterna- re.ource.! •

Fro2 PC*C3 te.t connectivity wit ping an4 Te-net to RD a-- .ou-4 5e .ucce..fu-!

•

Fro2 R ping to PC*C! Te ping. .ou-4 now 5e 5-ocke4!


Page $ of 6

CCNA Security

Task #,$ Secure the Switches Step 3).

$onfigure an enable secret password on all switces.

<.e an ena5-e .ecret pa..wor4 of ciscoenpa))!

Step 3*.

&ncrypt plainte't passwords.

Step 4!.

$onfigure te console lines on all switces.

Configure a con.o-e pa..wor4 of ciscoconpa)) an4 ena5-e -ogin! Set te exec-timeout to -og out after ) 2inute. of inactivity! Prevent con.o-e 2e..age. fro2 interrupting co22an4 entry!

Step 41.

$onfigure vty lines on all switces.

Configure a vty -ine pa..wor4 of ciscovtypa)) an4 ena5-e -ogin! Set te exec-timeout to -og out after ) 2inute. of inactivity! Set te 5a.ic -ogin para2eter!

Step 42.

Secure trun ports on S1 and S2.

Configure port Fa0/1 on S1 a. a trunk port! Configure port Fa0/1 on S a. a trunk port! 7erify tat S1 port Fa0/1 i. in trunking 2o4e! Set te native 7AN on S1 an4 S trunk port. to an unu.e4 7AN 99! Set te trunk port. on S1 an4 S .o tat tey 4o not negotiate 5y turning off te generation of &TP fra2e.! 'na5-e .tor2 contro- for 5roa4ca.t. on te S1 an4 S trunk port. wit a $0 percent ri.ing .uppre..ion -eve-!

Step 43.

Secure access ports.

&i.a5-e trunking on S13 S an4 S) acce.. port.! 'na5-e PortFa.t on S13 S3 an4 S) acce.. port.! 'na5-e ,P&< guar4 on te .witc port. p reviou.-y configure4 a. acce.. on-y! 'na5-e 5a.ic 4efau-t port .ecurity on a-- en4*u.er acce.. port. tat are in u.e! <.e te .ticky option! Re*ena5-e eac acce.. port to wic port .ecurity wa. app-ie4! &i.a5-e any port. not 5eing u.e4 on eac .witc!

Task ##$ &erification Step 44.

Test SS configuration.

Atte2pt to connect to R) via Te-net fro2 PC*C! Fro2 PC*C3 enter te co22an4 to connect to R) via Te-net at +P a44re.. 19!1"#!)!1! Ti. connection .ou-4 fai-3 .ince R) a. 5een configure4 to accept on-y SS connection. on te virtuater2ina- -ine.! Fro2 PC*C3 enter te ssh :l Admin,# #3'2#/42+2# co22an4 to connect to R) via SS! Een pro2pte4 for te pa..wor43 enter te pa..wor4 Admin,#pa)) configure4 for te -oca- a42ini.trator! <.e te show ip ssh co22an4 to .ee te configure4 .etting.!


Page " of 6

CCNA Security

Step 4#.

Verify timestamps ,TP status for "1 and P$-+.

Step 4%.

Test $/+$ firewall on "1.

•

Ping fro2 PC*A to R at 10!!! %.ou-4 .uccee4(!

•

Te-net fro2 PC*A to R 10!!! %.ou-4 .uccee4(!

•

Ping fro2 R to PC*A at 1 9!1"#!1!) %.ou-4 fai-(!

Step 4(.

Test 6P7 firewall on "3.

•

Ping fro2 PC*C to R at 10!!! %.ou-4 .uccee4(!

•

Te-net fro2 PC*C to R at 10!!! %.ou-4 .uccee4(!

•

Ping fro2 R to PC*C at 19!1"#!)!$ %.ou-4 fai-(!

•

Te-net fro2 R to R) at 10!!!1 %.ou-4 fai-  on-y SS i. a--owe4(!

Step 4).

Verify port security.

On S3 u.e te show run co22an4 to confir2 tat S a. a44e4 a .ticky >AC a44re.. for Fa0/1#! Ti. .ou-4 5e te >AC a44re.. of PC*,! Recor4 te >AC a44re.. for -ater u.e! Se-ect PC*,! o to te %onfig ta5! Se-ect 9ast.thernet un4er te +nterface .ection! '4it te >AC a44re.. fie-4! Ti. .ou-4 cau.e a port .ecurity vio-ation an4 S .ou-4 .ut 4own port Fa0/1#! <.e te show interface 9a,;#4 co22an4 to view te .tatu. of te port! Te port .ou-4 5e in te e rr* 4i.a5-e4 .tate! On PC*,3 go to te %onfig ta5! Se-ect 9ast.thernet un4er te +nterface .ection! Cange te >AC a44re.. to anoter a44re..! Fro2 interface configuration 2o4e on .witc S for Fa0/1#3 u .e te no switchport port7security mac7 address sticky address co22an4 to re2ove te origina- PC*, -earne4 a44re..! Sut4own an4 ten re*ena5-e te Fa0/1# interface! On S3 u.e te show run co22an4 to confir2 tat te port co2e. up an4 tat te new >AC a44re.. a. 5een -earne4! *ote$ +f it i. 4e.ire4 to reconnect te PC wit te origina- >AC a44re..3 you can .i2p-y cange te >AC a44re.. on te PC 5ack to te origina- one an4 i..ue te shutdown an4 no shut down co22an4. on port Fa0/1#! +f te PC or a N+C i. 5eing rep-ace4 an4 wi-- ave a new >AC a44re..3 you 2u.t fir.t re2ove te o-4 -earne4 a44re..!

Step 4*.

$ec results.

8our co2p-etion percentage .ou-4 5e 100G! C-ick %heck (esults to .ee fee45ack an4 verification of wic reHuire4 co2ponent. ave 5een co2p-ete4!


Page 6 of 6

En Security Chp9 PTActA Secure-Network Student

Recommend Documents