Configure a Network for Secure Operation

Author: admin   Published: 2010-11-12   Comments: 0   Views: 9,415+

Topology Diagram

Addressing Table

Device  Interface     IP Address   Subnet Mask      Default Gateway  Switch Port
R1      FA0/1         192.168.1.1  255.255.255.0    N/A              S1 FA0/5
        S0/0/0 (DCE)  10.1.1.1     255.255.255.252  N/A              N/A
R2      S0/0/0        10.1.1.2     255.255.255.252  N/A              N/A
        S0/0/1 (DCE)  10.2.2.2     255.255.255.252  N/A              N/A
R3      FA0/1         192.168.3.1  255.255.255.0    N/A              S3 FA0/5
        S0/0/1        10.2.2.1     255.255.255.252  N/A              N/A
PC-A    NIC           192.168.1.5  255.255.255.0    192.168.1.1      S1 FA0/6
PC-B    NIC           192.168.1.6  255.255.255.0    192.168.1.1      S2 FA0/18
PC-C    NIC           192.168.3.5  255.255.255.0    192.168.3.1      S3 FA0/6

Learning Objectives

Secure the routers with strong passwords, password encryption and a login banner.

Secure the console and VTY lines with passwords.

Configure local AAA authentication.

Configure SSH server.

Configure router for syslog.

Configure router for NTP.

Secure the router against login attacks.

Configure CBAC and ZPF firewalls.

Secure network switches.

Introduction

In this comprehensive practice activity, you will apply a combination of security measures that were introduced in the course. These measures are listed in the objectives.

In the topology, R1 is the edge router for Company A, while R3 is the edge router for Company B. These networks are interconnected via the R2 router, which represents the ISP. You will configure various security features on the routers and switches for Company A and Company B. Not all security features will be configured on both R1 and R3.

The following preconfigurations have been made:

Hostnames on all devices

IP addresses on all devices

R2 console password: ciscoconpa55

R2 password on VTY lines: ciscovtypa55

R2 enable password: ciscoenpa55

Static routing

Syslog services on PC-B

DNS lookup has been disabled

IP default gateways for all switches

Task 1: Test Connectivity and Verify Configurations

Step 1. Verify IP addresses.

R1# show ip interface brief

R1# show run

Step 2. Verify routing tables.

R1# show ip route

Step 3. Test connectivity.

From PC-A, ping PC-C at IP address 192.168.3.5.

Task 2: Secure the Routers

Step 1. Set a minimum password length of 10 characters on routers R1 and R3.

R1(config)# security passwords min-length 10

R3(config)# security passwords min-length 10

Step 2. Configure an enable secret password on routers R1 and R3.

Use an enable secret password of ciscoenpa55.

R1(config)# enable secret ciscoenpa55

R3(config)# enable secret ciscoenpa55

Step 3. Encrypt plaintext passwords.

R1(config)# service password-encryption

R3(config)# service password-encryption

Step 4. Configure the console lines on R1 and R3.

Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.

R1(config)# line console 0

R1(config-line)# password ciscoconpa55

R1(config-line)# exec-timeout 5 0

R1(config-line)# login

R1(config-line)# logging synchronous

R3(config)# line console 0

R3(config-line)# password ciscoconpa55

R3(config-line)# exec-timeout 5 0

R3(config-line)# login

R3(config-line)# logging synchronous

Step 5. Configure vty lines on R1.

Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the login authentication to use the default AAA list to be defined later.

R1(config)# line vty 0 4

R1(config-line)# password ciscovtypa55

R1(config-line)# exec-timeout 5 0

R1(config-line)# login authentication default

Note: The vty lines on R3 will be configured for SSH in a later task.

Step 6. Configure a login banner on R1 and R3.

Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: "No Unauthorized Access!".

R1(config)# banner motd $No Unauthorized Access!$

R3(config)# banner motd $No Unauthorized Access!$

Task 3: Configure Local Authentication on R1 and R3

Step 1. Configure the local user database.

Create a local user account of Admin01 with a secret password of Admin01pa55.

R1(config)# username Admin01 privilege 15 secret Admin01pa55

R3(config)# username Admin01 privilege 15 secret Admin01pa55

Step 2. Enable AAA services.

R1(config)# aaa new-model

R3(config)# aaa new-model

Step 3. Implement AAA services using the local database.

Create the default login authentication method list using local authentication with no backup method.

R1(config)# aaa authentication login default local none

R3(config)# aaa authentication login default local none

Task 4: Configure NTP

Step 1. Enable NTP authentication on PC-A.

On PC-A, choose the Config tab, and then the NTP button. Select On for NTP service. Enable authentication and enter a Key of 1 and a password of ciscontppa55.

Step 2. Configure R1 as an NTP client.

Configure NTP authentication Key 1 with a password of ciscontppa55. Configure R1 to synchronize with the NTP server and authenticate using Key 1.

R1(config)# ntp authenticate

R1(config)# ntp authentication-key 1 md5 ciscontppa55

R1(config)# ntp trusted-key 1

R1(config)# ntp server 192.168.1.5 key 1

Step 3. Configure routers to update the hardware clock.

Configure routers to periodically update the hardware clock with the time learned from NTP.

R1(config)# ntp update-calendar

Task 5: Configure R1 as Syslog Client

Step 1. Configure R1 to timestamp log messages.

Configure timestamp service for logging on the routers.

R1(config)# service timestamps log datetime msec

Step 2. Configure R1 to log messages to the syslog server.

Configure the routers to identify the remote host (syslog server) that will receive logging messages.

R1(config)# logging 192.168.1.6

You should see a console message similar to the following:

SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.6 port 514 started - CLI initiated

Step 3. Check for syslog messages on PC-B.

On R1, exit config mode to generate a syslog message. Open the syslog server on PC-B to view the message sent from R1. You should see a message similar to the following on the syslog server:

%SYS-5-CONFIG_I: Configured from console by console

Task 6: Secure Router Against Login Attacks

Step 1. Log unsuccessful login attempts to R1.

R1(config)# login on-failure log

Step 2. Telnet to R1 from PC-A.

Telnet from PC-A to R1 and provide the username Admin01 and password Admin01pa55. The Telnet should be successful.

Step 3. Telnet to R1 from PC-A and check syslog messages on the syslog server.

Exit from the current Telnet session and Telnet again to R1 using the username of baduser and any password. Check the syslog server on PC-B. You should see an error message similar to the following that is generated by the failed login attempt.

SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:baduser] [Source:192.168.1.5] [localport:23] [Reason:Invalid login] at 15:01:23 UTC Wed June 17 2009
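Logging failed logins only helps if the messages are actually read. The script below is an added example, not part of the original lab or of Cisco's materials: it parses SEC_LOGIN-4-LOGIN_FAILED lines in the format shown above (the sample lines are constructed; a leading "%" and extra spacing are tolerated because real IOS output varies slightly) and flags any source address that produces several failures within a short window. The threshold of 3 failures in 60 seconds is an illustrative choice. On the router itself, the IOS `login block-for` command applies the same attempts-within-seconds idea, although this lab does not configure it.

```python
"""Detect bursts of failed logins in syslog from a router with
`login on-failure log` enabled (Task 6).

Added example, not from the original lab. The log lines are constructed to
follow the SEC_LOGIN message format shown in the lab text; the threshold of
3 failures per 60 seconds is illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one config message, one success, four failures.
SAMPLE_SYSLOG = """\
%SYS-5-CONFIG_I: Configured from console by console
SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:Admin01] [Source:192.168.1.5] [localport:23] at 15:00:10 UTC Wed June 17 2009
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:baduser] [Source:192.168.1.5] [localport:23] [Reason:Invalid login] at 15:01:23 UTC Wed June 17 2009
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:admin] [Source:192.168.1.5] [localport:23] [Reason:Invalid login] at 15:01:31 UTC Wed June 17 2009
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:root] [Source:192.168.1.5] [localport:23] [Reason:Invalid login] at 15:01:40 UTC Wed June 17 2009
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:Admin01] [Source:192.168.1.6] [localport:23] [Reason:Invalid login] at 15:05:00 UTC Wed June 17 2009
"""

# Optional "%" prefix and optional spaces after the colons, so both the
# lab's rendering and the usual IOS rendering are accepted.
FAILED_RE = re.compile(
    r"%?SEC_LOGIN-4-LOGIN_FAILED:\s*Login failed"
    r"\s*\[user:\s*(?P<user>[^\]]*)\]"
    r"\s*\[Source:\s*(?P<src>[^\]]+)\]"
    r"\s*\[localport:\s*(?P<port>\d+)\]"
    r"\s*\[Reason:\s*(?P<reason>[^\]]*)\]"
    r"\s*at (?P<time>\d{2}:\d{2}:\d{2}) \S+ \w{3} (?P<month>\w+) (?P<day>\d{1,2}) (?P<year>\d{4})"
)


def parse_failures(text):
    """Return a list of dicts (when, user, src, port, reason), one per failed login."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        stamp = f"{m['time']} {m['month']} {m['day']} {m['year']}"
        when = None
        # IOS may print the month in full ("June") or abbreviated ("Jun").
        for fmt in ("%H:%M:%S %B %d %Y", "%H:%M:%S %b %d %Y"):
            try:
                when = datetime.strptime(stamp, fmt)
                break
            except ValueError:
                continue
        if when is None:
            continue
        events.append({"when": when, "user": m["user"], "src": m["src"],
                       "port": int(m["port"]), "reason": m["reason"]})
    return events


def find_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return {source_ip: total_failures} for every source that produced at
    least `threshold` failures inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["when"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_SYSLOG)
    for src, count in find_bursts(failures).items():
        print(f"login-failure burst from {src}: {count} failures")
```

Feed it the syslog server's log file; `find_bursts` returns only the sources that crossed the threshold, so a single mistyped password from an administrator is not reported while a run of guesses from one address is.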

Task 7: Configure SSH on R3

Step 1. Configure a domain name.

Configure a domain name of ccnasecurity.com on R3.

R3(config)# ip domain-name ccnasecurity.com

Step 2. Configure the incoming vty lines on R3.

Use the local user accounts for mandatory login and validation and accept only SSH connections.

R3(config)# line vty 0 4

R3(config-line)# exec-timeout 5 0

R3(config-line)# login local

R3(config-line)# transport input ssh

Step 3. Configure an RSA encryption key pair for R3.

Any existing RSA key pairs should be erased on the router. If there are no keys currently configured a message will be displayed indicating this. Configure the RSA keys with a modulus of 1024.

R3(config)# crypto key zeroize rsa

% No Signature RSA Keys found in configuration.

R3(config)# crypto key generate rsa [Enter]

The name for the keys will be: R3.ccnasecurity.com

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]:1024

% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

Step 4. Configure SSH timeouts and authentication parameters.

Set the SSH timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.

R3(config)# ip ssh time-out 90

R3(config)# ip ssh authentication-retries 2

R3(config)# ip ssh version 2

Task 8: Configure CBAC on R1

Step 1. Configure a named IP ACL.

Create an IP ACL named OUT-IN to block all traffic originating from the outside network.

R1(config)# ip access-list extended OUT-IN

R1(config-ext-nacl)# deny ip any any

R1(config-ext-nacl)# exit

Apply the access list to incoming traffic on interface Serial 0/0/0.

R1(config)# interface s0/0/0

R1(config-if)# ip access-group OUT-IN in

Step 2. Confirm that traffic entering interface Serial 0/0/0 is dropped.

From the PC-A command prompt, ping PC-C. The ICMP echo replies are blocked by the ACL.

Step 3. Create an inspection rule to inspect ICMP, Telnet and HTTP traffic.

Create an inspection rule named IN-OUT-IN to inspect ICMP, Telnet and HTTP traffic.

R1(config)# ip inspect name IN-OUT-IN icmp

R1(config)# ip inspect name IN-OUT-IN telnet

R1(config)# ip inspect name IN-OUT-IN http

Step 4. Apply the inspect rule to the outside interface.

Apply the IN-OUT-IN inspection rule to the interface where traffic exits to outside networks.

R1(config)# interface s0/0/0

R1(config-if)# ip inspect IN-OUT-IN out

Step 5. Test operation of the inspection rule.

From the PC-A command prompt, ping PC-C. The ICMP echo replies should be inspected and allowed through.

Task 9: Configure ZPF on R3

Step 1. Test connectivity.

Verify that the internal host can access external resources.

- From PC-C, test connectivity with ping and Telnet to R2; all should be successful.

- From R2, ping PC-C. The pings should be allowed.

Step 2. Create the firewall zones.

Create an internal zone named IN-ZONE.

R3(config)# zone security IN-ZONE

Create an external zone named OUT-ZONE.

R3(config)# zone security OUT-ZONE

Step 3. Create an ACL that defines internal traffic.

Create an extended, numbered ACL that permits all IP protocols from the 192.168.3.0/24 source network to any destination. Use 101 for the ACL number.

R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any
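Both firewall tasks rest on how IOS matches an ACL entry with a wildcard mask: the OUT-IN list on R1 (Task 8) and ACL 101 above. The Python code below is an added example, not part of the lab or of Cisco's materials: it implements the wildcard match (a 0 bit in the mask means that address bit must match, a 1 bit means don't care), handles the any and host keywords and the implicit deny at the end of every list, and evaluates constructed source/destination pairs from this topology against both lists.

```python
"""Evaluate IOS-style access-list entries with wildcard masks, as used by the
OUT-IN ACL on R1 (Task 8) and ACL 101 that defines IN-ZONE traffic on R3 (Task 9).

Added example, not from the original lab. Only the 'ip' protocol keyword is
handled; the test packets are constructed from the lab's addressing table.
"""
import ipaddress

# The two lists from the lab, as typed (named form and numbered form).
OUT_IN = ["deny ip any any"]
ACL_101 = ["access-list 101 permit ip 192.168.3.0 0.0.0.255 any"]


def wildcard_matches(address, base, wildcard):
    """True if `address` matches `base` under `wildcard`: bits that are 0 in the
    wildcard must be equal, bits that are 1 are ignored."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def prefix_to_wildcard(prefix_len):
    """/24 -> 0.0.0.255: the wildcard is the bitwise inverse of the netmask."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    return str(ipaddress.IPv4Address(int(net.netmask) ^ 0xFFFFFFFF))


def _take_address(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return
    ((base, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' or the named-ACL form
    'permit|deny ip SRC DST' into a dict."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop 'access-list' and the list number
    action, proto = tokens[0], tokens[1]
    src, rest = _take_address(tokens[2:])
    dst, _ = _take_address(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl_lines, src_ip, dst_ip):
    """Return the action of the first matching entry, or 'deny' for the
    implicit deny that ends every IOS access list."""
    for line in acl_lines:
        ace = parse_ace(line)
        if wildcard_matches(src_ip, *ace["src"]) and wildcard_matches(dst_ip, *ace["dst"]):
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    # PC-C to R2 is internal traffic for ZPF; R2 to PC-C is not.
    print("ACL 101 PC-C -> R2:", evaluate(ACL_101, "192.168.3.5", "10.2.2.2"))
    print("ACL 101 R2 -> PC-C:", evaluate(ACL_101, "10.2.2.2", "192.168.3.5"))
    print("OUT-IN R2 -> PC-A: ", evaluate(OUT_IN, "10.2.2.2", "192.168.1.5"))
```

Note what this static match does not model: the CBAC ip inspect rule and the ZPF inspect action open temporary return-path entries, which is why PC-A's pings to PC-C succeed in Task 8 Step 5 even though OUT-IN denies everything inbound. A plain ACL evaluator answers "deny" for the echo reply; the stateful inspection is what lets it through.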

Step 4. Create a class map referencing the internal traffic ACL.

Create a class map named IN-NET-CLASS-MAP to match ACL 101.

R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP

R3(config-cmap)# match access-group 101

R3(config-cmap)# exit

Step 5. Specify firewall policies.

Create a policy map named IN-2-OUT-PMAP to determine what to do with matched traffic.

R3(config)# policy-map type inspect IN-2-OUT-PMAP

Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.

R3(config-pmap)# class type inspect IN-NET-CLASS-MAP

Specify the action of inspect for this policy map.

R3(config-pmap-c)# inspect

You should see the following console message:

%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.

Exit to the global config prompt.

R3(config-pmap-c)# exit

R3(config-pmap)# exit

Step 6. Apply firewall policies.

Create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created earlier.

R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Attach a policy map and actions to the zone pair, referencing the policy map previously created, IN-2-OUT-PMAP.

R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP

Exit to the global config prompt and assign the internal and external interfaces to the security zones.

R3(config)# interface fa0/1

R3(config-if)# zone-member security IN-ZONE

R3(config-if)# interface s0/0/1

R3(config-if)# zone-member security OUT-ZONE

Step 7. Test firewall functionality.

Verify that the internal host can still access external resources.

- From PC-C, test connectivity with ping and Telnet to R2; all should be successful.

- From R2, ping PC-C. The pings should now be blocked.

Task 10: Secure the Switches

Step 1. Configure an enable secret password on all switches.

Use an enable secret password of ciscoenpa55.

S1(config)# enable secret ciscoenpa55

Step 2. Encrypt plaintext passwords.

S1(config)# service password-encryption

Step 3. Configure the console lines on all switches.

Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.

S1(config)# line console 0

S1(config-line)# password ciscoconpa55

S1(config-line)# exec-timeout 5 0

S1(config-line)# login

S1(config-line)# logging synchronous

Step 4. Configure vty lines on all switches.

Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the basic login parameter.

S1(config)# line vty 0 4

S1(config-line)# password ciscovtypa55

S1(config-line)# exec-timeout 5 0

S1(config-line)# login

Step 5. Secure trunk ports on S1 and S2.

Configure port Fa0/1 on S1 as a trunk port.

S1(config)# interface FastEthernet 0/1

S1(config-if)# switchport mode trunk

Configure port Fa0/1 on S2 as a trunk port.

S2(config)# interface FastEthernet 0/1

S2(config-if)# switchport mode trunk

Verify that S1 port Fa0/1 is in trunking mode.

S1# show interfaces trunk

Set the native VLAN on S1 and S2 trunk ports to an unused VLAN 99.

S1(config)# interface Fa0/1

S1(config-if)# switchport trunk native vlan 99

S1(config-if)# end

S2(config)# interface Fa0/1

S2(config-if)# switchport trunk native vlan 99

S2(config-if)# end

Set the trunk ports on S1 and S2 so that they do not negotiate by turning off the generation of DTP frames.

S1(config)# interface Fa0/1

S1(config-if)# switchport nonegotiate

S2(config)# interface Fa0/1

S2(config-if)# switchport nonegotiate

Enable storm control for broadcasts on the S1 and S2 trunk ports with a 50 percent rising suppression level.

S1(config)# interface FastEthernet 0/1

S1(config-if)# storm-control broadcast level 50

S2(config)# interface FastEthernet 0/1

S2(config-if)# storm-control broadcast level 50

Step 6. Secure access ports.

Disable trunking on S1, S2 and S3 access ports.

S1(config)# interface FastEthernet 0/5

S1(config-if)# switchport mode access

S1(config-if)# interface FastEthernet 0/6

S1(config-if)# switchport mode access

S2(config)# interface FastEthernet 0/18

S2(config-if)# switchport mode access

S3(config)# interface FastEthernet 0/5

S3(config-if)# switchport mode access

S3(config-if)# interface FastEthernet 0/6

S3(config-if)# switchport mode access

Enable PortFast on S1, S2, and S3 access ports.

S1(config)# interface FastEthernet 0/5

S1(config-if)# spanning-tree portfast

S1(config-if)# interface FastEthernet 0/6

S1(config-if)# spanning-tree portfast

S2(config)# interface FastEthernet 0/18

S2(config-if)# spanning-tree portfast

S3(config)# interface FastEthernet 0/5

S3(config-if)# spanning-tree portfast

S3(config-if)# interface FastEthernet 0/6

S3(config-if)# spanning-tree portfast

Enable BPDU guard on the switch ports previously configured as access only.

S1(config)# interface FastEthernet 0/5

S1(config-if)# spanning-tree bpduguard enable

S1(config-if)# interface FastEthernet 0/6

S1(config-if)# spanning-tree bpduguard enable

S2(config)# interface FastEthernet 0/18

S2(config-if)# spanning-tree bpduguard enable

S3(config)# interface FastEthernet 0/5

S3(config-if)# spanning-tree bpduguard enable

S3(config-if)# interface FastEthernet 0/6

S3(config-if)# spanning-tree bpduguard enable

Enable basic default port security on all end-user access ports that are in use. Use the sticky option. Re-enable each access port to which port security was applied.

S1(config)# interface FastEthernet 0/5

S1(config-if)# shutdown

S1(config-if)# switchport port-security

S1(config-if)# switchport port-security mac-address sticky

S1(config-if)# no shutdown

S1(config-if)# interface FastEthernet 0/6

S1(config-if)# shutdown

S1(config-if)# switchport port-security

S1(config-if)# switchport port-security mac-address sticky

S1(config-if)# no shutdown

S2(config)# interface FastEthernet 0/18

S2(config-if)# shutdown

S2(config-if)# switchport port-security

S2(config-if)# switchport port-security mac-address sticky

S2(config-if)# no shutdown

S3(config)# interface FastEthernet 0/5

S3(config-if)# shutdown

S3(config-if)# switchport port-security

S3(config-if)# switchport port-security mac-address sticky

S3(config-if)# no shutdown

S3(config-if)# interface FastEthernet 0/6

S3(config-if)# shutdown

S3(config-if)# switchport port-security

S3(config-if)# switchport port-security mac-address sticky

S3(config-if)# no shutdown

Disable any ports not being used on each switch.

S1(config)# interface range Fa0/2 - 4

S1(config-if-range)# shutdown

S1(config-if-range)# interface range Fa0/7 - 24

S1(config-if-range)# shutdown

S1(config-if-range)# interface range gigabitethernet1/1 - 2

S1(config-if-range)# shutdown

S2(config)# interface range Fa0/2 - 17

S2(config-if-range)# shutdown

S2(config-if-range)# interface range Fa0/19 - 24

S2(config-if-range)# shutdown

S2(config-if-range)# interface range gigabitethernet1/1 - 2

S2(config-if-range)# shutdown

S3(config)# interface range Fa0/1 - 4

S3(config-if-range)# shutdown

S3(config-if-range)# interface range Fa0/7 - 24

S3(config-if-range)# shutdown

S3(config-if-range)# interface range gigabitethernet1/1 - 2

S3(config-if-range)# shutdown

Task 11: Verification

Step 1. Test the SSH configuration.

Attempt to connect to R3 via Telnet from PC-C.

From PC-C, enter the command to connect to R3 via Telnet at IP address 192.168.3.1.

This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines.

From PC-C, enter the ssh -l Admin01 192.168.3.1 command to connect to R3 via SSH.

When prompted for the password, enter the password Admin01pa55 configured for the local administrator. Use the show ip ssh command to see the configured settings.

R3# show ip ssh

SSH Enabled - version 2.0

Authentication timeout: 90 secs; Authentication retries: 2

Step 2. Verify timestamps and NTP status for R1 and PC-A.

R1# show clock

*17:28:49.898 UTC Tue May 19 2009

R1# show ntp status

Clock is synchronized, stratum 2, reference is 192.168.1.5

nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19

reference time is CD99AF95.0000011B (15:00:37.283 UTC Tue May 19 2009)

clock offset is 0.00 msec, root delay is 0.00 msec

root dispersion is 0.02 msec, peer dispersion is 0.02 msec.

Step 3. Test the CBAC firewall on R1.

- Ping from PC-A to R2 at 10.2.2.2 (should succeed)

- Telnet from PC-A to R2 at 10.2.2.2 (should succeed)

- Ping from R2 to PC-A at 192.168.1.3 (should fail)

Step 4. Test the ZPF firewall on R3.

- Ping from PC-C to R2 at 10.2.2.2 (should succeed)

- Telnet from PC-C to R2 at 10.2.2.2 (should succeed)

- Ping from R2 to PC-C at 192.168.3.5 (should fail)

- Telnet from R2 to R3 at 10.2.2.1 (should fail, since only SSH is allowed)

Step 5. Verify port security.

On S2, use the show run command to confirm that S2 has added a sticky MAC address for Fa0/18. This should be the MAC address of PC-B. Record the MAC address for later use.

S2#show run

Building configuration…

<output omitted>

interface FastEthernet0/18

switchport mode access

switchport port-security

switchport port-security mac-address sticky

switchport port-security mac-address sticky 0001.435D.3057

spanning-tree portfast

spanning-tree bpduguard enable

<output omitted>

Select PC-B. Go to the Config tab. Select FastEthernet under the Interface section. Edit the MAC address field. For example, change it from 0001.435D.3057 to 0001.435D.AAAA. This should cause a port security violation, and S2 should shut down port Fa0/18.

Use the show interface Fa0/18 command to view the status of the port. The port should be in the err-disabled state.

S2#show int fa0/18

FastEthernet0/18 is down, line protocol is down (err-disabled)

<output omitted>

S2#show port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
   Fa0/18          1             1              1             Shutdown
---------------------------------------------------------------------------

On PC-B, go to the Config tab. Select FastEthernet under the Interface section. Change the MAC address to another address. For example, change it from 0001.435D.AAAA to 0001.435D.BBBB.

From interface configuration mode on switch S2 for Fa0/18, use the no switchport port-security mac-address sticky address command to remove the original PC-B learned address.

S2(config)# int fa0/18

S2(config-if)# no switchport port-security mac-address sticky 0001.435D.3057

Shutdown and then re-enable the Fa0/18 interface.

S2(config)# int fa0/18

S2(config-if)# shutdown

S2(config-if)# no shutdown

On S2, use the show run command to confirm that the port comes up and that the new MAC address has been learned.

S2#show run

Building configuration…

<output omitted>

interface FastEthernet0/18

switchport mode access

switchport port-security

switchport port-security mac-address sticky

switchport port-security mac-address sticky 0001.435D.BBBB

spanning-tree portfast

spanning-tree bpduguard enable

<output omitted>

Note: If you want to reconnect the PC with the original MAC address, simply change the MAC address on the PC back to the original one and issue the shutdown and no shutdown commands on port Fa0/18. If the PC or its NIC is being replaced and will have a new MAC address, you must first remove the old learned address.

Step 6. Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
