Redes
Submitted by pukaflc • 20 September 2014 • Essay • 2,300 Words (10 Pages) • 167 Views
Introduction
In this comprehensive practice activity, you will apply a combination of security measures that were introduced in the course. These measures are listed in the objectives.
In the topology, R1 is the edge router for Company A while R3 is the edge router for Company B. These networks are interconnected via the R2 router, which represents the ISP. You will configure various security features on the routers and switches for Company A and Company B. Not all security features will be configured on R1 and R3.
Learning Objectives
Secure the routers with strong passwords, password encryption and a login banner.
Secure the console and VTY lines with passwords.
Configure local AAA authentication.
Configure SSH server.
Configure router for syslog.
Configure router for NTP.
Secure the router against login attacks.
Configure CBAC and ZPF firewalls.
Secure network switches.
Task 1: Test Connectivity and Verify Configurations
Step 1. Verify IP addresses.
Step 2. Verify routing tables.
Step 3. Test connectivity.
From PC-A, ping PC-C at IP address 192.168.3.5.
Task 2: Secure the Routers
Step 1. Set a minimum password length of 10 characters on routers R1 and R3.
R1(config)#security passwords min-length 10
Step 2. Configure an enable secret password on router R1 and R3.
Use an enable secret password of ciscoenpa55.
R1(config)#enable secret ciscoenpa55
Step 3. Encrypt plaintext passwords.
R1(config)#service password-encryption
Step 4. Configure the console lines on R1 and R3.
Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.
R1(config)#line console 0
R1(config-line)#password ciscoconpa55
R1(config-line)#login
R1(config-line)#exec-timeout 5
R1(config-line)#logging synchronous
Step 5. Configure vty lines on R1.
Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the login authentication to use the default AAA list to be defined later.
Note: The vty lines on R3 will be configured for SSH in a later task.
R1(config)#line vty 0 4
R1(config-line)#exec-timeout 5
R1(config-line)#password ciscovtypa55
R1(config-line)#login
R1(config-line)#login authentication default
Step 6. Configure login banner on R1 and R3.
Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: “No Unauthorized Access!”
R1(config)#banner motd "No Unauthorized Access!"
Task 3: Configure Local Authentication on R1 and R3
Step 1. Configure the local user database.
Create a local user account of Admin01 with a secret password of Admin01pa55.
Step 2. Enable AAA services.
Step 3. Implement AAA services using the local database.
Create the default login authentication method list using local authentication with no backup method.
R1(config)#username Admin01 secret Admin01pa55
R1(config)#aaa new-model
R1(config)#aaa authentication login default local none
Task 4: Configure NTP
Step 1. Enable NTP authentication on PC-A.
On PC-A, choose the Config tab, and then the NTP button. Select On for NTP service. Enable authentication and enter a Key of 1 and a password of ciscontppa55.
Step 2. Configure R1 as an NTP Client.
Configure NTP authentication Key 1 with a password of ciscontppa55. Configure R1 to synchronize with the NTP server and authenticate using Key 1.
Step 3. Configure routers to update hardware clock.
Configure routers to periodically update the hardware clock with the time learned from NTP.
R1(config)#ntp trusted-key 1
R1(config)#ntp server 192.168.1.5 key 1
R1(config)#ntp authentication-key 1 md5 ciscontppa55
R1(config)#ntp update-calendar
R1(config)#ntp authenticate
Task 5: Configure R1 as Syslog Client
Step 1. Configure R1 to timestamp log messages.
Configure timestamp service for logging on the routers.
Step 2. Configure R1 to log messages to the syslog server.
Configure the routers to identify the remote host (syslog server) that will receive logging messages.
You should see a console message similar to the following:
SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.6 port 514 started – CLI initiated
R1(config)#logging on
R1(config)#service timestamps log datetime msec
R1(config)#logging 192.168.1.6
Step 3. Check for syslog messages on PC-B.
On R1, exit config mode to generate a syslog message. Open the syslog server on PC-B to view the message sent from R1. You should see a message similar to the following on the syslog server:
%SYS-5-CONFIG_I: Configured from console by console
Task 6: Secure Router Against Login Attacks
Step 1. Log unsuccessful login attempts to R1.
R1(config)#login on-failure log
Step 2. Telnet to R1 from PC-A.
Telnet from PC-A to R1 and provide the username Admin01 and password Admin01pa55. The Telnet should be successful.
Step 3. Telnet to R1 from PC-A and check syslog messages on the syslog server.
Exit from the current Telnet session and Telnet again to R1 using the username of baduser and any password. Check the syslog server on PC-B. You should see an error message similar to the following that is generated by the failed login attempt.
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:baduser] [Source:192.168.1.5]
[localport:23] [Reason:Invalid login] at 15:01:23 UTC Wed June 17 2009
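The failed-login messages R1 sends to the syslog server in this task are only useful if someone reads them. The following Python script, an added example that is not part of the lab, parses SEC_LOGIN-4-LOGIN_FAILED lines in the format shown above from a constructed log sample and reports sources that exceed a failure threshold, together with the usernames they tried; the sample lines and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed syslog lines in the SEC_LOGIN-4-LOGIN_FAILED format shown above
# (not captured from the lab's PC-B syslog server).
SAMPLE_LOG = """\
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:baduser] [Source:192.168.1.5] [localport:23] [Reason:Invalid login] at 15:01:23 UTC Wed June 17 2009
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:admin] [Source:10.0.0.9] [localport:23] [Reason:Invalid login] at 15:01:30 UTC Wed June 17 2009
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:root] [Source:10.0.0.9] [localport:22] [Reason:Invalid login] at 15:01:31 UTC Wed June 17 2009
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:cisco] [Source:10.0.0.9] [localport:23] [Reason:Invalid login] at 15:01:32 UTC Wed June 17 2009
%SYS-5-CONFIG_I: Configured from console by console
"""

# Pull the bracketed fields out of a LOGIN_FAILED message; other messages do not match.
FAILED = re.compile(
    r"SEC_LOGIN-4-LOGIN_FAILED:.*?\[user:(?P<user>[^\]]*)\]"
    r".*?\[Source:(?P<src>[^\]]+)\].*?\[localport:(?P<port>\d+)\]"
)

def parse_failed_logins(text):
    # Return (user, source, localport) for every LOGIN_FAILED line in the log text.
    events = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            events.append((m["user"], m["src"], int(m["port"])))
    return events

def suspicious_sources(text, threshold=3):
    # Map each source with at least `threshold` failures to the sorted usernames it tried.
    events = parse_failed_logins(text)
    counts = Counter(src for _, src, _ in events)
    return {src: sorted({u for u, s, _ in events if s == src})
            for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for src, users in suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} usernames tried: {', '.join(users)}")
```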
Task 7: Configure SSH on R3
Step 1. Configure a domain name.
Configure a domain name of ccnasecurity.com on R3.
R3(config)#ip domain name ccnasecurity.com
Step 2. Configure the incoming vty lines on R3.
Use the local user accounts for mandatory login and validation and accept only SSH connections.
R3(config)#line vty 0 4
R3(config-line)#login authentication default
R3(config-line)#transport input ssh
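After Tasks 2 through 7 the running-config should contain a fixed set of hardening commands (minimum password length, enable secret, password encryption, AAA, log timestamps, failed-login logging, MOTD banner, and per-line exec-timeout, login and SSH-only transport). The following Python script is an added example, not part of the lab, that audits a running-config fragment for those controls; the sample configuration is constructed and deliberately leaves a few controls out.

```python
import re
# Constructed running-config fragment (not taken from the lab devices); a few
# controls are left out on purpose so the audit has something to report.
SAMPLE_CONFIG = """\
security passwords min-length 10
enable secret 5 $1$EXAMPLE$placeholderhash
service password-encryption
aaa new-model
line con 0
 login
 exec-timeout 5 0
line vty 0 4
 login authentication default
 transport input telnet
"""
# Global commands the lab expects; the message is reported when the regex is absent.
GLOBAL_CHECKS = [
    (r"^security passwords min-length [1-9]\d+\b", "minimum password length below 10"),
    (r"^enable secret ", "no enable secret"),
    (r"^service password-encryption", "plaintext passwords not encrypted"),
    (r"^aaa new-model", "AAA not enabled"),
    (r"^service timestamps log datetime", "log messages not timestamped"),
    (r"^login on-failure log", "failed logins not logged"),
    (r"^banner motd", "no MOTD banner"),
]

def line_blocks(config):
    # Map each 'line con 0' / 'line vty 0 4' block to its indented sub-commands.
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_config(config):
    # Return the hardening gaps found, in a fixed order so results are comparable.
    findings = [msg for pat, msg in GLOBAL_CHECKS if not re.search(pat, config, re.M)]
    for name, cmds in line_blocks(config).items():
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"line {name}: no exec-timeout")
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"line {name}: login not required")
        if name.startswith("vty") and "transport input ssh" not in cmds:
            findings.append(f"line {name}: accepts non-SSH transports")
    return findings
```

Run `audit_config()` on the output of `show running-config` saved to a file to compare a device against the lab's checklist.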
Step 3. Configure RSA encryption key pair for R3.
Any existing RSA key pairs should be erased on the router. If there are no keys currently configured a message
...