CCNA Security PT Practice SBA

Published by kokiccna2012 on Jul 22, 2012
A few things to keep in mind while completing this activity:
1. Do not use the browser Back button or close or reload any Exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.

Introduction

In this practice Packet Tracer Skills Based Assessment, you will:
- configure basic device hardening and secure network management
- configure a CBAC firewall to implement security policies
- configure devices to protect against STP attacks and to enable broadcast storm control
- configure port security and disable unused switch ports
- configure an IOS IPS
- configure a ZPF to implement security policies
- configure a site-to-site IPsec VPN
Addressing Table

Device            Interface   IP Address        Subnet Mask       Gateway          DNS Server
Internet          S0/0/0      209.165.200.225   255.255.255.252   n/a              n/a
                  S0/0/1      192.31.7.1        255.255.255.252   n/a              n/a
                  S0/1/0      198.133.219.1     255.255.255.252   n/a              n/a
                  Fa0/0       192.135.250.1     255.255.255.0     n/a              n/a
CORP              S0/0/0      209.165.200.226   255.255.255.252   n/a              n/a
                  Fa0/0       10.1.1.254        255.255.255.0     n/a              n/a
                  Fa0/1.10    172.16.10.254     255.255.255.0     n/a              n/a
                  Fa0/1.25    172.16.25.254     255.255.255.0     n/a              n/a
                  Fa0/1.99    172.16.99.254     255.255.255.0     n/a              n/a
Branch            S0/0/0      198.133.219.2     255.255.255.252   n/a              n/a
                  Fa0/0       198.133.219.62    255.255.255.224   n/a              n/a
External          S0/0/0      192.31.7.2        255.255.255.252   n/a              n/a
                  Fa0/0       192.31.7.62       255.255.255.224   n/a              n/a
Public Svr        NIC         192.135.250.5     255.255.255.0     192.135.250.1    n/a
External Web Svr  NIC         192.31.7.35       255.255.255.224   192.31.7.62      192.135.250.5
External PC       NIC         192.31.7.33       255.255.255.224   192.31.7.62      192.135.250.5
NTP/Syslog Svr    NIC         172.16.25.2       255.255.255.0     172.16.25.254    10.1.1.5
DMZ DNS Svr       NIC         10.1.1.5          255.255.255.0     10.1.1.254       192.135.250.5
DMZ Web Svr       NIC         10.1.1.2          255.255.255.0     10.1.1.254       10.1.1.5
PC0               NIC         172.16.10.5       255.255.255.0     172.16.10.254    10.1.1.5
PC1               NIC         172.16.10.10      255.255.255.0     172.16.10.254    10.1.1.5
Net Admin         NIC         172.16.25.5       255.255.255.0     172.16.25.254    10.1.1.5
Admin PC          NIC         198.133.219.35    255.255.255.224   198.133.219.62   192.135.250.5
Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.
Step 1: Configure Basic Device Hardening for the CORP Router.
a. Configure the CORP router to only accept passwords with a minimum length of 10 characters.
b. Configure an encrypted privileged level password of ciscoclass.
c. Enable password encryption for all clear text passwords in the configuration file.
d. Configure the console port and all vty lines with the following requirements:
   Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas.
   - use the local database for login
   - disconnect after being idle for 20 minutes
e. Disable the CDP protocol only on the link to the Internet router.
Step 2: Configure Secure Network Management for the CORP Router.
a. Enable the CORP router:
   - as an NTP client to the NTP/Syslog server
   - to update the router calendar (hardware clock) from the NTP time source
   - to timestamp log messages
   - to send logging messages to the NTP/Syslog server
b. Configure the CORP router to accept SSH connections. Use the following guidelines:
   Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
   - domain name is theccnas.com
   - RSA encryption key pair using a modulus of 1024
   - SSH version 2, timeout of 90 seconds, and 2 authentication retries
   - all vty lines accept only SSH connections
c. Configure the CORP router with AAA authentication and verify its functionality:
   - AAA authentication using the local database as the default for console line and vty lines access
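The following IOS configuration is an added example for Steps 1 and 2 together; it is not part of the original SBA document or an official answer key. It takes the NTP/Syslog server address (172.16.25.2) from the addressing table and assumes the Internet-facing link is Serial0/0/0 and that the router has five vty lines (vty 0 4); adjust both if your topology differs.

```cisco
! CORP router, Steps 1 and 2 (added example, not from the original document)
enable
configure terminal
! Step 1a-1c: password policy, encrypted enable secret, encrypt clear-text passwords
security passwords min-length 10
enable secret ciscoclass
service password-encryption
! Step 1d: console and vty lines use the local user database (CORPADMIN already
! exists) and drop idle sessions after 20 minutes 0 seconds
line console 0
 login local
 exec-timeout 20 0
 exit
line vty 0 4
 login local
 exec-timeout 20 0
 exit
! Step 1e: CDP stays on internally; it is disabled only toward the Internet router
! (assumption: that link is Serial0/0/0, per the addressing table)
interface Serial0/0/0
 no cdp enable
 exit
! Step 2a: NTP client, hardware-clock sync, timestamped log messages, remote syslog
ntp server 172.16.25.2
ntp update-calendar
service timestamps log datetime msec
logging host 172.16.25.2
! Step 2b: SSH server; the RSA key needs the hostname and domain name to be set first
ip domain-name theccnas.com
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
 exit
! Step 2c: AAA with the local database as the default login method; once
! aaa new-model is on, the lines authenticate through this list, not "login local"
aaa new-model
aaa authentication login default local
end
! Verification (assumed show commands; output not reproduced here)
show ntp status
show clock
show ip ssh
show running-config | include aaa|ntp|logging
```

Apply the AAA lines last and keep an existing session open while you test a fresh SSH login as SSHAccess from Net Admin: with aaa new-model enabled, a mistake in the default method list locks out both the console and the vty lines, and the open session is the only way back in.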
Step 3: Configure Device Hardening for Switch1.
a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.
b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.
c. Configure Switch1 to protect against STP attacks.
   - Configure PortFast on FastEthernet ports 0/1 to 0/23.
   - Enable BPDU guard on FastEthernet ports 0/1 to 0/23.
d. Configure port security and disable unused ports.
   - Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23. Allow the MAC address to be learned dynamically and to shut down the port if a violation occurs.
   - Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).
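An added example of the Switch1 configuration for Step 3 (not from the original document). It assumes Fa0/1 to 0/23 are access ports, which port security requires, and that Fa0/24 is the uplink named in the task.

```cisco
! Switch1, Step 3 (added example, not from the original document)
enable
configure terminal
! Step 3b: suppress broadcasts on the uplink once they exceed 50% of bandwidth
interface FastEthernet0/24
 storm-control broadcast level 50
 exit
! Step 3c: access ports go forwarding immediately, and any BPDU received on them
! err-disables the port, so a rogue switch cannot take over the STP root role
interface range FastEthernet0/1 - 23
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
! Step 3d: port security, at most 2 dynamically learned MAC addresses; a third
! address shuts the port down (violation mode shutdown). No "sticky" keyword,
! since the task asks for dynamic learning only.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 exit
! Step 3d: administratively disable the unused ports
interface range FastEthernet0/2 - 5 , FastEthernet0/7 - 10 , FastEthernet0/13 - 23
 shutdown
 exit
end
! Verification (assumed show commands)
show storm-control
show spanning-tree summary
show port-security
show port-security interface FastEthernet0/1
```

Because both BPDU guard and the port-security violation action place a port in err-disabled state, a port that stops passing traffic after this step should be checked with show interfaces status before assuming a cabling fault; shutdown followed by no shutdown on the interface clears the err-disabled condition.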
Step 4: Configure an IOS IPS on the CORP Router.
a. On the CORP router, create a directory in flash named ipsdir.
b. Configure the IPS signature storage location to be flash:ipsdir.
c. Create an IPS rule named corpips.
d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
e. Apply the IPS rule to the Fa0/0 interface.
f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.
g. Verify that IPS is working properly. Net Admin in the internal network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping Net Admin.
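An added example of the IOS IPS configuration for Step 4 (not from the original document). The task does not state the direction in which the rule is applied; the example uses "out" on Fa0/0, the DMZ interface, because that is the direction consistent with the verification in 4g (echo requests leaving toward the DMZ are dropped, echo requests arriving from the DMZ are not inspected). That choice is an inference, not something the page states.

```cisco
! CORP router, Step 4 (added example, not from the original document)
enable
! Step 4a: signature storage directory in flash (confirm the name when prompted)
mkdir ipsdir
configure terminal
! Step 4b-4c: storage location and the IPS rule name
ip ips config location flash:ipsdir
ip ips name corpips
! Step 4d: retire every signature, then bring back only the basic category
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
! Step 4e: apply the rule on the DMZ interface. Direction "out" is an assumption
! derived from 4g: traffic from the inside toward the DMZ is inspected, traffic
! from the DMZ toward the inside is not.
interface FastEthernet0/0
 ip ips corpips out
 exit
! Step 4f: signature 2004 subsig 0 (ICMP echo request): unretire, enable, and
! set the actions to alert and drop the matching packet inline
ip ips signature-definition
 signature 2004 0
  status
   retired false
   enabled true
   exit
  engine
   event-action produce-alert
   event-action deny-packet-inline
   exit
  exit
 exit
end
! Verification (assumed show commands); confirm the signature change when prompted
show ip ips configuration
show ip ips signatures
```

Test 4g from both sides: a ping from Net Admin (172.16.25.5) to DMZ Web Svr (10.1.1.2) should fail and produce a %IPS-4-SIGNATURE alert on the router, while a ping from DMZ Web Svr back to Net Admin should succeed. If the direction were reversed to "in", the outcome of the two pings would swap, which is the quickest way to tell the two placements apart.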
Step 5: Configure ACLs and CBAC on the CORP Router to Implement the Security Policy.
a. Create ACL 12 to implement the security policy regarding access to the vty lines:
   - Only users connecting from Net Admin and Admin PC are allowed access to the vty lines.
b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should be created in the order specified in the following guidelines (please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer):
   1. HTTP traffic is allowed to DMZ Web Svr.
   2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
   3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
   4. FTP traffic from the Branch administrator workstations in the subnet 198.133.219.32/27 is allowed to DMZ Web Svr.
c. To verify the DMZFIREWALL ACL, complete the following tests:
   - Admin PC in the branch office can access the URL http://www.theccnas.com;
   - Admin PC can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco;
   - Net Admin can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco; and
   - PC1 cannot open an FTP session to the DMZ Web Svr.
d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer):
   1. Allow HTTP traffic to the DMZ Web Svr.
   2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
   3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
   4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
   5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
e. To verify the INCORP ACL, complete the following tests:
   - Admin PC in the branch office can access the URL http://www.theccnas.com;
   - Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess; and
   - External PC cannot establish an SSH connection to the CORP router (209.165.200.226).
f. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.
g. Enable CBAC audit messages to be sent to the syslog server.
h. Verify the CBAC firewall configuration.
   - PC1 can access the External Web Svr (www.externalone.com).
   - PC1 can establish an SSH connection to the External router with username SSHadmin and password ciscosshpa55.
   - Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess.
Step 6: Configure a Zone-Based Policy Firewall on the Branch Router.
a. Access the Branch router with username CORPADMIN, password ciscoccnas and the enable secret password of ciscoclass.
b. On the Branch router, create the firewall zones.
   - Create an internal zone named BR-IN-ZONE.
Luis Miguel Custodio added this note: And the commands???????