PT Activity: Configure a Network for Secure Operation (Instructor Version)

Topology Diagram

[Figure not reproduced. Labels visible in the diagram: CBAC Firewall, ZPF Firewall, SSH Server, NTP Server, Syslog Server.]

Addressing Table

Device | Interface    | IP Address  | Subnet Mask     | Default Gateway | Switch Port
R1     | Fa0/1        | 192.168.1.1 | 255.255.255.0   | N/A             | S1 Fa0/5
R1     | S0/0/0 (DCE) | 10.1.1.1    | 255.255.255.252 | N/A             | N/A
R2     | S0/0/0       | 10.1.1.2    | 255.255.255.252 | N/A             | N/A
R2     | S0/0/1 (DCE) | 10.2.2.2    | 255.255.255.252 | N/A             | N/A
R3     | Fa0/1        | 192.168.3.1 | 255.255.255.0   | N/A             | S3 Fa0/5
R3     | S0/0/1       | 10.2.2.1    | 255.255.255.252 | N/A             | N/A
PC-A   | NIC          | 192.168.1.3 | 255.255.255.0   | 192.168.1.1     | S1 Fa0/6
PC-B   | NIC          | 192.168.1.6 | 255.255.255.0   | 192.168.1.1     | S2 Fa0/18
PC-C   | NIC          | 192.168.3.5 | 255.255.255.0   | 192.168.3.1     | S3 Fa0/18

Learning Objectives

- Secure the routers with strong passwords, password encryption and a login banner.
- Secure the console and VTY lines with passwords.
- Configure local AAA authentication.
- Configure SSH server.
- Configure router for syslog.
- Configure router for NTP.
- Secure the router against login attacks.
- Configure CBAC and ZPF firewalls.
- Secure network switches.

Introduction

In this comprehensive practice activity, you will apply a combination of security measures that were introduced in the course. These measures are listed in the objectives. In the topology, R1 is the edge router for Company A while R3 is the edge router for Company B. These networks are interconnected via the R2 router, which represents the ISP. You will configure various security features on the routers and switches for Company A and Company B. Not all security features will be configured on R1 and R3.

The following preconfigurations have been made:

- Hostnames on all devices
- IP addresses on all devices
- R2 console password: ciscoconpa55
- R2 password on VTY lines: ciscovtypa55
- R2 enable password: ciscoenpa55
- Static routing
- Syslog services on PC-B
- DNS lookup has been disabled
- IP default gateways for all switches

Task 1: Test Connectivity and Verify Configurations

Step 1. Verify IP addresses.

R1# show ip interface brief
R1# show run

Step 2. Verify routing tables.

R1# show ip route

Step 3. Test connectivity.

From PC-A, ping PC-C at IP address 192.168.3.5.

Task 2: Secure the Routers

Step 1. Set a minimum password length of 10 characters on routers R1 and R3.

R1(config)# security passwords min-length 10

Step 2. Configure an enable secret password on routers R1 and R3.

Use an enable secret password of ciscoenpa55.

Step 3. Encrypt plaintext passwords.

Step 4. Configure the console lines on R1 and R3.

Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.

Step 5. Configure vty lines on R1.

Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the login authentication to use the default AAA list to be defined later.

Note: The vty lines on R3 will be configured for SSH in a later task.

Step 6. Configure a login banner on R1 and R3.

Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: "Unauthorized Access!"

Task 3: Configure Local Authentication on R1 and R3

Step 1. Configure the local user database.

Create a local user account of Admin01 with a secret password of Admin01pa55.

Step 2. Enable AAA services.

Step 3. Implement AAA services using the local database.

Create the default login authentication method list using local authentication with no backup method.

Task 4: Configure NTP

Step 1. Enable NTP authentication on PC-A.

On PC-A, choose the Config tab, and then the NTP button. Select On for NTP service. Enable authentication and enter a Key of 1 and a password of ciscontppa55.

Step 2. Configure R1 as an NTP client.

Configure NTP authentication Key 1 with a password of ciscontppa55. Configure R1 to synchronize with the NTP server and authenticate using Key 1.

Task 5: Configure R1 as Syslog Client

Step 1. Configure R1 to timestamp log messages.

Configure timestamp service for logging on the routers.

Step 2. Configure R1 to log messages to the syslog server.

Configure the routers to identify the remote host (syslog server) that will receive logging messages. You should see a console message similar to the following:

Logging to host 192.168.1.6 port 514 started

Step 3. Check for syslog messages on PC-B.

On R1, exit config mode to generate a syslog message. Open the syslog server on PC-B to view the message sent from R1. You should see a message similar to the following on the syslog server:

Task 6: Secure Router Against Login Attacks

Step 1. Log unsuccessful login attempts to R1.

Step 2. Telnet to R1 from PC-A.

Telnet from PC-A to R1 and provide the username Admin01 and password Admin01pa55. The Telnet should be successful.

Step 3. Telnet to R1 from PC-A and check syslog messages on the syslog server.

Exit from the current Telnet session and Telnet again to R1 using the username of baduser and any password. Check the syslog server on PC-B. You should see an error message similar to the following that is generated by the failed login attempt:

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: baduser] [Source: 192.168.1.3] [localport: 23] [Reason: Invalid login] at 15:01:23 UTC Wed June 17 2005

Task 7: Configure SSH on R3

Step 1. Configure a domain name.

Configure a domain name of ccnasecurity.com on R3.

Step 2. Configure the incoming vty lines on R3.

Use the local user accounts for mandatory login and validation and accept only SSH connections.

Step 3. Configure an RSA encryption key pair for R3.

Any existing RSA key pairs should be erased on the router. If there are no keys currently configured, a message will be displayed indicating this. Configure the RSA keys with a modulus of 1024.

Step 4. Configure SSH timeouts and authentication parameters.

Set the SSH timeout to 80 seconds, the number of authentication retries to 2, and the version to 2.

R3(config)# ip ssh version 2

Task 8: Configure CBAC on R1

Step 1. Configure a named IP ACL.

Create an IP ACL named OUT-IN to block all traffic originating from the outside network.

R1(config)# ip access-list extended OUT-IN
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit

Apply the access list to incoming traffic on interface Serial 0/0/0.

R1(config)# interface s0/0/0
R1(config-if)# ip access-group OUT-IN in

Step 2. Confirm that traffic entering interface Serial 0/0/0 is dropped.

From the PC-A command prompt, ping PC-C. The ICMP echo replies are blocked by the ACL.

Step 3. Create an inspection rule to inspect ICMP, Telnet and HTTP traffic.

Create an inspection rule named IN-OUT-IN to inspect ICMP, Telnet and HTTP traffic.

R1(config)# ip inspect name IN-OUT-IN icmp
R1(config)# ip inspect name IN-OUT-IN telnet
R1(config)# ip inspect name IN-OUT-IN http

Step 4. Apply the inspect rule to the outside interface.

Apply the IN-OUT-IN inspection rule to the interface where traffic exits to outside networks.

R1(config)# interface s0/0/0
R1(config-if)# ip inspect IN-OUT-IN out

Step 5. Test operation of the inspection rule.

From the PC-A command prompt, ping PC-C. The ICMP echo replies should be inspected and allowed through.

Task 9: Configure ZPF on R3

Step 1. Test connectivity.

Verify that the internal host can access external resources.

- From PC-C, test connectivity with ping and Telnet to R2; all should be successful.
- From R2, ping to PC-C. The pings should be allowed.

Step 2. Create the firewall zones.

Create an internal zone named IN-ZONE.

R3(config)# zone security IN-ZONE

Create an external zone named OUT-ZONE.

R3(config)# zone security OUT-ZONE

Step 3. Create an ACL that defines internal traffic.

Create an extended, numbered ACL that permits all IP protocols from the 192.168.3.0/24 source network to any destination. Use 101 for the ACL number.

R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Step 4. Create a class map referencing the internal traffic ACL.

Create a class map named IN-NET-CLASS-MAP to match ACL 101.

R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)# match access-group 101
R3(config-cmap)# exit

Step 5. Specify firewall policies.

Create a policy map named IN-2-OUT-PMAP to determine what to do with matched traffic.

R3(config)# policy-map type inspect IN-2-OUT-PMAP

Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.

R3(config-pmap)# class type inspect IN-NET-CLASS-MAP

Specify the action of inspect for this policy map.

R3(config-pmap-c)# inspect

You should see the following console message:

Exit to the global config prompt.

R3(config-pmap-c)# exit
R3(config-pmap)# exit

Step 6. Apply firewall policies.

Create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created earlier.

R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Attach a policy map and actions to the zone pair, referencing the policy map previously created, IN-2-OUT-PMAP.

R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP

Exit to the global config prompt and assign the internal and external interfaces to the security zones.

R3(config)# interface fa0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE

Step 7. Test firewall functionality.

Verify that the internal host can still access external resources.

- From PC-C, test connectivity with ping and Telnet to R2; all should be successful.
- From R2, ping to PC-C. The pings should now be blocked.

Task 10: Secure the Switches

Step 1. Configure an enable secret password on all switches.

Use an enable secret password of ciscoenpa55.

Step 2. Encrypt plaintext passwords.

Step 3. Configure the console lines on all switches.

Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.

Step 4. Configure vty lines on all switches.

Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the basic login parameter.

Step 5. Secure trunk ports on S1 and S2.

Configure port Fa0/1 on S1 as a trunk port. Configure port Fa0/1 on S2 as a trunk port. Verify that S1 port Fa0/1 is in trunking mode. Set the native VLAN on the S1 and S2 trunk ports to an unused VLAN 99. Set the trunk ports on S1 and S2 so that they do not negotiate, by turning off the generation of DTP frames. Enable storm control for broadcasts on the S1 and S2 trunk ports with a 50 percent rising suppression level.

Step 6. Secure access ports.

Disable trunking on S1, S2 and S3 access ports. Enable PortFast on S1, S2, and S3 access ports. Enable BPDU guard on the switch ports previously configured as access only. Enable basic default port security on all end-user access ports that are in use. Use the sticky option. Re-enable each access port to which port security was applied. Disable any ports not being used on each switch.

Task 11: Verification

Step 1. Test SSH configuration.

Attempt to connect to R3 via Telnet from PC-C. From PC-C, enter the command to connect to R3 via Telnet at IP address 192.168.3.1. This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines.

From PC-C, enter the ssh -l Admin01 192.168.3.1 command to connect to R3 via SSH. When prompted for the password, enter the password Admin01pa55 configured for the local administrator.

Use the show ip ssh command to see the configured settings.

Step 2. Verify timestamps and NTP status for R1 and PC-A.

Step 3. Test the CBAC firewall on R1.

- Ping from PC-A to R2 at 10.2.2.2 (should succeed)
- Telnet from PC-A to R2 at 10.2.2.2 (should succeed)
- Ping from R2 to PC-A at 192.168.1.3 (should fail)

Step 4. Test the ZPF firewall on R3.

- Ping from PC-C to R2 at 10.2.2.2 (should succeed)
- Telnet from PC-C to R2 at 10.2.2.2 (should succeed)
- Ping from R2 to PC-C at 192.168.3.5 (should fail)
- Telnet from R2 to R3 at 10.2.2.1 (should fail; only SSH is allowed)

Step 5. Verify port security.

On S2, use the show run command to confirm that S2 has added a sticky MAC address for Fa0/18. This should be the MAC address of PC-B. Record the MAC address for later use.

Select PC-B. Go to the Config tab. Select FastEthernet under the Interface section. Edit the MAC address field. For example, change it from 0001.4380.3067 to 0001.435D.AAAA. This should cause a port security violation and S2 should shut down port Fa0/18.

Use the show interface Fa0/18 command to view the status of the port. The port should be in the err-disabled state.

On PC-B, go to the Config tab. Select FastEthernet under the Interface section. Change the MAC address to another address.

From interface configuration mode on switch S2 for Fa0/18, use the no switchport port-security mac-address sticky address command to remove the original PC-B learned address.

Shut down and then re-enable the Fa0/18 interface. On S2, use the show run command to confirm that the port comes up and that the new MAC address has been learned.

Note: If it is desired to reconnect the PC with the original MAC address, you can simply change the MAC address on the PC back to the original one and issue the shutdown and no shutdown commands on port Fa0/18. If the PC or a NIC is being replaced and will have a new MAC address, you must first remove the old learned address.

Step 6. Check results.

Your completion percentage should be 100%.
Click Check Results to see feedback and verification of which required components have been completed.
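Task 6 has R1 send failed-login messages to the syslog server on PC-B. The following Python script is an added example, not part of the lab: it parses lines in the %SEC_LOGIN-4-LOGIN_FAILED format shown in Task 6 and flags any source address with repeated failures inside a short window, which is the pattern a syslog collector should alert on. The lines in SAMPLE_LOG and the threshold values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout of the %SEC_LOGIN-4-LOGIN_FAILED message as R1 sends it to the PC-B syslog server.
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<source>[\d.]+)\] \[localport: (?P<port>\d+)\] "
    r"\[Reason: (?P<reason>[^\]]*)\] at (?P<time>\d\d:\d\d:\d\d) \S+ \S+ (?P<date>\w+ \d+ \d{4})"
)

def parse_failed_login(line):
    """Return the message fields as a dict (port as int, 'when' as datetime),
    or None when the line is not a LOGIN_FAILED message."""
    m = LOGIN_FAILED.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%B %d %Y %H:%M:%S")
    return rec

def flag_sources(lines, threshold=3, window_seconds=60):
    """Return {source_ip: total failures} for every source that produced at least
    `threshold` failed logins inside any `window_seconds` span (a password-guessing signal)."""
    by_source = defaultdict(list)
    for line in lines:
        rec = parse_failed_login(line)
        if rec:
            by_source[rec["source"]].append(rec["when"])
    flagged = {}
    for src, times in by_source.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[src] = len(times)
                break
    return flagged

# Constructed sample: three failures from one host within 35 seconds, one stray failure, one success.
SAMPLE_LOG = [
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: baduser] [Source: 192.168.1.3] [localport: 23] [Reason: Invalid login] at 15:01:23 UTC Wed June 17 2005",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: baduser] [Source: 192.168.1.3] [localport: 23] [Reason: Invalid login] at 15:01:40 UTC Wed June 17 2005",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.3] [localport: 23] [Reason: Invalid login] at 15:01:58 UTC Wed June 17 2005",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.1.1.2] [localport: 23] [Reason: Invalid login] at 15:05:00 UTC Wed June 17 2005",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Admin01] [Source: 192.168.1.3] [localport: 23] at 15:02:10 UTC Wed June 17 2005",
]
```

Running flag_sources(SAMPLE_LOG) reports only 192.168.1.3, because the single failure from 10.1.1.2 never reaches the threshold and the success line is ignored.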
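As a verification aid for the hardening items in Tasks 2, 6 and 7, the following Python audit is an added example, not part of the lab: it parses an IOS running-config into global commands and line sections and checks each requirement against the right scope, so a vty line that still accepts Telnet or a missing ip ssh version 2 shows up as a failed check. The CHECKS list is my own assumption of how the lab's requirements appear in a config, and SAMPLE_R3_CONFIG is a constructed, deliberately incomplete R3 configuration.

```python
import re
def parse_sections(config):
    """Split IOS config text into global commands and the indented sub-commands of each section."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):   # '!' or a blank line ends a section
            current = None
        elif raw.startswith(" "):                     # sub-command; dropped if no section is open
            sections.get(current, []).append(raw.strip())
        else:                                         # global command; may open a section
            current = raw.strip()
            global_cmds.append(current)
            sections.setdefault(current, [])
    return global_cmds, sections
# (check name, section-header prefix or None for global config, regex one line must match)
CHECKS = [
    ("min password length 10", None, r"^security passwords min-length 10$"),
    ("passwords encrypted", None, r"^service password-encryption$"),
    ("enable secret set", None, r"^enable secret "),
    ("failed logins logged", None, r"^login on-failure log"),
    ("ssh version 2", None, r"^ip ssh version 2$"),
    ("vty exec-timeout 5 min", "line vty", r"^exec-timeout 5 0$"),
    ("vty ssh only", "line vty", r"^transport input ssh$"),
    ("vty local login", "line vty", r"^login local$"),
]
def audit_config(config):
    """Return {check name: bool}; a section check passes only if every matching section (each vty range) has the line."""
    global_cmds, sections = parse_sections(config)
    results = {}
    for name, prefix, pattern in CHECKS:
        rx = re.compile(pattern)
        if prefix is None:
            results[name] = any(rx.match(c) for c in global_cmds)
        else:
            blocks = [c for hdr, c in sections.items() if hdr.startswith(prefix)]
            results[name] = bool(blocks) and all(any(rx.match(l) for l in b) for b in blocks)
    return results
# Constructed R3 running-config: 'ip ssh version 2' is missing and the vty lines still accept Telnet.
SAMPLE_R3_CONFIG = """\
security passwords min-length 10
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
login on-failure log
!
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet ssh
"""
```

audit_config(SAMPLE_R3_CONFIG) returns False for "ssh version 2" and "vty ssh only" and True for the other six checks.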