Professional Documents
Culture Documents
Describe the security threats facing modern network infrastructures Describe and list mitigation methods for common network attacks Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks Describe the Cisco Self Defending Network architecture
Secure Cisco routers Secure Cisco routers using the SDM Security Audit feature Use the One-Step Lockdown feature in SDM to secure a Cisco router Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements Secure administrative access to Cisco routers by configuring multiple privilege levels Secure administrative access to Cisco routers by configuring role based CLI Secure the Cisco IOS image and configuration file
Implement AAA on Cisco routers using local router database and external ACS Explain the functions and importance of AAA Describe the features of TACACS+ and RADIUS AAA protocols Configure AAA authentication Configure AAA authorization Configure AAA accounting
Mitigate threats to Cisco routers and networks using ACLs Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI Configure IP ACLs to prevent IP address spoofing using CLI Discuss the caveats to be considered when building ACLs
Implement secure network management and reporting Use CLI and SDM to configure SSH on Cisco routers to enable secured management access
Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server
Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features
Implement the Cisco IOS firewall feature set using SDM Describe the operational strengths and weaknesses of the different firewall technologies Explain stateful firewall operations and the function of the state table Implement Zone Based Firewall using SDM
Implement the Cisco IOS IPS feature set using SDM Define network based vs. host based intrusion detection and prevention Explain IPS technologies, attack responses, and monitoring options Enable and verify Cisco IOS IPS operations using SDM
Implement site-to-site VPNs on Cisco Routers using SDM Explain the different methods used in cryptography Explain IKE protocol functionality and phases Describe the building blocks of IPSec and the security functions it provides Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM
Step 3: Configure basic console, auxiliary port, and virtual access lines
R1(config)#line console 0 R1(config-line)#password ciscocon R1(config-line)#exec-timeout 5 0 R1(config-line)#login R1(config-line)#logging synchronous R1(config)#line aux 0 R1(config-line)#password ciscoauxpass R1(config-line)#exec-timeout 5 0 R1(config-line)#login R1(config)#line aux 0 R1(config-line)#password ciscoauxpass R1(config-line)#exec-timeout 5 0 R1(config-line)#login
R1(config)#exit
Task 5. Configure the SSH Server on Router R1 and R3 Using the CLI
Step 1: Configure a domain name.
Enter global configuration mode and set the domain name. R1#conf t R1(config)#ip domain-name ccnasecurity.com
Step 2: Configure a privileged user for login from the SSH client.
R1(config)#username admin privilege 15 secret cisco12345
R1(config-line)#exit
Step 5: Generate the RSA encryption key pair for the router.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with 1024 for the number of modulus bits. The default is 512, and the range is from 360 to 2048. R1(config)#crypto key generate rsa general-keys modulus 1024 R1(config)#exit % The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] R1(config)# *Dec 16 21:24:16.175: %SSH-5-ENABLED: SSH 1.99 has been enabled
Task 2. Create New Views for the Admin1, Admin2, and Tech Roles on R1 and R3
Step 1: Create the admin1 view, establish a password, and assign privileges.
R1(config)#parser view admin1 R1(config-view)# *Dec 16 22:45:27.587: %PARSER-6-VIEW_CREATED: view 'admin1 successfully created. <ENTER> Associate the admin1 view with an encrypted password. R1(config-view)#secret admin1pass R1(config-view)# Add all config, show, and debug commands to the admin1 view and then exit from view configuration mode. R1(config-view)#commands exec include all show R1(config-view)#commands exec include all config terminal R1(config-view)#commands exec include all debug R1(config-view)#end Verify the admin1 view. R1#enable view admin1 Password:admin1pass *Dec 16 22:56:46.971: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin1' R1#show parser view R1#Current view is admin1
Step 2: Create the admin2 view, establish a password, and assign privileges.
R1#enable view Password:cisco12345 b. Use the following command to create the admin2 view. R1(config)#parser view admin2 R1(config-view)# *Dec 16 23:02:27.587: %PARSER-6-VIEW_CREATED: view 'admin2 successfully created. <ENTER> R1(config-view)#secret admin2pass R1(config-view)# d. Add all show commands to the view and then exit from view configuration mode. R1(config-view)#commands exec include all show R1(config-view)#end e. Verify the admin2 view. R1(config-view)#end R1#enable view admin2 Password: admin2pass *Dec 16 23:05:46.971: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin2' R1#show parser view R1# Current view is admin2
Step 3: Create the tech view, establish a password, and assign privileges.
a. The Tech user typically installs end-user devices and cabling. Tech users are only allowed to use selected show commands. b. Use the enable view command to enable the root view, and enter the enable secret password cisco12345. R1#enable view Password:cisco12345 R1(config)#parser view tech R1(config-view)# *Dec 16 23:10:27.587: %PARSER-6-VIEW_CREATED: view 'tech successfully created. <ENTER> R1(config-view)#secret techpasswd R1(config-view)# R1(config-view)#commands exec include show version R1(config-view)#commands exec include show interfaces R1(config-view)#commands exec include show ip interface brief R1(config-view)#commands exec include show parser view R1(config-view)#end R1#enable view tech Password:techpasswd *Dec 16 23:13:46.971: %PARSER-6-VIEW_SWITCH: successfully set to view 'tech' R1#show parser view R1#Current view is tech g. Examine the commands available in the tech view. R1#? Exec commands: enable Turn on privileged commands exit Exit from the EXEC show Show running system information h. Examine the show commands available in the tech view. R1#show ? flash: display information about flash: file system interfaces Interface status and configuration ip IP information parser Show parser commands version System hardware and software status.
Step 2: Secure the Cisco IOS image and archive a copy of the running configuration.
R1(config)#secure boot-image .Dec 17 25:40:13.170: %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image R1(config)#secure boot-config .Dec 17 25:42:18.691: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20081219-224218.ar] R1#show secure bootset IOS resilience router id FTX1111W0QF IOS image resilience version 12.4 activated at 25:40:13 UTC Wed Dec 17 2008 Secure archive flash:c1841-advipservicesk9-mz.124-20.T1.bin type is image (elf) [] file size is 37081324 bytes, run size is 37247008 bytes Runnable image, entry point 0x8000F000, run from ram IOS configuration resilience version 12.4 activated at 25:42:18 UTC Wed Dec 17 2008 Secure archive flash:.runcfg-20081219-224218.ar type is config configuration archive size 1986 bytes
R1(config)#service timestamps log datetime msec Configure the syslog service on the router to send syslog messages to the syslog server. R1(config)#logging 192.168.1.3
. . . . Here is a sample Security Banner to be shown at every access to device. Modify it to suit your . . . # Unauthorized Access Prohibited # Enable secret is either not configured or is the same as enable password Enter the new enable secret: cisco12345 Confirm the enable secret : cisco12345 Enter the new enable password: cisco67890 Confirm the enable password: cisco67890 Configuration of local user database Enter the username: admin Enter the password: cisco12345 Confirm the password: cisco12345 . . . no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply Disabling mop on Ethernet interfaces Securing Forwarding plane services... Enabling CEF (This might impact the memory requirements for your platform) Enabling unicast rpf on all interfaces connected to Internet .
Task 4. Use the SDM Security Audit Tool on R1 to Identify Security Risks
Step 2: Create an SDM user and enable the HTTP secure server on R1.
R1(config)#username admin privilege 15 secret 0 cisco12345 R1(config)#ip http secure-server R1(config)#ip http authentication local R1(config)#end
Step 2: Implement AAA services for console access using the local database.
aaa authentication login default method1[method2][method3] R3(config)#aaa authentication login default local none
Step 3: Create a AAA authentication profile for Telnet using the local database.
R3(config)#aaa authentication login TELNET_LINES local R3(config)#line vty 0 4 R3(config-line)#login authentication TELNET_LINES
Step 1: Verify that the system clock and debug time stamps are configured correctly. Step 2: Use debug to verify user access.
R3#debug aaa authentication AAA Authentication debugging is on R3# Dec 26 14:40:54.431: AAA: parse name=tty194 idb type=-1 tty=-1 Dec 26 14:40:54.431: AAA: name=tty194 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=194 channel=0 Dec 26 14:40:54.431: AAA/MEMORY: create_user (0x64BB5510) user='Admin01' ruser=' NULL' ds0=0 port='tty194' rem_addr='192.168.3.3' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Task 3: Configure R1 AAA Services and Access the RADIUS Server Using Cisco IOS
Step 1: Enable AAA on R1.
R1(config)#aaa new-model
Step 7: Create an authentication method list for Telnet and test it.
R1(config)#aaa authentication login TELNET_LINES group radius R1(config)#line vty 0 4
Task 5: (Optional) Configure R1 AAA Services and Access the RADIUS Server Using SDM
R1(config)#no ip domain-lookup
Step 4: Configure the EIGRP routing protocol on R1, R2, and R3.
R1(config)#router eigrp 101 R1(config-router)#network 192.168.1.0 0.0.0.255 R1(config-router)#network 10.1.1.0 0.0.0.3 R1(config-router)#no auto-summary R2(config)#router eigrp 101 R2(config-router)#network 10.1.1.0 0.0.0.3 R2(config-router)#network 10.2.2.0 0.0.0.3 R2(config-router)#no auto-summary R3(config)#router eigrp 101 R3(config-router)#network 192.168.3.0 0.0.0.255 R3(config-router)#network 10.2.2.0 0.0.0.3 R3(config-router)#no auto-summary
R1(config-ext-nacl)#end R1#show access-list autosec_firewall_acl Extended IP access list autosec_firewall_acl 10 permit udp any any eq bootpc 15 permit eigrp any any (5) 20 deny ip any any (10)
class-map type inspect match-any sdm-cls-insp-traffic match protocol cuseeme match protocol dns match protocol ftp match protocol h323 match protocol https match protocol icmp . . . class-map type inspect match-any SDM_EIGRP match access-group name SDM_EIGRP class-map type inspect match-any SDM_EIGRP_TRAFFIC match class-map SDM_EIGRP class-map type inspect match-all SDM_EIGRP_PT policy-map type inspect sdm-permit class type inspect SDM_EIGRP_PT pass class class-default drop
Use the zone security command to create a zone named IN-ZONE R3# zone security IN-ZONE Step 2. Step 2. Create an external zone Use the zone security command to create a zone named OUT-ZONE R3# zone security OUT-ZONE
Step 1. Create a pair of zones. Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created in Task 1. Step 2. Specify the policy map for handling the traffic between the two zones. Attach a policy-map and its associated actions to the zone pair using the service-policy type inspect command and reference the policy map previously created, IN-2-OUT-PMAP. zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE service-policy type inspect IN-2-OUT-PMAP Step 3. Assign interfaces to the appropriate security zones. Use the zone-member security command in interface config mode to assign Fa0/1 to IN-ZONE and S0/0/1 to OUT-ZONE. R3#(config)interface FastEthernet0/1 R3#(config-if)zone-member security IN-ZONE R3#(config)interface Serial0/0/1 R3#(config-if)zone-member security OUT-ZONE
Chapter 5 Lab A, Configuring an Intrusion Prevention System (IPS) Using the CLI and SDM
From http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup, download the following files: - IOS-Sxxx-CLI.pkg: This is the Signature package. - realm-cisco.pub.key.txt: This is the public crypto key used by IOS IPS.
Step 2: Configure the IPS Signature storage location in router flash memory.
R1(config)#ip ips config location flash:ipsdir
Step 6: Configure IOS IPS to use one of the pre-defined signature categories.
In the following example, all signatures in the all category are retired, and then the ios_ips basic category is unretired. R1(config)#ip ips signature-category R1(config-ips-category)#category all R1(config-ips-category-action)#retired true R1(config-ips-category-action)#exit R1(config-ips-category)#category ios_ips basic R1(config-ips-category-action)#retired false R1(config-ips-category-action)#exit R1(config-ips-category)#exit Do you want to accept these changes? [confirm] <Enter> Jan 6 01:32:37.983: Applying Category configuration to signatures ...
R1#dir flash:ipsdir Directory of flash:/ipsdir/ 16 -rw- 230621 Jan 6 2008 03:19:42 +00:00 R1-sigdef-default.xml 15 -rw- 255 Jan 6 2008 01:35:26 +00:00 R1-sigdef-delta.xml 14 -rw- 6632 Jan 6 2008 03:17:48 +00:00 R1-sigdef-typedef.xml 13 -rw- 28282 Jan 6 2008 03:17:52 +00:00 R1-sigdef-category.xml 10 -rw- 304 Jan 6 2008 01:35:28 +00:00 R1-seap-delta.xml 18 -rw- 491 Jan 6 2008 01:35:28 +00:00 R1-seap-typedef.xml
Step 2: Configure a privileged user for login from the SSH client.
S1(config)#username admin privilege 15 secret cisco12345
Step 4: Generate the RSA encryption key pair for the router.
S1(config)#crypto key generate rsa general-keys modulus 1024 The name for the keys will be: S1.ccnasecurity.com % The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] S1(config)# 00:15:36: %SSH-5-ENABLED: SSH 1.99 has been enabled
Step 3: Change the native VLAN for the trunk ports on S1 and S2.
S1(config)#interface Fa0/1 S1(config-if)#switchport trunk native vlan 99 S1(config-if)#end 02:16:28: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with S2 FastEthernet0/1 (1). S2(config)#interface Fa0/1 S2(config-if)#switchport trunk native vlan 99 S2(config-if)#end
Step 8: (Optional) Move active ports to a VLAN other than the default VLAN 1
S1(config)#vlan 20 S1(config-vlan)#name Users S1(config)#interface range fa0/5 - 6 S1(config-if)#switchport access vlan 20
Chapter 8 Lab A, Configuring a Site-to-Site VPN Using Cisco IOS and SDM
Step 4: Configure the EIGRP routing protocol on R1, R2, and R3.
R1(config)#router eigrp 101 R1(config-router)#network 192.168.1.0 0.0.0.255 R1(config-router)#network 10.1.1.0 0.0.0.3 R1(config-router)#no auto-summary R2(config)#router eigrp 101 R2(config-router)#network 10.1.1.0 0.0.0.3 R2(config-router)#network 10.2.2.0 0.0.0.3 R2(config-router)#no auto-summary R3(config)#router eigrp 101 R3(config-router)#network 192.168.3.0 0.0.0.255 R3(config-router)#network 10.2.2.0 0.0.0.3 R3(config-router)#no auto-summary
R1(config-isakmp)#hash sha R1(config-isakmp)#group 5 R1(config-isakmp)#lifetime 3600 R1(config-isakmp)#end R3(config)#crypto isakmp policy 10 R3(config-isakmp)#authentication pre-share R3(config-isakmp)#encryption aes 256 R3(config-isakmp)#hash sha R3(config-isakmp)#group 5 R3(config-isakmp)#lifetime 3600 R3(config-isakmp)#end R1#show crypto isakmp policy Global IKE policy Protection suite of priority 10 encryption algorithm: AES - Advanced Encryption Standard (256 bit keys). hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #5 (1536 bit) lifetime: 3600 seconds, no volume limit
R1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 d. Configure the IPsec VPN interesting traffic ACL on R3. R3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Peer = 10.2.2.1 Extended IP access list 101 access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 Current peer: 10.2.2.1 Security association lifetime: 4608000 kilobytes/900 seconds PFS (Y/N): Y DH group: group5 Transform sets={ 50: { esp-256-aes esp-sha-hmac } , } Interfaces using crypto map MYMAP: Serial0/0/0 R3#show crypto map Crypto Map "CMAP" 10 ipsec-isakmp Peer = 10.1.1.1 Extended IP access list 101 access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 Current peer: 10.1.1.1 Security association lifetime: 4608000 kilobytes/900 seconds PFS (Y/N): Y DH group: group5 Transform sets={ 50: { esp-256-aes esp-sha-hmac } , } Interfaces using crypto map MYMAP: Serial0/0/1
Step 4: Generate some interesting test traffic and observe the results.
R1#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 10.2.2.1 10.1.1.1 QM_IDLE 1001 0 ACTIVE R1#show crypto ipsec sa interface: Serial0/0/0 Crypto map tag: CMAP, local addr 10.1.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0) current_peer 10.2.2.1 port 500 . . . replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xC1DD058(203280472) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2006, flow_id: FPGA:6, crypto map: CMAP sa timing: remaining key lifetime (k/sec): (4485195/877) IV size: 16 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
Task 2: Create Network Equipment Security Guidelines to Supplement the Basic Security Policy (Chapter 9)
Technical Policies Supplement to Security Policies
Unless otherwise indicated, these policy guidelines apply to all primary network devices such as switches and routers.