
PT Activity: Configure a Network for Secure Operation

Topology Diagram

Addressing Table

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1          192.168.1.1   255.255.255.0    N/A              S1 FA0/5
R1      S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      FA0/1          192.168.3.1   255.255.255.0    N/A              S3 FA0/5
R3      S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.5   255.255.255.0    192.168.1.1      S1 FA0/6
PC-B    NIC            192.168.1.6   255.255.255.0    192.168.1.1      S2 FA0/18
PC-C    NIC            192.168.3.5   255.255.255.0    192.168.3.1      S3 FA0/6

All contents are Copyright © 1992-2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 1 of 6

CCNA Security

Learning Objectives

- Secure the routers with strong passwords, password encryption and a login banner.
- Secure the console and VTY lines with passwords.
- Configure local AAA authentication.
- Configure SSH server.
- Configure router for syslog.
- Configure router for NTP.
- Secure the router against login attacks.
- Configure CBAC and ZPF firewalls.
- Secure network switches.

Introduction

In this comprehensive practice activity, you will apply a combination of security measures that were introduced in the course. These measures are listed in the objectives.

In the topology, R1 is the edge router for Company A while R3 is the edge router for Company B. These networks are interconnected via the R2 router, which represents the ISP. You will configure various security features on the routers and switches for Company A and Company B. Not all security features will be configured on R1 and R3.

The following preconfigurations have been made:

- Hostnames on all devices
- IP addresses on all devices
- R2 console password: ciscoconpa55
- R2 password on VTY lines: ciscovtypa55
- R2 enable password: ciscoenpa55
- Static routing
- Syslog services on PC-B
- DNS lookup has been disabled
- IP default gateways for all switches

Task 1: Test Connectivity and Verify Configurations

Step 1. Verify IP addresses.

Step 2. Verify routing tables.

Step 3. Test connectivity.

From PC-A, ping PC-C at IP address 192.168.3.5.

Task 2: Secure the Routers

Step 4. Set a minimum password length of 10 characters on routers R1 and R3.

Step 5. Configure an enable secret password on routers R1 and R3.

Use an enable secret password of ciscoenpa55.


Step 6. Encrypt plaintext passwords.

Step 7. Configure the console lines on R1 and R3.

Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.

Step 8. Configure vty lines on R1.

Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the login authentication to use the default AAA list to be defined later.

Note: The vty lines on R3 will be configured for SSH in a later task.

Step 9. Configure login banner on R1 and R3.

Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: "No Unauthorized Access!"

Task 3: Configure Local Authentication on R1 and R3

Step 10. Configure the local user database.

Create a local user account of Admin01 with a secret password of Admin01pa55.

Step 11. Enable AAA services.

Step 12. Implement AAA services using the local database.

Create the default login authentication method list using local authentication with no backup method.
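The R1 configuration that Tasks 2 and 3 ask for, written out as an added example; this is not the activity's own answer key. The passwords, username and timeouts are the ones the steps specify. The banner delimiter ($) and the vty range 0 4 are assumptions. `aaa new-model` is issued before the line configuration because IOS only accepts `login authentication` once AAA is enabled, so the "later" default list of Step 8 has to exist first in a single pass.

```ios
! Task 2: password policy and privileged-mode secret (R3 gets the same, minus the vty lines)
security passwords min-length 10
enable secret ciscoenpa55
! Encrypt any plaintext line passwords stored in the running configuration
service password-encryption
!
! Task 3: local user database, AAA enabled, default login list = local database only (no fallback)
username Admin01 secret Admin01pa55
aaa new-model
aaa authentication login default local
!
! Console: password kept as the step requires, 5-minute idle timeout, synchronous logging
! so syslog output does not split a command being typed. With AAA enabled the console
! authenticates through the default list (Admin01), not the line password.
line console 0
 password ciscoconpa55
 exec-timeout 5 0
 logging synchronous
 login authentication default
!
! VTY lines on R1 only (R3's vty lines are configured for SSH in Task 7)
line vty 0 4
 password ciscovtypa55
 exec-timeout 5 0
 login authentication default
!
! MOTD banner shown before the login prompt; '$' is only the delimiter around the text
banner motd $No Unauthorized Access!$
```

Because `security passwords min-length 10` is entered first, IOS rejects any later `password` or `secret` shorter than ten characters; every value used in this activity is 11 or 12 characters, so all of them are accepted.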

Task 4: Configure NTP

Step 13. Enable NTP authentication on PC-A.

On PC-A, choose the Config tab, and then the NTP button. Select On for NTP service. Enable authentication and enter a key of 1 and a password of ciscontppa55.

Step 14. Configure R1 as an NTP client.

Configure NTP authentication key 1 with a password of ciscontppa55. Configure R1 to synchronize with the NTP server and authenticate using key 1.

Step 15. Configure routers to update hardware clock.

Configure routers to periodically update the hardware clock with the time learned from NTP.

Task 5: Configure R1 as Syslog Client

Step 16. Configure R1 to timestamp log messages.

Configure timestamp service for logging on the routers.

Step 17. Configure R1 to log messages to the syslog server.

Configure the routers to identify the remote host (syslog server) that will receive logging messages. You should see a console message similar to the following:

%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.6 port 514 started - CLI initiated


Step 18. Check for syslog messages on PC-B.

On R1, exit config mode to generate a syslog message. Open the syslog server on PC-B to view the message sent from R1. You should see a message similar to the following on the syslog server:

%SYS-5-CONFIG_I: Configured from console by console

Task 6: Secure Router Against Login Attacks

Step 19. Log unsuccessful login attempts to R1.

Step 20. Telnet to R1 from PC-A.

Telnet from PC-A to R1 and provide the username Admin01 and password Admin01pa55. The Telnet should be successful.

Step 21. Telnet to R1 from PC-A and check syslog messages on the syslog server.

Exit from the current Telnet session and Telnet again to R1 using the username of baduser and any password. Check the syslog server on PC-B. You should see an error message similar to the following that is generated by the failed login attempt:

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: baduser] [Source: 192.168.1.<PC-A address>] [localport: 23] [Reason: Invalid login] at <timestamp>
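Tasks 4 to 6 on R1 in one added example, not the activity's own solution. It assumes PC-A (192.168.1.5 in the addressing table) is the NTP server and PC-B (192.168.1.6) the syslog server. `login on-failure log` is the IOS command used here for Step 19, whose body the page leaves out; it is what makes the %SEC_LOGIN-4-LOGIN_FAILED message of Step 21 appear.

```ios
! Task 4: authenticated NTP client. Key 1 / ciscontppa55 must match what was entered on PC-A;
! a request signed with any other key is ignored, so a rogue time source cannot skew the clock.
ntp authenticate
ntp authentication-key 1 md5 ciscontppa55
ntp trusted-key 1
ntp server 192.168.1.5 key 1
! Copy the NTP-learned time into the hardware (calendar) clock periodically
ntp update-calendar
!
! Task 5: stamp every log line with date/time (milliseconds) and send it to PC-B.
! Syslog goes to UDP 514 by default, which is the port the %SYS-6-LOGGINGHOST_STARTSTOP message reports.
service timestamps log datetime msec
logging host 192.168.1.6
!
! Task 6: generate a %SEC_LOGIN-4-LOGIN_FAILED message for every failed login attempt,
! so failures such as the baduser Telnet in Step 21 reach the syslog server.
login on-failure log
```

Without the timestamp service the syslog server still receives the messages, but the failed-login record of Step 21 carries only the router's uptime counter instead of the NTP-synchronised time, which is why Task 4 precedes Task 5 here.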

Task 7: Configure SSH on R3

Step 22. Configure a domain name.

Configure a domain name of ccnasecurity.com on R3.

Step 23. Configure the incoming vty lines on R3.

Use the local user accounts for mandatory login and validation and accept only SSH connections.

Step 24. Configure RSA encryption key pair for R3.

Any existing RSA key pairs should be erased on the router. If there are no keys currently configured, a message will be displayed indicating this. Configure the RSA keys with a modulus of 1024.

Step 25. Configure SSH timeouts and authentication parameters.

Set the SSH timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
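Task 7 on R3 as an added example, not the activity's answer key. Because Task 3 enabled AAA on R3, the vty lines use `login authentication default` (the local-only list from Task 3) rather than `login local`, which IOS withdraws once `aaa new-model` is active. The key-pair commands are interactive: `crypto key zeroize rsa` asks for confirmation, and key generation needs the hostname and domain name to be set first.

```ios
! Task 3 prerequisites on R3, repeated so this block stands alone
username Admin01 secret Admin01pa55
aaa new-model
aaa authentication login default local
!
! Step 22: the domain name is part of the key label, so it must exist before key generation
ip domain-name ccnasecurity.com
!
! Step 24: erase any existing pair (confirm when prompted), then generate a 1024-bit pair
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 1024
!
! Step 25: 90 s negotiation timeout, 2 authentication retries, SSH protocol 2 only
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
! Step 23: local-database login via the AAA default list, and SSH as the only transport,
! so the Telnet attempt in Step 44 is refused while "ssh -l Admin01 192.168.3.1" succeeds
line vty 0 4
 exec-timeout 5 0
 login authentication default
 transport input ssh
```

`show ip ssh` afterwards should report version 2.0, a 90-second timeout and 2 retries; if it reports "SSH Disabled", the key pair was not generated (usually because the domain name was missing).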

Task 8: Configure CBAC on R1

Step 26. Configure a named IP ACL.

Create an IP ACL named OUT-IN to block all traffic originating from the outside network. Apply the access list to incoming traffic on interface Serial 0/0/0.

Step 27. Confirm that traffic entering interface Serial 0/0/0 is dropped.

From the PC-A command prompt, ping PC-C. The ICMP echo replies are blocked by the ACL.

Step 28. Create an inspection rule to inspect ICMP, Telnet and HTTP traffic.

Create an inspection rule named IN-OUT-IN to inspect ICMP, Telnet and HTTP traffic.


Step 29. Apply the inspect rule to the outside interface.

Apply the IN-OUT-IN inspection rule to the interface where traffic exits to outside networks.

Step 30. Test operation of the inspection rule.

From the PC-A command prompt, ping PC-C. The ICMP echo replies should be inspected and allowed through.
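Steps 26 to 29 on R1 as an added example, not the page's own solution. The ACL and inspection-rule names are the ones the steps give, and Serial0/0/0 is the outside interface named in Step 26. The point the two ping tests make is visible in the configuration: the ACL alone drops everything inbound (Step 27), and the inspection rule is what punches the temporary return-path holes through it (Step 30).

```ios
! Step 26: named ACL that drops all traffic arriving from the ISP side
ip access-list extended OUT-IN
 deny ip any any
!
interface Serial0/0/0
 ip access-group OUT-IN in
!
! Step 28: inspection rule. CBAC records each outbound ICMP, Telnet and HTTP session
! and admits only the matching return traffic past the OUT-IN ACL, for the life of the session.
ip inspect name IN-OUT-IN icmp
ip inspect name IN-OUT-IN telnet
ip inspect name IN-OUT-IN http
!
! Step 29: inspect traffic as it leaves the outside interface
interface Serial0/0/0
 ip inspect IN-OUT-IN out
```

While a ping from PC-A to PC-C is running, `show ip inspect sessions` on R1 lists the ICMP session that the inspection rule created; once it expires the OUT-IN ACL is again the only thing an inbound packet meets, which is the behaviour Step 46 checks with the ping from R2.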

Task 9: Configure ZPF on R3

Step 31. Test connectivity.

Verify that the internal host can access external resources. From PC-C, test connectivity with ping and Telnet to R2; all should be successful. From R2 ping to PC-C. The pings should be allowed.

Step 32. Create the firewall zones.

Create an internal zone named IN-ZONE. Create an external zone named OUT-ZONE.

Step 33. Create an ACL that defines internal traffic.

Create an extended, numbered ACL that permits all IP protocols from the 192.168.3.0/24 source network to any destination. Use 101 for the ACL number.

Step 34. Create a class map referencing the internal traffic ACL.

Create a class map named IN-NET-CLASS-MAP to match ACL 101.

Step 35. Specify firewall policies.

Create a policy map named IN-2-OUT-PMAP to determine what to do with matched traffic. Specify a class type of inspect and reference class map IN-NET-CLASS-MAP. Specify the action of inspect for this policy map. You should see the following console message:

%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.

Exit to the global config prompt.

Step 36. Apply firewall policies.

Create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created earlier. Attach a policy map and actions to the zone pair referencing the policy map previously created, IN-2-OUT-PMAP. Exit to the global config prompt and assign the internal and external interfaces to the security zones.

Step 37. Test firewall functionality.

Verify that the internal host can still access external resources. From PC-C, test connectivity with ping and Telnet to R2; all should be successful. From R2 ping to PC-C. The pings should now be blocked.
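Steps 32 to 36 on R3 as an added example (not the activity's solution). Zone, ACL, class-map, policy-map and zone-pair names are those the steps specify; FastEthernet0/1 as the inside and Serial0/0/1 as the outside interface come from the addressing table.

```ios
! Step 32: the two security zones
zone security IN-ZONE
zone security OUT-ZONE
!
! Step 33: "internal traffic" = anything sourced from the 192.168.3.0/24 LAN
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
! Step 34: class map that selects traffic matching ACL 101
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
!
! Step 35: policy map; "inspect" with no protocol list triggers the
! "All protocols will be inspected" console message the step describes
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
!
! Step 36: zone pair IN -> OUT with the policy attached, then interface membership.
! There is no OUT -> IN pair, so traffic initiated from outside (the ping from R2 in
! Step 37) is dropped, while return traffic for inspected sessions is allowed back.
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
!
interface FastEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
```

Assigning the interfaces to zones is deliberately the last step: the moment an interface joins a zone, traffic between it and any interface in a different zone is dropped unless a zone pair with a policy permits it, so applying membership first would cut PC-C off until the policy was in place.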


Task 10: Secure the Switches

Step 38. Configure an enable secret password on all switches.

Use an enable secret password of ciscoenpa55.

Step 39. Encrypt plaintext passwords.

Step 40. Configure the console lines on all switches.

Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.

Step 41. Configure vty lines on all switches.

Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the basic login parameter.

Step 42. Secure trunk ports on S1 and S2.

Configure port Fa0/1 on S1 as a trunk port. Configure port Fa0/1 on S2 as a trunk port. Verify that S1 port Fa0/1 is in trunking mode. Set the native VLAN on S1 and S2 trunk ports to an unused VLAN 99. Set the trunk ports on S1 and S2 so that they do not negotiate by turning off the generation of DTP frames. Enable storm control for broadcasts on the S1 and S2 trunk ports with a 50 percent rising suppression level.

Step 43. Secure access ports.

Disable trunking on S1, S2 and S3 access ports. Enable PortFast on S1, S2, and S3 access ports. Enable BPDU guard on the switch ports previously configured as access only. Enable basic default port security on all end-user access ports that are in use. Use the sticky option. Re-enable each access port to which port security was applied. Disable any ports not being used on each switch.

Task 11: Verification

Step 44. Test SSH configuration.

Attempt to connect to R3 via Telnet from PC-C. From PC-C, enter the command to connect to R3 via Telnet at IP address 192.168.3.1. This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines. From PC-C, enter the ssh -l Admin01 192.168.3.1 command to connect to R3 via SSH. When prompted for the password, enter the password Admin01pa55 configured for the local administrator. Use the show ip ssh command to see the configured settings.


Step 45. Verify timestamps, NTP status for R1 and PC-A.

Step 46. Test CBAC firewall on R1.

Ping from PC-A to R2 at 10.2.2.2 (should succeed). Telnet from PC-A to R2 10.2.2.2 (should succeed). Ping from R2 to PC-A at 192.168.1.3 (should fail).

Step 47. Test ZPF firewall on R3.

Ping from PC-C to R2 at 10.2.2.2 (should succeed). Telnet from PC-C to R2 at 10.2.2.2 (should succeed). Ping from R2 to PC-C at 192.168.3.5 (should fail). Telnet from R2 to R3 at 10.2.2.1 (should fail - only SSH is allowed).

Step 48. Verify port security.

On S2, use the show run command to confirm that S2 has added a sticky MAC address for Fa0/18. This should be the MAC address of PC-B. Record the MAC address for later use.

Select PC-B. Go to the Config tab. Select FastEthernet under the Interface section. Edit the MAC address field. This should cause a port security violation and S2 should shut down port Fa0/18. Use the show interface Fa0/18 command to view the status of the port. The port should be in the err-disabled state.

On PC-B, go to the Config tab. Select FastEthernet under the Interface section. Change the MAC address to another address.

From interface configuration mode on switch S2 for Fa0/18, use the no switchport port-security mac-address sticky address command to remove the original PC-B learned address. Shutdown and then re-enable the Fa0/18 interface. On S2, use the show run command to confirm that the port comes up and that the new MAC address has been learned.

Note: If it is desired to reconnect the PC with the original MAC address, you can simply change the MAC address on the PC back to the original one and issue the shutdown and no shutdown commands on port Fa0/18. If the PC or a NIC is being replaced and will have a new MAC address, you must first remove the old learned address.

Step 49. Check results.
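The show commands behind the checks in Steps 44 to 48, collected as an added example that is not part of the original activity. Each group names the device it runs on; the sticky MAC address in the S2 recovery sequence is a placeholder to replace with the address recorded from show run.

```ios
! R3 (Step 44): SSH version, timeout and retries as set in Task 7
show ip ssh
!
! R1 (Step 45): synchronisation state, the PC-A association, and the calendar clock
show ntp status
show ntp associations
show clock
! Timestamped log buffer plus the configured syslog host (PC-B)
show logging
!
! R1 (Step 46): run the ping/Telnet from PC-A to R2 first, then list the CBAC sessions
! that the IN-OUT-IN rule opened; hits on the deny line show what the ACL dropped
show ip inspect sessions
show ip access-lists OUT-IN
!
! R3 (Step 47): zone pair with its policy, and the sessions currently inspected on it
show zone-pair security
show policy-map type inspect zone-pair sessions
!
! S2 (Step 48): port-security state of PC-B's port before and after the violation
show port-security interface FastEthernet0/18
show port-security address
! Recovery after the violation: remove the stale sticky entry, bounce the port,
! then confirm the new address was learned
configure terminal
interface FastEthernet0/18
 no switchport port-security mac-address sticky <OLD-PC-B-MAC>
 shutdown
 no shutdown
 end
show running-config interface FastEthernet0/18
```

In the Step 48 output, "Port Status: Secure-shutdown" together with "Last Source Address" showing the changed MAC is the signature of the violation; the port stays err-disabled until it is shut down and re-enabled by hand, which is the intended behaviour of the default shutdown violation mode.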

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
