Major Concepts
- Discuss the aspects of router hardening
- Configure secure administrative access and router resiliency
- Configure network devices for monitoring administrative access
- Demonstrate network monitoring techniques
- Secure IOS-based Routers using automated features
Lesson Objectives
Upon completion, the successful student will be able to:
1. Describe how to configure a secure network perimeter
2. Configure secure router administration access
3. Describe and configure enhanced security for virtual logins
4. Describe and configure an SSH daemon for secure remote management (use Putty client)
5. Describe the purpose of and configure administrative privilege levels
6. Configure the role-based CLI access feature to provide hierarchical administrative access
7. Describe the factors to consider when securing the data that transmits over the network related to the network management and reporting of device activity
Lesson Objectives
7. Describe and configure syslog for network security (use Solarwinds syslog server on PC)
8. Describe and configure SNMP for network security
9. Describe and configure NTP to enable accurate time stamping between all devices
10. Describe the router services, interfaces, and management services that are vulnerable to network attacks and perform a security audit
11. Lock down a router using AutoSecure and know its purposes and limitations
12. Lock down a router using CCP and know its purposes and limitations
Perimeter Implementations
[Figure: Defense-in-depth Approach: Internet, R1, Firewall, LAN 1 (192.168.2.0)]
[Figure: DMZ Approach: LAN 1 (192.168.2.0)]
- Last router between the internal network and an untrusted network such as the Internet
- Functions as the first and last line of defense
- Implements security actions based on the organization's security policies
- Various perimeter router implementations
- Consider physical security, operating system security, and router hardening
- Secure administrative access
- Local versus remote router access
Router Configuration
- Banners
- SSH
- Secure the IOS and configuration
- Password recovery
- Disabling password recovery
Secure Management
- Change management
- Logging
- Out-of-band vs. in-band management
- Syslog
- SNMP
- NTP
Configuration
- Logging to the console and terminal lines
- Setting up a syslog server
- Logging to a syslog server
- NTP server
- NTP client
- Disable unnecessary services
- CCP security audit
Cisco AutoSecure
Lab Tasks
- Basic CCNA-level network configuration and cabling
- Encrypt all passwords
- Warning banner
- Enhanced username security
- Enhanced virtual login security
- SSH router as server and PC as client
- Role Views
- Secure IOS and configuration files
- Router as NTP client and as NTP server
- Router as syslog client and PC as syslog server
- Router as SNMP client with trap reporting
- Cisco AutoSecure
- CCP Security Audit
Tasks
Set the dates for which the time changes in the timezone

We are in the Eastern timezone, which is 5 hours behind UTC:

    # clock timezone ET -5

Daylight Saving Time in the United States begins at 2:00 a.m. on the second Sunday of March and ends at 2:00 a.m. on the first Sunday of November:

    # clock summer-time ET recurring 2 Sunday March 2:00 1 Sunday November 2:00
    # clock set 14:05:00 Jan 10 2011

For these devices, you must copy the date and time to the hardware clock, or else the device reverts to the default time when it is rebooted:

    # clock update-calendar

There are other commands that operate between the hardware and software clock, but they are not necessary for this purpose.
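The timezone and summer-time rule above decide how a router's local log timestamps map back to UTC when events from several devices are correlated. The following is an added example, not part of the original slides: it applies the same rule (ET -5, second Sunday of March to first Sunday of November at 2:00) to a wall-clock timestamp. The function names are hypothetical, and a 60-minute summer-time shift is assumed.

```python
from datetime import datetime, timedelta, timezone

STD_OFFSET = timedelta(hours=-5)  # from: clock timezone ET -5
DST_SHIFT = timedelta(hours=1)    # assumption: 60-minute summer-time shift


def nth_sunday(year, month, n):
    """Return the n-th Sunday of the month at 02:00 local wall-clock time."""
    first = datetime(year, month, 1, 2, 0)
    days_to_sunday = (6 - first.weekday()) % 7  # Monday=0 ... Sunday=6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))


def dst_window(year):
    """Start and end of summer time under the recurring rule on the slide."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def router_local_to_utc(local):
    """Map a naive router-local timestamp to its possible UTC instants.

    Returns one instant normally, two for the repeated hour in November,
    and raises ValueError for the hour skipped in March.
    """
    start, end = dst_window(local.year)
    if start <= local < start + DST_SHIFT:
        raise ValueError("nonexistent local time: clock jumps 02:00 -> 03:00")
    in_dst = start + DST_SHIFT <= local < end
    candidates = []
    if in_dst:
        candidates.append(local - (STD_OFFSET + DST_SHIFT))
    # The last summer-time hour is replayed as the first standard-time hour.
    if not in_dst or end - DST_SHIFT <= local < end:
        candidates.append(local - STD_OFFSET)
    return [c.replace(tzinfo=timezone.utc) for c in candidates]


if __name__ == "__main__":
    # Constructed sample timestamps; the first is the clock set value above.
    for ts in (datetime(2011, 1, 10, 14, 5), datetime(2011, 7, 4, 12, 0),
               datetime(2011, 11, 6, 1, 30)):
        print(ts, "->", [u.isoformat() for u in router_local_to_utc(ts)])
```

A local timestamp in the repeated November hour cannot be resolved from the wall-clock value alone, which is one reason to have devices log in UTC or include the timezone in log timestamps.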
Lab Day
Plan (continued)
- Cable lab (assigned cable technician)
- Complete lab Parts and Tasks with these exceptions:
  - Skip Part 4, Task 2, Step 3 (Configure NTP clients using CCP)
  - Skip Part 4, Task 3, Step 5 (Configure syslog using CCP)
  - When instructed to set the time, configure the timezone as instructed in class and in these slides.
Files and Information into springboard dropbox as instructed on the dropbox. One per team, submitted by the team leader. While only one is required, every student is expected to keep a copy of these files. Every student will submit the team evaluation survey on springboard.
Because you do not have a lot of time on lab day, many lab questions will need to be answered outside of class time.