<<

. 2
( 9)



>>

b. To set the time on the router, use the clock set time command.
R2#clock set 20:12:00 Dec 17 2008
R2#
*Dec 17 20:12:18.000: %SYS-6-CLOCKUPDATE: System clock has been updated
from 01:20:26 UTC Mon Dec 15 2008 to 20:12:00 UTC Wed Dec 17 2008,
configured from console by admin on console.
c. Configure R2 as the NTP master using the ntp master stratum-number command in global
configuration mode. The stratum number indicates the distance from the original source. For this lab, use
a stratum number of 3 on R2. When a device learns the time from an NTP source, its stratum number
becomes one greater than the stratum number of its source.
R2(config)#ntp master 3

Step 2: Configure R1 and R3 as NTP clients using the CLI.
a. R1 and R3 will become NTP clients of R2. To configure R1, use the global configuration command
ntp server hostname. The host name can also be an IP address. The command ntp update-
calendar periodically updates the calendar with the NTP time.
R1(config)#ntp server 10.1.1.2
R1(config)#ntp update-calendar
b. Verify that R1 has made an association with R2 with the show ntp associations command. You
can also use the more verbose version of the command by adding the detail argument. It might take
some time for the NTP association to form.
R1#show ntp associations

address ref clock st when poll reach delay offset disp
˜10.1.1.2 127.127.1.1 3 14 64 3 0.000 -280073 3939.7
*sys.peer, #selected, +candidate, -outlyer, x falseticker, ˜ configured
c. Issue the debug ntp all command to see NTP activity on R1 as it synchronizes with R2.
R1#debug ntp all
NTP events debugging is on
NTP core messages debugging is on
NTP clock adjustments debugging is on
NTP reference clocks debugging is on
NTP packets debugging is on

Dec 17 20.12:18.554: NTP message sent to 10.1.1.2, from interface
'Serial0/0/0' (10.1.1.1).
Dec 17 20.12:18.574: NTP message received from 10.1.1.2 on interface
'Serial0/0/0' (10.1.1.1).
Dec 17 20:12:18.574: NTP Core(DEBUG): ntp_receive: message received


24
Dec 17 20:12:18.574: NTP Core(DEBUG): ntp_receive: peer is 0x645A3120,
next action is 1.
Dec 17 20:12:18.574: NTP Core(DEBUG): receive: packet given to
process_packet
Dec 17 20:12:18.578: NTP Core(INFO): system event 'event_peer/strat_chg'
(0x04)
status 'sync_alarm, sync_ntp, 5 events, event_clock_reset' (0xC655)
Dec 17 20:12:18.578: NTP Core(INFO): synchronized to 10.1.1.2, stratum 3
Dec 17 20:12:18.578: NTP Core(INFO): system event 'event_sync_chg' (0x03)
status
'leap_none, sync_ntp, 6 events, event_peer/strat_chg' (0x664)
Dec 17 20:12:18.578: NTP Core(NOTICE): Clock is synchronized.
Dec 17 20:12:18.578: NTP Core(INFO): system event 'event_peer/strat_chg'
(0x04)
status 'leap_none, sync_ntp, 7 events, event_sync_chg' (0x673)
Dec 17 20:12:23.554: NTP: Calendar updated.
d. Issue the undebug all or the no debug ntp all command to turn off debugging.
R1#undebug all
e. Verify the time on R1 after it has made an association with R2.
R1#show clock
*20:12:24.859 UTC Wed Dec 17 2008

Step 3: (Optional) Configure R1 and R3 as NTP clients using SDM.

You can also use SDM to configure the router to support NTP. If you configured R1 as an NTP client using
Cisco IOS commands in Step 2, you can skip this step, but read through it to become familiar with the
process. If you configured R1 and R3 as NTP clients using Cisco IOS commands in Step 2 you can still
perform this step but you need to issue the following commands first on each router.
R1(config)#no ntp server 10.1.1.2
R1(config)#no ntp update-calendar
a. From the CLI, enable the http server on R1.
R1(config)#ip http server
b. Open a browser window on PC-A and start SDM by entering the R1 IP address 192.168.1.1 in the
address field. Log in as admin with password cisco12345.

c. To configure SDM to allow you to preview the commands before sending them to the router, select Edit
> Preferences.

d. In the User Preferences window, select Preview commands before delivering to router and click
OK.

e. To configure an NTP server, click the Configure button and select Additional Tasks > Router
Properties > NTP/SNTP. Click Add.




25
f. In the NTP Server IP Address field, enter the IP address of the R2 master NTP router (10.1.1.2) and
click OK.

g. In the Deliver Configuration to Router window, make sure that the Save running config to router™s
startup config check box is checked and click Deliver.

h. Click OK in the Commands Delivery Status window.

i. Open a console connection to the router, and verify the associations and time on R1 after it has made
an association with R2. It might take some time for the NTP association to form.
R1#show ntp associations

address ref clock st when poll reach delay offset disp
˜10.1.1.2 127.127.1.1 3 14 64 3 0.000 -280073 3939.7
*sys.peer, #selected, +candidate, -outlyer, x falseticker, ˜ configured

R1#show clock
*20:12:24.859 UTC Wed Dec 17 2008




26
Task 3. Configure syslog Support on R1 and PC-A

Step 1: Install the syslog server.

The Kiwi Syslog Daemon is a dedicated syslog server. Another application is Tftpd32, which includes a TFTP
server, TFTP client, and a syslog server and viewer. You can use either with this lab. Both are available as a
free version and run with Microsoft Windows.

If a syslog server is not currently installed on the host, download the latest version of Kiwi from
http://www.kiwisyslog.com or Tftpd32 from http://tftpd32.jounin.net and install it on your desktop. If it is already
installed, go to Step 2.

Note: This lab uses the Kiwi syslog server.


Step 2: Configure R1 to log messages to the syslog server using the CLI.

a. Verify that you have connectivity between R1 and the host by pinging the R1 Fa0/1 interface IP
address 192.168.1.1. If it is not successful, troubleshoot as necessary before continuing.

b. NTP was configured in Task 2 to synchronize the time on the network. Displaying the correct time and
date in syslog messages is vital when using syslog to monitor a network. If the correct time and date of a
message is not known, it can be difficult to determine what network event caused the message.

Verify that the timestamp service for logging is enabled on the router using the show run command.
Use the following command if the timestamp service is not enabled.
R1(config)#service timestamps log datetime msec
c. Configure the syslog service on the router to send syslog messages to the syslog server.
R1(config)#logging 192.168.1.3

Step 3: Configure the logging severity level on R1.

Logging traps can be set to support the logging function. A trap is a threshold that when reached triggers a
log message. The level of logging messages can be adjusted to allow the administrator to determine what
kinds of messages are sent to the syslog server. Routers support different levels of logging. The eight levels
range from 0 (emergencies), indicating that the system is unstable, to 7 (debugging), which sends messages
that include router information.

Note: The default level for syslog is 6, informational logging. The default for console and monitor logging is 7,
debugging.

a. Use the logging trap command to determine the options for the command and the various trap
levels available.
R1(config)#logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
<cr>


27
b. Define the level of severity for messages sent to the syslog server. To configure the severity levels,
use either the keyword or the severity level number (0“7).
Severity Level Keyword Description
Severity level Keyword Meaning
0 emergencies System unusable
1 alerts Immediate action required
2 critical Critical conditions
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant condition
6 informational Informational messages
7 debugging Debugging messages
Note: The severity level includes the level specified and anything with a lower severity number. If you
set the level to 4 or use the keyword warnings, you capture messages with severity level 4, 3, 2, 1,
and 0.

c. Use the logging trap command to set the severity level for R1.
R1(config)#logging trap warnings
d. What is the problem with setting the level of severity too high or too low?
____________________________________________________________________________________
____________________________________________________________________________________
________________________________________________________________________

e. If the command logging trap critical were issued, which severity levels of messages would be
logged? _______________________________________________________________________


Step 4: Display the current status of logging for R1.

a. Use the show logging command to see the type and level of logging enabled.
R1#show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering
disabled)

No Active Message Discriminator.
No Inactive Message Discriminator.

Console logging: level debugging, 271 messages logged, xml
disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

Trap logging: level warnings, 0 message lines logged
Logging to 192.168.1.3 (udp port 514, audit disabled,

28
authentication disabled, encryption disabled, link up),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
b. At what level is console logging enabled? ____________________________________________

c. At what level is trap logging enabled? _______________________________________________

d. What is the IP address of the syslog server? __________________________________________

e. What port is syslog using? ________________________________________________________


Step 5: (Optional) Configure R1 to log messages to the syslog server using SDM.

You can also use SDM to configure the router for syslog support. If you configured R1 for syslog and trap
levels previously, you can skip this step. If you configured R1 syslog and trap levels using Cisco IOS
commands in Step 4 you can still perform this step but you need to issue the following commands first on the
router:
R1(config)#no logging 192.168.1.3
R1(config)#no logging trap warnings
a. Open a browser on PC-A, and start SDM by entering the R1 IP address 192.168.1.1 in the address
field. Log in as admin with password cisco12345.

b. Select Configure > Additional Tasks > Router Properties > Logging, and double-click Syslog.

c. In the Logging window, click Add and enter the IP address of the syslog server, PC-A (192.168.1.3).
Click OK.

d. From the Logging Level drop-down menu, select the logging level of Warnings (4).

e. Deselect Logging Buffer, and then click OK.

f. Click Yes in the SDM Warning dialog box.

g. In the Deliver Configuration to Router window, click Deliver. Click OK in the Commands Delivery Status
window.

h. Click Save on the toolbar. Click Yes in the SDM Write to Startup Config Warning window.




29
Step 6: Start the Kiwi Syslog Server.

Open the Kiki Syslog Daemon application on your desktop or click the Start button and select Programs >
Kiwi Enterprises > Kiwi Syslog Daemon.




30
Step 7: Verify that logging to the syslog server is occurring.

On the syslog server host PC-A, observe messages as they are sent from R1 to the syslog server.

a. Send a test log message to the kiwi syslog server by choosing File > Send test message to local
host.

b. Generate a logging message by shutting down the Serial0/0/0 interface on R1 or R2 and then re-
enabling it.
R1(config)#interface S0/0/0
R1(config-if)#shutdown
R1(config-if)#no shutdown
The Kiwi syslog screen should look similar to the following one.




c. What would happen if you were shut down the Fa0/1 interface on R1 (do not actually perform this
action)? ________________________________________________________________________

d. From the R1 global configuration mode, enable the logging of user info when enabling privileged mode
and reset the trap level to informational.
R1(config)#logging userinfo
R1(config)#logging trap informational
e. On the Kiwi Syslog Daemon, click View > Clear Display to clear the log display.

f. Exit to the login screen, and enable the admin1 view that you created in Part 3 of this lab. Enter the
password admin1pass.
R1>enable view admin1
Password:
Note: You can enable the desired view from the user EXEC prompt. This allows different users to login
without having to know the privileged EXEC mode enable secret password.

g. Exit to the login screen again, and enable the admin1 view. This time enter the password incorrectly.
What message was displayed on the syslog server?
R1>enable view admin1
Password:

31
Your screen should look similar to the following one.




Part 5. Configure Automated Security Features
In Part 5 of this lab, you will:

Restore routers R1 and R3 to their basic configuration.

Use AutoSecure to secure R3.

Use the SDM Security Audit tool on router R1 to identify security risks.

Fix security problems on R1 using the Security Audit tool.

Review router security configurations with SDM and the CLI.


Task 1. Restore Router R3 to Its Basic Configuration
To avoid confusion as to what was already entered and what AutoSecure provides for the router
configuration, start by restoring router R3 to its basic configuration.


Step 1: Erase and reload the router.

a. Connect to the R3 console and login as admin.

b. Enter privileged EXEC mode.

c. Erase the startup config and then reload the router.


Step 2: Restore the basic configuration.

a. When the router restarts, restore the basic configuration for R3 that was created and saved in Part 1 of
this lab.

b. Issue the show run command to view the current running configuration. Are there any security related
commands? _______________________________________________________________



32
c. Test connectivity by pinging from host PC-A on the R1 LAN to PC-C on the R3 LAN. If the pings are
not successful, troubleshoot the router and PC configurations until they are.

d. Save the running config to the startup config using the copy run start command.


Task 2. Use AutoSecure to Secure R3
By using a single command in CLI mode, the AutoSecure feature allows you to disable common IP services
that can be exploited for network attacks and enable IP services and features that can aid in the defense of a
network when under attack. AutoSecure simplifies the security configuration of a router and hardens the
router configuration.


Step 1: Use the AutoSecure Cisco IOS feature.

a. Enter privileged EXEC mode using the enable command.

b. Issue the auto secure command on R3 to lock down the router. Router R2 represents an ISP router, so
assume that R3 S0/0/1 is connected to the Internet when prompted by the AutoSecure questions. Respond to
the AutoSecure questions as shown in the following output. The responses are bolded.
R3#auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of the router, but it will
not make it absolutely resistant to all security attacks ***

AutoSecure will modify the configuration of your device. All configuration
changes will be shown. For a detailed explanation of how the configuration
changes enhance security and any possible side effects, please refer to
Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: Press ENTER to
accept the default of 1 in square brackets.



Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 unassigned YES NVRAM administratively down down

FastEthernet0/1 192.168.3.1 YES NVRAM up up

Serial0/0/0 unassigned YES NVRAM administratively down down

Serial0/0/1 10.2.2.1 YES NVRAM up up



Enter the interface name that is facing the internet: serial0/0/1


33
Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:

# Unauthorized Access Prohibited #

Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: cisco12345
Confirm the enable secret : cisco12345
Enter the new enable password: cisco67890
Confirm the enable password: cisco67890

Configuration of local user database
Enter the username: admin
Enter the password: cisco12345
Confirm the password: cisco12345
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 60

Maximum Login failures with the device: 2

Maximum time period for crossing the failed login attempts: 30

Configure SSH server? [yes]: Press ENTER to accept the default of yes

34
Enter the domain-name: ccnasecurity.com

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet

Configure CBAC Firewall feature? [yes/no]: no
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed


Enable tcp intercept feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C Unauthorized Access Prohibited ^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$FmV1$.xZUegmNYFJwJv/oFwwvG1
enable password 7 045802150C2E181B5F
username admin password 7 01100F175804575D72
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth

35
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 60 attempts 2 within 30
ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Vlan1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
ip cef
access-list 100 permit udp any any eq bootpc
interface Serial0/0/1

36
ip verify unicast source reachable-via rx allow-default 100
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end

Apply this configuration to running-config? [yes]: <ENTER>

Applying the config generated to running-config
The name for the keys will be: R3.ccnasecurity.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R3#
000037: *Dec 19 21:18:52.495 UTC: %AUTOSEC-1-MODIFIED: AutoSecure
configuration
has been Modified on this device

Step 2: Establish an SSH connection from PC-C to R3.

a. Start PuTTy or another SSH client, and log in with the admin account and password cisco12345 created
when AutoSecure was run. Enter the IP address of the R3 Fa0/1 interface 192.168.3.1.

b. Because AutoSecure configured SSH on R3, you will receive a PuTTY security warning. Click Yes to
connect anyway.

c. Enter privileged EXEC mode, and verify the R3 configuration using the show run command.

d. Issue the show flash command. Is there a file that might be related to AutoSecure, and if so what is its
name and when was it created? _________________________________________________

e. Issue the command more flash:pre_autosec.cfg. What are the contents of this file, and what is its
purpose? ____________________________________________________________________

f. How would you restore this file if AutoSecure did not produce the desired results?
________________________________________________________________________________


Step 3: Contrast the AutoSecure-generated configuration of R3 with the manual configuration of
R1.

a. What security-related configuration changes were performed on R3 by AutoSecure that were not performed
in previous sections of the lab on R1?

________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
b. What security-related configuration changes were performed in previous sections of the lab that were not
performed by AutoSecure?
_______________________________________________________________________________________
_________________________________________________________________________

37
c. Identify at least five unneeded services that were locked down by AutoSecure and at least three security
measures applied to each interface.
Note: Some of the services listed as being disabled in the AutoSecure output above might not appear
in the show running-config output because they are already disabled by default for this router
and Cisco IOS version.
Services disabled include
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
For each interface, the following were disabled:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

Step 4: Test connectivity.

Ping from PC-A on the R1 LAN to PC-C on the router R3 LAN. Were the pings successful? _____

If pings from PC-A to PC-C are not successful, troubleshoot before continuing.


Task 3. Restore R1 to Its Basic Configuration
To avoid confusion as to what was previously configured and what SDM Security Audit tool provides for the
router configuration, start by restoring router R1 to its basic configuration.


Step 1: Erase and reload the router.

a. Connect to the R1 console and log in as admin.

b. Enter privileged EXEC mode.

c. Erase the startup config and then reload the router.


Step 2: Restore the basic config.

a. When the router restarts, cut and paste the basic startup config for R1 that was created and saved in Part 1
of this lab.

b. Test connectivity by pinging from host PC-A to R1. If the pings are not successful, troubleshoot the router
and PC configurations to verify connectivity before continuing.

c. Save the running config to the startup config using the copy run start command.


Task 4. Use the SDM Security Audit Tool on R1 to Identify Security Risks
In this task, you use the SDM graphical user interface to analyze security vulnerabilities on router R1. SDM is
faster than typing each command and gives you more control than the AutoSecure feature.


Step 1: Verify whether SDM is installed on router R1.
R1#show flash
-#- -length-- --date/time------ path
1 37081324 Dec 16 2008 21:57:10 c1841-advipservicesk9-mz.124-20.T1.bin

38
2 6389760 Dec 16 2008 22:06:56 sdm.tar
<Output omitted>
Note: SDM can be run from the PC or the router. If SDM is not installed on your router, check to see if it is
installed on the PC. Otherwise, consult your instructor for directions.


Step 2: Create an SDM user and enable the HTTP secure server on R1.

a. Create a privilege-level 15 username and password on R1.
R1(config)#username admin privilege 15 secret 0 cisco12345
b. Enable the HTTP secure server on R1.
R1(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Dec 19 17:01:07.763: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Dec 19 17:01:08.731: %PKI-4-NOAUTOSAVE: Configuration was modified.
Issue
"write memory" to save new certificate
c. Enable local HTTP authentication on R1.
R1(config)#ip http authentication local
R1(config)#end
d. Save the running config to the startup config.
R1#copy run start

Step 3: Start SDM.

a. From PC-A, run the SDM application and enter the IP address of R1 FA0/1 (192.168.1.1) or open a
web browser and navigate to https://192.168.1.1.

b. Note: Make sure that you have all pop-up blockers turned off in your browser. Also make sure that
Java is installed and updated.

c. When the certification error message is displayed, click Continue to this web site.

d. Log in with the previously configured username and password.
username: admin
password: cisco12345
e. At the Warning Security messages, click Yes.

f. At the Password Needed “ Networking message, enter the username and password again.


Step 4. Back up the current router configuration.

a. Back up the router configuration from within SDM by choosing File > Save Running Config to PC.

b. Save the configuration on the desktop using the default name of SDMConfig.txt.


Step 5. Begin the security audit.

a. Select Configure > Security Audit.


39
b. Click the Perform Security Audit button to start the Security Audit wizard, which analyzes potential
vulnerabilities. This helps you become familiar with the types of vulnerabilities that Security Audit can
identify. You will be given an opportunity to fix all or selected security problems after the audit finishes..

Note: The Security Audit tool also provides a One-Step Lockdown option that performs a function
similar to AutoSecure but does not prompt the user for input.

c. After you have familiarized yourself with the wizard instructions, click Next.




40
d. On the Security Audit Interface Configuration window, indicate which of the interfaces that are shown
are inside (trusted) and which are outside (untrusted). For interface Fa0/1, select Inside (trusted). For
interface S0/0/0, select Outside (untrusted).

e. Click Next to check security configurations. You can watch the security audit progress.


Step 6: Identify Security Audit unneeded services and recommended configurations.

a. Scroll through the Security Audit results screen. What are some of the major vulnerabilities listed as
Not Passed?
____________________________________________________________________________________
____________________________________________________________________________________
________________________________________________________________________

b. After reviewing the Security Audit report, click Save Report. Save it to the desktop using the default
name SDMSecurityAuditReportCard.html.




41
c. Open the report card HTML document you saved on the desktop to view the contents and then close it.


Task 5. Fix Security Problems on R1 Using the Security Audit Tool
In this task, you will use the Security Audit wizard to make the necessary changes to the router configuration.


Step 1: Review the Security Problems Identified window for potential items to fix.

a. In the Security Audit window, click Close.

b. A window appears listing the items that did not pass the security audit. Click Next without choosing any
items. What message did you get? ________________________________________________

c. Click OK to remove the message.


Step 2: Fix security problems.

With the Security Audit tool, you can fix selected problems or all security problems identified.

a. Click Fix All and then click Next to fix all security problems.

b. When prompted, enter an enable secret password of cisco12345 and confirm it.



42
c. Enter the text for the login banner: Unauthorized Access Prohibited. Click Next.

d. Add the logging host IP address 192.168.1.3, and accept the logging defaults. Click Next.

e. Accept the default security settings for inside and outside interfaces and click Next.

f. Deselect URL Filter Server, and click Next.

g. For the security level, select Low Security and click Next.

h. At the Firewall Configuration Summary, review the configuration and click Finish.

i. Scroll through the Summary screen. This screen shows what Security Audit will configure for the router.

j. Click Finish to see the actual commands that are delivered to the router. Scroll to review the
commands.

k. Make sure that Save running config to router™s startup config is selected, and click Deliver.

l. Click OK in the Commands Delivery Status window to exit the Security Audit tool. How many
commands were delivered to the router? ________________


Task 6. Review Router Security Configurations with SDM and the CLI
In this task, you will use Cisco SDM to review changes made by Security Audit on router R1 and compare
them to those made by AutoSecure on R3.


Step 1: View the running configs for R1 and R3.

a. From the PC-A SDM session with R1, click the View option from the main menu and select Running
Config.

b. Using PuTTY, open an SSH connection to router R3, and log in as admin.

c. Enter privileged EXEC mode, and issue the show run command.


Step 2: Contrast AutoSecure with SDM Security Audit.

a. Compare the function and ease of use between AutoSecure and SDM Security Audit. What are some
similarities and differences?

________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________

b. Refer to the AutoSecure configuration on R3 and the SDM Security Audit configuration on R1. What
are some similarities and differences between the configurations generated by AutoSecure and Security
Audit?

________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________



43
________________________________________________________________________________
________________________________________________________________________________


Step 3: Test connectivity.

a. Ping from router R1 to the router R3 S0/0/1 interface (10.2.2.1). Were the pings successful? Why or
why not? _________________________________________________________________________

Note: Firewalls are covered in detail in Chapter 4.

b. Ping from PC-A on the R1 LAN to PC-C on the router R3 LAN. Were the pings successful? Why or why
not? _________________________________________________________________________

c. Ping from router R3 to the router R2 S0/0/0 interface (10.1.1.2). Were the pings successful? Why or
why not? _________________________________________________________________________

d. Ping from router R3 to the router R1 S0/0/0 interface (10.1.1.1). Were the pings successful? Why or
why not? _________________________________________________________________________

e. Ping from PC-C on the R3 LAN to PC-A on the router R1 LAN. Were the pings successful? Why or why
not? _________________________________________________________________________


Task 7. Reflection
a. How important is securing router access and monitoring network devices to ensure responsibility and
accountability and for thwarting potentially malicious activity.
____________________________________________________________________________________
____________________________________________________________________________________
________________________________________________________________________

b. What advantages does SSH have over Telnet?
____________________________________________________________________________________
____________________________________________________________________________

c. What advantages does Telnet have over SSH?
____________________________________________________________________________________
____________________________________________________________________________

d. How scalable is setting up usernames and using the local database for authentication?
____________________________________________________________________________________
____________________________________________________________________________________
________________________________________________________________________

e. Why it is better to have centralized logging servers rather than only have the routers log locally?
____________________________________________________________________________________
____________________________________________________________________________________
________________________________________________________________________

f. What are some advantages to using automated security mechanisms like AutoSecure and SDM
Security Audit?
____________________________________________________________________________________
____________________________________________________________________________________
________________________________________________________________________




44
Router Interface Summary Table
Router Interface Summary
Router Model Ethernet Interface Ethernet Interface Serial Interface Serial Interface
#1 #2 #1 #2
1700 Fast Ethernet 0 Fast Ethernet 1 Serial 0 (S0) Serial 1 (S1)
(FA0) (FA1)
1800 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 Serial 0/0/1
(FA0/0) (FA0/1) (S0/0/0) (S0/0/1)
2600 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0 (S0/0) Serial 0/1 (S0/1)
(FA0/0) (FA0/1)
2800 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 Serial 0/0/1
(FA0/0) (FA0/1) (S0/0/0) (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.




45
Chapter 3: Lab A" Securing Administrative Access Using AAA and
RADIUS

Topology




IP Addressing Table


Device Interface IP Address Subnet Mask Default Gateway Switch Port
R1 FA0/1 192.168.1.1 255.255.255.0 N/A S1 FA0/5
S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A N/A
R2 S0/0/0 10.1.1.2 255.255.255.252 N/A N/A
S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A
R3 FA0/1 192.168.3.1 255.255.255.0 N/A S3 FA0/5
S0/0/1 10.2.2.1 255.255.255.252 N/A N/A
PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 S1 FA0/6
PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1 S3 FA0/18




46
Objectives
Part 1: Basic Network Device Configuration

Configure basic settings such as host name, interface IP addresses, and access passwords.

Configure static routing.


Part 2: Configure Local Authentication

Configure a local database user and local access for the console, vty, and aux lines.

Test the configuration.


Part 3: Configure Local Authentication Using AAA

Configure the local user database using Cisco IOS.

Configure AAA local authentication using Cisco IOS.

Configure AAA local authentication using SDM.

Test the configuration.


Part 4: Configure Centralized Authentication Using AAA and RADIUS

Install a RADIUS server on a computer.

Configure users on the RADIUS server.

Configure AAA services on a router to access the RADIUS server for authentication using Cisco IOS.

Configure AAA services on a router to access the RADIUS server for authentication using SDM.

Test the AAA RADIUS configuration.


Background
The most basic form of router access security is to create passwords for the console, vty, and aux lines. A
user is prompted for only a password when accessing the router. Configuring a privileged EXEC mode enable
secret password further improves security, but still only a basic password is required for each mode of
access.

In addition to basic passwords, specific usernames or accounts with varying privilege levels can be defined in
the local router database that can apply to the router as a whole. When the console, vty, or aux lines are
configured to refer to this local database, the user is prompted for a username and a password when using
any of these lines to access the router.

Additional control over the login process can be achieved using Authentication, Authorization, and Accounting
(AAA). For basic authentication, AAA can be configured to access the local database for user logins, and
fallback procedures can also be defined. However, this approach is not very scalable because it must be
configured on every router. To take full advantage of AAA and achieve maximum scalability, it is used in
conjunction with an external TACACS+ or RADIUS server database. When a user attempts to login, the
router references the external server database to verify that the user is logging in with a valid username and
password.

In this lab, you build a multi-router network and configure the routers and hosts. You use various CLI
commands and SDM tools to configure routers with basic local authentication and local authentication using
AAA. You install RADIUS software on an external computer and use AAA to authenticate users with the
RADIUS server.




47
Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T
(Advance IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary
table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab.
Depending on the router model and Cisco IOS version, the commands available and output produced might
vary from what is shown in this lab.

Note: Make sure that the routers and switches have been erased and have no startup configurations.


Required Resources
3 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)

2 switches (Cisco 2960 or comparable)

PC-A: Windows XP, Vista, or Windows Server with RADIUS server software available

PC-C: Windows XP or Vista

Serial and Ethernet cables as shown in the topology

Rollover cables to configure the routers via the console



Part 1. Basic Network Device Configuration
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP
addresses, static routing, device access, and passwords.

All steps should be performed on routers R1 and R3. Only steps 1, 2, 3 and 6 need to be performed on R2.
The procedure for R1 is shown here as an example.


Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram, and cable as necessary.


Step 2: Configure basic settings for each router.

a. Configure host names as shown in the topology.

b. Configure the interface IP addresses as shown in the IP addressing table.

c. Configure a clock rate for the routers with a DCE serial cable attached to their serial interface.
R1(config)#interface S0/0/0
R1(config-if)#clock rate 64000
d. To prevent the router from attempting to translate incorrectly entered commands as though they were
host names, disable DNS lookup.
R1(config)#no ip domain-lookup

Step 3: Configure static routing on the routers.

Configure a static default route from R1 to R2 and from R3 to R2.

Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.




48
Step 4: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C, as shown in the IP
addressing table.


Step 5: Verify connectivity between PC-A and R3.

a. Ping from R1 to R3.

Were the ping results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.

Were the ping results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-A to PC-C, you have demonstrated that static routing is configured and
functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct,
use the show run and show ip route commands to help identify routing protocol-related problems.


Step 6: Save the basic running configuration for each router.

Use the Transfer > Capture text option in HyperTerminal or some other method to capture the running
configs for each router. Save the three files so that they can be used to restore configs later in the lab.


Step 7: Configure and encrypt passwords on R1 and R3.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the
benefit of performing the lab. More complex passwords are recommended in a production network.
For this step, configure the same settings for R1 and R3. Router R1 is shown here as an example.

a. Configure a minimum password length.

Use the security passwords command to set a minimum password length of 10 characters.
R1(config)#security passwords min-length 10
b. Configure the enable secret password on both routers.
R1(config)#enable secret cisco12345
c. Configure the basic console, auxiliary port, and vty lines.

d. Configure a console password and enable login for router R1. For additional security, the exec-
timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous
command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec timeout can be set to 0 0, which prevents it
from expiring. However, this is not considered a good security practice.
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0


49
R1(config-line)#login
R1(config-line)#logging synchronous
e. Configure a password for the aux port for router R1.
R1(config)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
f. Configure the password on the vty lines for router R1.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
g. Encrypt the console, aux, and vty passwords.

R1(config)#service password-encryption

h. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why
not? ________________________________________________________________________


Step 8: Configure a login warning banner on routers R1 and R3.

a. Configure a warning to unauthorized uses using a message-of-the-day (MOTD) banner with the
banner motd command. When a user connects to the router, the MOTD banner appears before the
login prompt. In this example, the dollar sign ($) is used to start and end the message.
R1(config)#banner motd $Unauthorized access strictly prohibited and
prosecuted to the full extent of the law$
R1(config)#exit
b. Issue the show run command. What does the $ convert to in the output? _____________________

c. Exit privileged EXEC mode using the disable or exit command and press Enter to get started.
Does the MOTD banner look like what you expected? _____

Note: If it does not, just recreate it using the banner motd command.


Step 9: Save the basic configurations.

Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1#copy running-config startup-config

Part 2. Configure Local Authentication
In Part 2 of this lab, you configure a local username and password and change the access for the console, aux,
and vty lines to reference the router™s local database for valid usernames and passwords. Perform all steps on R1
and R3. The procedure for R1 is shown here.

Step 1: Configure the local user database.

a. Create a local user account with MD5 hashing to encrypt the password.
R1(config)#username user01 secret user01pass




50
b. Exit global configuration mode and display the running configuration. Can you read the user™s
password? ________________________


Step 2: Configure local authentication for the console line and login.

a. Set the console line to use the locally defined login usernames and passwords.
R1(config)#line console 0
R1(config-line)#login local
b. Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get started.

c. Log in using the user01 account and password previously defined.

d. What is the difference between logging in at the console now and previously?

________________________________________________________________________________

e. After logging in, issue the show run command. Were you able to issue the command? Why or why not?
__________________________________

f. Enter privileged EXEC mode using the enable command. Were you prompted for a password? Why or
why not? ______________________________________________________________________


Step 3: Test the new account by logging in from a Telnet session.

a. From PC-A, establish a Telnet session with R1.
PC-A>telnet 192.168.1.1
b. Were you prompted for a user account? Why or why not? __________________________________

c. What password did you use to login? _________________________

d. Set the vty lines to use the locally defined login accounts.
R1(config)#line vty 0 4
R1(config-line)#login local
e. From PC-A, telnet R1 to R1 again.
PC-A>telnet 192.168.1.1
f. Were you prompted for a user account? Why or why not? _________________________________

g. Log in as user01 with a password of user01pass.

h. While connected to R1 via Telnet, access privileged EXEC mode with the enable command.

i. What password did you use? ____________________________

j. For added security, set the aux port to use the locally defined login accounts.
R1(config)#line aux 0
R1(config-line)#login local
k. End the Telnet session with the exit command.




51
Step 4: Save the configuration on R1.

a. Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1#copy running-config startup-config
b. Use HyperTerminal or another means to save the R1 running configuration from Parts 1 and 2 of this
lab and edit it so that it can be used to restore the R1 config later in the lab.

Note: Remove all occurrences of “- - More - -.” Remove any commands that are not related to the items
you configured in Parts 1 and 2 of the lab, such as the Cisco IOS version number, no service pad, and so
on. Many commands are entered automatically by the Cisco IOS software. Also replace the encrypted
passwords with the correct ones specified previously.


Step 5: Perform steps 1 through 4 on R3 and save the configuration.

a. Save the running configuration to the startup configuration from the privileged EXEC prompt.
R3#copy running-config startup-config
b. Use HyperTerminal or another means to save the R3 running configuration from Parts 1 and 2 of this
lab and edit it so that it can be used to restore the R3 config later in the lab.


Part 3. Configure Local Authentication Using AAA on R3

Task 1. Configure the Local User Database Using Cisco IOS
Note: If you want to configure AAA using SDM, go to Task 3.


Step 1: Configure the local user database.

a. Create a local user account with MD5 hashing to encrypt the password.
R3(config)#username Admin01 privilege 15 secret Admin01pass
b. Exit global configuration mode and display the running configuration. Can you read the user™s password?
_________________________________________________________________


Task 2. Configure AAA Local Authentication Using Cisco IOS

Step 1: Enable AAA services.

a. On R3, enable services with the global configuration command aaa new-model. Because you are
implementing local authentication, use local authentication as the first method, and no authentication as
the secondary method.

If you were using an authentication method with a remote server, such as TACACS+ or RADIUS, you
would configure a secondary authentication method for fallback if the server is unreachable.
Normally, the secondary method is the local database. In this case, if no usernames are configured in
the local database, the router allows all users login access to the device.

b. Enable AAA services.
R3(config)#aaa new-model




52
Step 2: Implement AAA services for console access using the local database.

a. Create the default login authentication list by issuing the aaa authentication login default
method1[method2][method3] command with a method list using the local and none keywords.
R3(config)#aaa authentication login default local none
Note: If you do not set up a default login authentication list, you could get locked out of the router and
be forced to use the password recovery procedure for your specific router.

b. Exit to the initial router screen that displays: R3 con0 is now available, Press RETURN to get
started.

c. Log in to the console as Admin01 with a password of Admin01pass. Remember that passwords are
case-sensitive. Were you able to log in? Why or why not?
_______________________________________________________________________________

Note: If your session with the console port of the router times out, you might have to log in using the
default authentication list.

d. Exit to the initial router screen that displays: R3 con0 is now available, Press RETURN to get
started.

e. Attempt to log in to the console as baduser with any password. Were you able to log in? Why or why
not? ____________________________________________________________________________

f. If no user accounts are configured in the local database, which users are permitted to access the
device? __________________________________________________________________________


Step 3: Create a AAA authentication profile for Telnet using the local database.

a. Create a unique authentication list for Telnet access to the router. This does not have the fallback of no
authentication, so if there are no usernames in the local database, Telnet access is disabled. To create an
authentication profile that is not the default, specify a list name of TELNET_LINES and apply it to the vty lines.
R3(config)#aaa authentication login TELNET_LINES local
R3(config)#line vty 0 4
R3(config-line)#login authentication TELNET_LINES
b. Verify that this authentication profile is used by opening a Telnet session from PC-C to R3.
PC-C>telnet 192.168.3.1
Trying 192.168.10.1 ... Open
c. Log in as Admin01 with a password of Admin01pass. Were you able to login? Why or why not?
_______________________________________________________________________________

d. Exit the Telnet session with the exit command, and telnet to R3 again.

e. Attempt to log in as baduser with any password. Were you able to login? Why or why not?
_______________________________________________________________________________


Task 3. (Optional) Configure AAA Local Authentication Using Cisco SDM
You can also use SDM to configure the router to support AAA.

<<

. 2
( 9)



>>