ClubEnsayos.com - Quality Essays, Assignments and Monographs
Networks


Submitted by   •  September 20, 2014  •  Theses  •  2,300 Words (10 Pages)  •  156 Views

Introduction

In this comprehensive practice activity, you will apply a combination of security measures that were introduced in the course. These measures are listed in the objectives.

In the topology, R1 is the edge router for Company A, while R3 is the edge router for Company B. These networks are interconnected via the R2 router, which represents the ISP. You will configure various security features on the routers and switches for Company A and Company B. Not all security features will be configured on R1 and R3.

Learning Objectives

• Secure the routers with strong passwords, password encryption and a login banner.

• Secure the console and VTY lines with passwords.

• Configure local AAA authentication.

• Configure SSH server.

• Configure router for syslog.

• Configure router for NTP.

• Secure the router against login attacks.

• Configure CBAC and ZPF firewalls.

• Secure network switches.

Task 1: Test Connectivity and Verify Configurations

Step 1. Verify IP addresses.

Step 2. Verify routing tables.

Step 3. Test connectivity.

From PC-A, ping PC-C at IP address 192.168.3.5.

Task 2: Secure the Routers

Step 1. Set a minimum password length of 10 characters on routers R1 and R3.

R1(config)#security passwords min-length 10

Step 2. Configure an enable secret password on routers R1 and R3.

Use an enable secret password of ciscoenpa55.

R1(config)#enable secret ciscoenpa55

Step 3. Encrypt plaintext passwords.

R1(config)#service password-encryption

Step 4. Configure the console lines on R1 and R3.

Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.

R1(config)#line console 0

R1(config-line)#password ciscoconpa55

R1(config-line)#login

R1(config-line)#exec-timeout 5

R1(config-line)#logging synchronous

Step 5. Configure vty lines on R1.

Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the login authentication to use the default AAA list to be defined later.

Note: The vty lines on R3 will be configured for SSH in a later task.

R1(config)#line vty 0 4

R1(config-line)#exec-timeout 5

R1(config-line)#password ciscovtypa55

R1(config-line)#login

R1(config-line)#login authentication default

Step 6. Configure login banner on R1 and R3.

Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: “No Unauthorized Access!”

R1(config)#banner motd "No Unauthorized Access!"

Task 3: Configure Local Authentication on R1 and R3

Step 1. Configure the local user database.

Create a local user account of Admin01 with a secret password of Admin01pa55.

Step 2. Enable AAA services.

Step 3. Implement AAA services using the local database.

Create the default login authentication method list using local authentication with no backup method.

R1(config)#username Admin01 secret Admin01pa55

R1(config)#aaa new-model

R1(config)#aaa authentication login default local none

Task 4: Configure NTP

Step 1. Enable NTP authentication on PC-A.

On PC-A, choose the Config tab, and then the NTP button. Select On for NTP service. Enable authentication and enter a Key of 1 and a password of ciscontppa55.

Step 2. Configure R1 as an NTP Client.

Configure NTP authentication Key 1 with a password of ciscontppa55. Configure R1 to synchronize with the NTP server and authenticate using Key 1.

Step 3. Configure routers to update hardware clock.

Configure routers to periodically update the hardware clock with the time learned from NTP.

R1(config)#ntp trusted-key 1

R1(config)#ntp server 192.168.1.5 key 1

R1(config)#ntp authentication-key 1 md5 ciscontppa55

R1(config)#ntp update-calendar

R1(config)#ntp authenticate
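
An added example (not part of the original lab or of Cisco's material): a short Python check that reads a saved running-config and reports which hardening steps from Tasks 2 through 4 are absent. The sample configuration is constructed, the names SAMPLE, REQUIRED and audit are hypothetical, and the check also flags a login method list ending in none, which IOS treats as a fallback method that applies no authentication.

```python
import re

# Constructed sample running-config: no "ntp authenticate", no vty exec-timeout.
SAMPLE = """\
service password-encryption
security passwords min-length 10
enable secret 5 CONSTRUCTED-HASH
aaa new-model
aaa authentication login default local none
banner motd ^CNo Unauthorized Access!^C
ntp authentication-key 1 md5 CONSTRUCTED 7
ntp trusted-key 1
ntp server 192.168.1.5 key 1
line con 0
 exec-timeout 5 0
line vty 0 4
 login authentication default
"""

# Global commands from Tasks 2-4 that must be present: regex -> finding.
REQUIRED = {
    r"^security passwords min-length \d{2,}$": "min-length below 10 or unset",
    r"^enable secret ": "enable secret missing",
    r"^service password-encryption$": "service password-encryption missing",
    r"^banner motd ": "MOTD banner missing",
    r"^aaa new-model$": "aaa new-model missing",
    r"^ntp authenticate$": "ntp authenticate missing",
    r"^ntp trusted-key \d+": "no trusted NTP key",
    r"^ntp server \S+ key \d+": "NTP server not bound to a key",
}

def audit(config):
    """Return findings for the hardening steps of Tasks 2-4, in check order."""
    findings = [m for p, m in REQUIRED.items() if not re.search(p, config, re.M)]
    # "none" is itself a fallback method that applies no authentication.
    if re.search(r"^aaa authentication login \S+ .*\bnone$", config, re.M):
        findings.append("login method list ends in 'none'")
    # Track, per "line ..." block, whether a 5-minute exec-timeout is set.
    header, timeout_ok = None, {}
    for raw in config.splitlines():
        if raw.startswith("line "):
            header = raw
            timeout_ok[header] = False
        elif header and raw.startswith(" "):
            timeout_ok[header] |= bool(re.match(r" exec-timeout 5( 0)?$", raw))
        else:
            header = None
    return findings + [f"{h}: exec-timeout is not 5 minutes"
                       for h, ok in timeout_ok.items() if not ok]
```

Run audit() on the text of show running-config saved from R1 or R3; an empty list means every checked item is present.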

Task 5: Configure R1 as Syslog Client

Step 1. Configure R1 to timestamp log messages.

Configure timestamp service for logging on the routers.

Step 2. Configure R1 to log messages to the syslog server.

Configure the routers to identify the remote host (syslog server) that will receive logging messages.

You should see a console message similar to the following:

SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.6 port 514 started – CLI initiated

...
