Security 8 Sba
Transcript of Security 8 Sba
In this practice Packet Tracer Skills Based Assessment, you will:
configure basic device hardening and secure
network management
configure a CBAC firewall to implement security policies
configure devices to protect against STP attacks and to enable
broadcast storm control
configure port security and disable unused switch ports
configure an IOS IPS
configure a ZPF to implement security policies
configure a site-to-site IPsec VPN
Addressing Table
Device
Interfa
ce IP Address
Subnet
Mask Gateway
DNS
server
Internet
S0/0/0
209.165.200.
225
255.255.255.
252 n/a n/a
S0/0/1 192.31.7.1
255.255.255.
252 n/a n/a
S0/1/0
198.133.219.
1
255.255.255.
252 n/a n/a
Fa0/0
192.135.250.
1
255.255.255.
0 n/a n/a
CORP S0/0/0 209.165.200.
226
255.255.255.
252
n/a n/a
Device
Interfa
ce IP Address
Subnet
Mask Gateway
DNS
server
Fa0/0 10.1.1.254
255.255.255.
0 n/a n/a
Fa0/1.1
0
172.16.10.25
4
255.255.255.
0 n/a n/a
Fa0/1.2
5
172.16.25.25
4
255.255.255.
0 n/a n/a
Fa0/1.9
9
172.16.99.25
4
255.255.255.
0 n/a n/a
Branch
S0/0/0
198.133.219.
2
255.255.255.
252 n/a n/a
Fa0/0
198.133.219.
62
255.255.255.
224 n/a n/a
External
S0/0/0 192.31.7.2
255.255.255.
252 n/a n/a
Fa0/0 192.31.7.62
255.255.255.
224 n/a n/a
Public Svr NIC
192.135.250.
5
255.255.255.
0
192.135.25
0.1 n/a
External
Web Svr NIC 192.31.7.35
255.255.255.
224 192.31.7.62
192.135.25
0.5
External PC NIC 192.31.7.33
255.255.255.
224 192.31.7.62
192.135.25
0.5
NTP/Syslog
Svr NIC 172.16.25.2
255.255.255.
0
172.16.25.2
54 10.1.1.5
Device
Interfa
ce IP Address
Subnet
Mask Gateway
DNS
server
DMZ DNS
Svr NIC 10.1.1.5
255.255.255.
0 10.1.1.254
192.135.25
0.5
DMZ Web
Svr NIC 10.1.1.2
255.255.255.
0 10.1.1.254 10.1.1.5
PC0 NIC 172.16.10.5
255.255.255.
0
172.16.10.2
54 10.1.1.5
PC1 NIC 172.16.10.10
255.255.255.
0
172.16.10.2
54 10.1.1.5
Net Admin NIC 172.16.25.5
255.255.255.
0
172.16.25.2
54 10.1.1.5
Admin PC NIC
198.133.219.
35
255.255.255.
224
198.133.21
9.62
192.135.25
0.5
PCB1 NIC
198.133.219.
40
255.255.255.
224
198.133.21
9.62
192.135.25
0.5
Note: Appropriate verification procedures should be taken after
each configuration task to ensure that it has been properly
implemented.
Step 1: Configure Basic Device Hardening for the CORP
Router.
a. Configure the CORP router to only accept passwords with a
minimum length of 10 characters.
CORP(config)# security password min-length 10
b. Configure an encrypted privileged level password of ciscoclass.
CORP(config)# enable secret ciscoclass
c. Enable password encryption for all clear text passwords in the
configuration file.
CORP(config)# service password-encryption
d. Configure the console port and all vty lines with the following
requirements:
Note: CORP is already configured with the username CORPADMIN
and the secret password ciscoccnas.
use the local database for login
disconnect after being idle for 20 minutes.
CORP(config)# line consol 0
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 0 4
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 5 15
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
e. Disable the CDP protocol only on the link to the Internet router.
CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable
Step 2: Configure Secure Network Management for the CORP
Router.
a. Enable the CORP router:
as an NTP client to the NTP/Syslog server
to update the router calendar (hardware clock) from the NTP
time source
to timestamp log messages
to send logging messages to the NTP/Syslog server
CORP(config)# ntp server 172.16.25.2 key 0
CORP(config)# ntp update-calendar
CORP(config)# service timestamps log datetime msec
CORP(config)# logging host 172.16.25.2
b. Configure the CORP router to accept SSH connections. Use the
following guidelines:
Note: CORP is already configured with the username SSHAccess
and the secret password ciscosshaccess.
domain name is theccnas.com
RSA encryption key pair using a modulus of 1024
SSH version 2, timeout of 90 seconds, and 2 authentication
retries
all vty lines accept only SSH connections
CORP(config)# ip domain-name theccnas.com
CORP(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
CORP(config)# ip ssh version 2
CORP(config)# ip ssh time-out 90
CORP(config)# ip ssh authentication-retries 2
CORP(config)# line vty 0 4
CORP(config-line)# transport input ssh
CORP(config)# line vty 5 15
CORP(config-line)# transport input ssh
CORP(config-line)# exit
c. Configure the CORP router with AAA authentication and verify its
functionality:
AAA authentication using the local database as the default for
console line and vty lines access
CORP(config)# aaa new model
CORP(config)# aaa authentication login default local
CORP(config)# aaa authorization exec default local
CORP(config)# line vty 0 4
CORP(config-line)# login authentication default
CORP(config-line)# line vty 5 15
CORP(config-line)# login authentication default
CORP(config-line)# line con 0
CORP(config-line)# login authentication default
Step 3: Configure Device Hardening for Switch1.
a. Access Switch1 with username CORPADMIN, password ciscoccnas,
and the enable secret password of ciscoclass.
b. Enable storm control for broadcasts on FastEthernet 0/24 with a
50 percent rising suppression level.
SW1(config)# interface fa0/24
SW1(config)# storm-control broadcast level 50
c. Configure Switch1 to protect against STP attacks.
Configure PortFast on FastEthernet ports 0/1 to 0/23.
Enable BPDU guard on FastEthernet ports 0/1 to 0/23.
SW1(config)# interface range fa0/1-23
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# spanning-tree bpduguard enable
d. Configure port security and disable unused ports.
Set the maximum number of learned MAC addresses to 2 on
FastEthernet ports 0/1 to 0/23. Allow the MAC address to be
learned dynamically and to shutdown the port if a violation
occurs.
SW1(config)# interface range fa0/1-23
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security violation shutdown
SW1(config-if-range)# switchport port-security mac-address sticky
Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).
SW1(config)# interface range fa0/2-5
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/7-10
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/13-23
SW1(config-if-range)# shutdown
SW1(config-if-range)# end
SW1# copy running-config startup-config
Step 4: Configure an IOS IPS on the CORP Router.
a. On the CORP router, create a directory in flash named ipsdir.
CORP# mkdir ipsdir
b. Configure the IPS signature storage location to be flash:ipsdir.
CORP(config)# ip ips config location flash:ipsdir/ retries 1
c. Create an IPS rule named corpips.
CORP(config)# ip ips name corpips
d. Configure the IOS IPS to use the signature categories. Retire the
all signature category and unretire the ios_ips basic category.
CORP(config)# ip ips signature-category
CORP(config-ips-category)# category all
CORP(config-ips-category-action)# retired true
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# category ios_ips basic
CORP(config-ips-category-action)# retired false
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# exit
Do you want to accept these changes? [confirm] [Enter]
e. Apply the IPS rule to the Fa0/0 interface.
CORP(config)# interface fa0/0
CORP(config-if)# ip ips corpips out
f. Modify the ios_ips basic category. Unretire the echo request
signature (signature 2004, subsig 0); enable the signature; modify
the signature event-action to produce an alert and to deny packets
that match the signature.
CORP(config)#ip ips signature-definition
CORP(config-sigdef)# signature 2004 0
CORP(config-sigdef-sig)# status
CORP(config-sigdef-sig-status)# retired false
CORP(config-sigdef-sig-status)# enable true
CORP(config-sigdef-sig-status)# exit
CORP(config-sigdef-sig)# engine
CORP(config-sigdef-sig-engine)# event-action produce-alert
CORP(config-sigdef-sig-engine)# event-action deny-packet-inline
CORP(config-sigdef-sig-engine)# exit
CORP(config-sigdef-sig)# exit
CORP(config-sigdef)# exit
CORP(config)# exit
Do you want to accept these changes? [confirm] [Enter]
g. Verify that IPS is working properly. Net Admin in the internal
network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping
Net Admin.
Step 5: Configure ACLs and CBAC on the CORP Router to
Implement the Security Policy.
a. Create ACL 12 to implement the security policy regarding the
access to the vty lines:
Only users connecting from Net Admin and Admin PC are
allowed access to the vty lines.
CORP(config)# access-list 12 permit host 172.16.25.5
CORP(config)# access-list 12 permit host 198.133.219.35
CORP(config)# line vty 0 4
CORP(config-line)# access-class 12 in
CORP(config-line)# line vty 5 15
CORP(config-line)# access-class 12 in
b. Create, apply, and verify an extended named ACL (named
DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should
be created in the order specified in the following guidelines (Please
note, the order of ACL statements is significant only because of the
scoring need in Packet Tracer.):
1. HTTP traffic is allowed to DMZ Web Svr.
2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
4. FTP traffic from the Branch administrator workstation is allowed to
DMZ Web Svr.
CORP(config)# ip access-list extended DMZFIREWALL
CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www
CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0
0.0.0.255
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host
10.1.1.2 eq ftp
CORP(config-ext-nacl)# exit
CORP(config)# interface fa0/0
CORP(config-if)# ip access-group DMZFIREWALL out
c. To verify the DMZFIREWALL ACL, complete the following tests:
Admin PC in the branch office can access the URL
http://www.theccnas.com;
Admin PC can open an FTP session to the DMZ Web Svr with the
username cisco and the password cisco;
PCB1 cannot open an FTP session to the DMZ Web Svr.
Net Admin can open an FTP session to the DMZ Web Svr with
the username cisco and the password cisco; and
PC1 cannot open an FTP session to the DMZ Web Svr.
d. Create, apply, and verify an extended named ACL (named
INCORP) to control access from the Internet into the CORP router.
The ACL should be created in the order specified in the following
guidelines (Please note, the order of ACL statements is significant
only because of the scoring need in Packet Tracer.):
1. Allow HTTP traffic to the DMZ Web Svr.
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
3. Allow SSH traffic from the Branch Office administrator workstation
to the Serial 0/0/0 interface on the CORP router.
4. Allow IP traffic from the Branch router serial interface into the
CORP router serial interface.
5. Allow IP traffic from the Branch Office LAN to the public IP address
range that is assigned to the CORP site (209.165.200.240/28).
CORP(config)# ip access-list extended INCORP
CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq
www
CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq
domain
CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq
domain
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host
209.165.200.226 eq 22
CORP(config-ext-nacl)# permit ip host 198.133.219.2 host
209.165.200.226
CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31
209.165.200.240 0.0.0.15
CORP(config-ext-nacl)# exit
CORP(config)# interface s0/0/0
CORP(config-ifl)# ip access-group INCORP in
e. To verify the INCORP ACL, complete the following tests:
Admin PC in the branch office can access the URL
http://www.theccnas.com;
Admin PC can establish an SSH connection to the CORP router
(209.165.200.226) with the usernameSSHAccess and password
ciscosshaccess;
PCB1 cannot establish an SSH connection to the CORP router
(209.165.200.226); and
External PC cannot establish an SSH connection to the CORP
router (209.165.200.226).
f. Create and apply a CBAC inspection rule (named INTOCORP) to
inspect ICMP, TCP, and UDP traffic between the CORP internal
network and any other network.
CORP(config)# ip inspect name INTOCORP icmp
CORP(config)# ip inspect name INTOCORP tcp
CORP(config)# ip inspect name INTOCORP udp
g. Enable CBAC audit messages to be sent to the syslog server.
CORP(config)# ip inspect audit-trail
CORP(config)# interface s0/0/0
CORP(config-if)# ip inspect INTOCORP out
h. Verify the CBAC firewall configuration.
PC1 can access the External Web Svr (www.externalone.com).
PC1 can establish an SSH connection to the External router with
username SSHadmin and passwordciscosshpa55.
Admin PC in the Branch office can establish an SSH connection
to the CORP router with the usernameSSHAccess and password
ciscosshaccess.
Step 6: Configure a Zone-Based Policy Firewall on the Branch
Router.
a. Access the Branch router with username CORPADMIN, password
ciscoccnas and the enable secret password of ciscoclass.
b. On the Branch router, create the firewall zones.
Create an internal zone named BR-IN-ZONE.
Create an external zone named BR-OUT-ZONE.
Branch(config)# zone security BR-IN-ZONE
Branch(config-sec-zone)# exit
Branch(config)# zone security BR-OUT-ZONE
Branch(config-sec-zone)# exit
c. Define a traffic class and access list.
Create an ACL (ACL 110) to permit all protocols from the
198.133.219.32/27 network to any destination.
Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31
any
Create a class map using the option of class map type inspect
with the match-all keyword. Match the ACL 110 and name the
class map BR-IN-CLASS-MAP.
Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP
Branch(config-cmap)# match access-group 110
d. Specify firewall policies.
Create a policy map named BR-IN-OUT-PMAP.
Use the BR-IN-CLASS-MAP class map.
Specify the action of inspect for this policy map.
Branch(config)# policy-map type inspect BR-IN-OUT-PMAP
Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP
Branch(config-pmap-c)# inspect
e. Apply the firewall.
Create a pair of zones named IN-OUT-ZPAIR with the source as
BR-IN-ZONE and destination as BR-OUT-ZONE.
Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE
destination BR-OUT-ZONE
Specify the policy map BR-IN-OUT-PMAP for handling the traffic
between the two zones.
Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-
OUT-PMAP
Assign interfaces to the appropriate security zones.
Branch(config)# interface fa0/0
Branch(config-if)# zone-member security BR-IN-ZONE
Branch(config-if)# interface s0/0/0
Branch(config-if)# zone-member security BR-OUT-ZONE
f. Verify the ZPF configuration.
The Admin PC in the Branch office can access the URLs
http://www.theccnas.com and http://www.externalone.com.
The Admin PC in the Branch office can ping the External PC
(192.31.7.33).
External PC cannot ping the Admin PC in the Branch office
(198.133.219.35).
The Admin PC in Branch office can establish an SSH connection
to the CORP router with the usernameSSHAccess and password
ciscosshaccess. If you get the Corp> prompt, then your
configuration is correct.
Step 7: Configure a Site-to-Site IPsec VPN between the CORP
router and the Branch Router.
The following tables list the parameters for the ISAKMP Phase 1
Policy and IPsec Phase 2 Policy:
ISAKMP Phase 1 Policy
Parameters ISAKMP Phase 2 Policy Parameters
Key
Distribution
Method ISAKMP Parameters CORP Router
Branch
Router
Encryption
Algorithm AES
Transform
Set Name VPN-SET VPN-SET
Number of
Bits 256
Transform
Set
esp-3des
esp-sha-hmac
esp-3des
esp-sha-hmac
Hash
Algorithm SHA-1
Peer Host
Name Branch CORP
Authenticati
on Method Pre-share
Peer IP
Address 198.133.219.2
209.165.200.2
26
Key
Exchange DH 2
Encrypted
Network
209.165.200.24
0/28
198.133.219.3
2/27
IKE SA
Lifetime 86400
Crypto Map
Name VPN-MAP VPN-MAP
ISAKMP Key
Vpnpass1
01
SA
Establishm
ent ipsec-isakmp ipsec-isakmp
a. Configure an ACL (ACL 120) on the CORP router to identify the
interesting traffic. The interesting traffic is all IP traffic between the
two LANs (209.165.200.240/28 and 198.133.219.32/27).
CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15
198.133.219.32 0.0.0.31
b. Configure the ISAKMP Phase 1 properties on the CORP router. The
crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy
Parameters Table for the specific details needed.
CORP(config)# crypto isakmp policy 10
CORP(config-isakmp)# encryption aes 256
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)#group 2
CORP(config-isakmp)# lifetime 86400 (Default/Optional)
CORP(config-isakmp)# hash sha (Default/optional)
CORP(config-isakmp)# exit
CORP(config)# crypto isakmp key Vpnpass101 address
198.133.219.2
c. Configure the ISAKMP Phase 2 properties on the CORP router.
Refer to the ISAKMP Phase 2 Policy Parameters Table for the specific
details needed.
CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-
sha-hmac
CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp
CORP(config-crypto-map)# set peer 198.133.219.2
CORP(config-crypto-map)# set transform-set VPN-SET
CORP(config-crypto-map)# match address 120
d. Bind the VPN-MAP crypto map to the outgoing interface.
CORP(config)# interface s0/0/0
CORP(config-if)# crypto map VPN-MAP
CORP(config-if)# end
e. Configure IPsec parameters on the Branch router using the same
parameters as on the CORP router. Note that interesting traffic is
defined as the IP traffic from the two LANs.
Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31
209.165.200.240 0.0.0.15
Branch(config)# crypto isakmp policy 10
Branch(config-isakmp)# encryption aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 2
Branch(config-isakmp)# lifetime 86400 (Default/Optional)
Branch(config-isakmp)# hash sha (Default/optional)
Branch(config-isakmp)# exit
Branch(config)# crypto isakmp key Vpnpass101 address
209.165.200.226
Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-
sha-hmac
Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 209.165.200.226
Branch(config-crypto-map)# set transform-set VPN-SET
Branch(config-crypto-map)# match address 120
Branch(config-crypto-map)# exit
Branch(config)# interface s0/0/0
Branch(config-if)# crypto map VPN-MAP
Branch(config-if)# end
f. Save the running-config, then reload both CORP and Branch
routers.
CORP# copy running-config startup-config
Branch# copy running-config startup-config
g. Verify the VPN configuration by conducting an FTP session with
the username cisco and the password cisco from the Admin PC to
the DMZ Web Svr. On the Branch router, check that the packets are
encrypted. To exit the FTP session, type quit.
That’s all. I’m not sure which version it this Packet Tracer Activity
since it’s not mine. This CCNA Security SBA contributed by
Viktorcsn. Either it’s version 1.0 or version 1.1. However i noticed
that this SBA practice has been published and shared in some
website. I’m not sure if this practice will be helpful to all of you guys,
but i just try to spread it so that maybe someone that in need may
get this resource much easier.
So finally, thank you to Viktorcsn for the contribution. If you guys
have latest version of CCNA Security or anything to share that will