CCNA Security Chapter 2 Lab A: Securing the Router for Administrative Access (Instructor Version)

Task 5. Fix Security Problems on R1 Using the Security Audit Tool


In this task, you will use the Security Audit wizard to make the necessary changes to the router configuration.

Step 1: Review the Security Problems Identified window for potential items to fix.

  1. In the Security Audit window, click Close.

  2. A window appears listing the items that did not pass the security audit. Click Next without choosing any items. What message did you get? Warning. Please select at least one item to fix.

  3. Click OK to remove the message.

Step 2: Fix security problems.

With the Security Audit tool, you can fix selected problems or all security problems identified.



  1. Click Fix All and then click Next to fix all security problems.

  2. When prompted, enter an enable secret password of cisco12345 and confirm it.

  3. Enter the text for the login banner: Unauthorized Access Prohibited. Click Next.

  4. Add the logging host IP address 192.168.1.3, and accept the logging defaults. Click Next.

  5. Accept the default security settings for inside and outside interfaces and click Next.

  6. Deselect URL Filter Server, and click Next.

  7. For the security level, select Low Security and click Next.

  8. At the Firewall Configuration Summary, review the configuration and click Finish.

  9. Scroll through the Summary screen. This screen shows what Security Audit will configure for the router.

  10. Click Finish to see the actual commands that are delivered to the router. Scroll to review the commands.

  11. Make sure that Save running config to router’s startup config is selected, and click Deliver.

  12. Click OK in the Commands Delivery Status window to exit the Security Audit tool. How many commands were delivered to the router? 181 in this case.

Task 6. Review Router Security Configurations with SDM and the CLI


In this task, you will use Cisco SDM to review changes made by Security Audit on router R1 and compare them to those made by AutoSecure on R3.

Step 1: View the running configs for R1 and R3.

  1. From the PC-A SDM session with R1, click the View option from the main menu and select Running Config.

  2. Using PuTTY, open an SSH connection to router R3, and log in as admin.

  3. Enter privileged EXEC mode, and issue the show run command.

Step 2: Contrast AutoSecure with SDM Security Audit.

  1. Compare the function and ease of use between AutoSecure and SDM Security Audit. What are some similarities and differences?

AutoSecure is an automated Cisco IOS-based CLI security tool that provides a one-step process that enables security features and disables unneeded services. AutoSecure allows a router to quickly be secured without thorough knowledge of all the Cisco IOS features.

SDM Security Audit is a GUI-based tool that can perform a security analysis and fix all or selected problems. It also has a one-step lockdown feature. It provides wizards and is somewhat easier to use than AutoSecure. It also provides many helpful explanations as to how and what is being done. Although SDM Security Audit is a GUI-based tool, the end result is a set of generated Cisco IOS commands that are delivered to the router.

  2. Refer to the AutoSecure configuration on R3 and the SDM Security Audit configuration on R1. What are some similarities and differences between the configurations generated by AutoSecure and Security Audit?

Differences can vary depending on user responses to the prompts as each tool runs. Student answers may vary but could include: SDM generates a firewall with ACLs. AutoSecure disables more services. SDM generates more HTTP-related commands because it is web based. AutoSecure configures an enable password and an enable secret. SDM only configures the enable secret. AutoSecure does not prompt for a syslog host but SDM does. SDM firewall prompts for an HTTP filter.

They both encrypt passwords, set login banners, set minimum password lengths, and control no ip redirects, ip unreachables, and ip proxy-arp for interfaces. Both enable AAA.
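The differences listed above can be checked mechanically rather than by eye. The script below is an added example (not part of the Cisco lab) that parses a running-config into global, interface and line sections and reports which of the hardening items the answer key mentions are missing: password encryption, an enable secret, a minimum password length, login block-for, the no ip redirects / unreachables / proxy-arp trio on addressed interfaces, an SSH-only vty transport and a syslog host, plus the reversible type 7 passwords that both AutoSecure (enable password, username admin) and the Part 1 config (user01) left behind. The two sample configs are constructed excerpts of the lab's R2 and R3 output; the 8-character minimum is taken from what the lab sets on R1 and is an assumed baseline.

```python
"""Audit a Cisco IOS running-config for the hardening items this lab compares
between AutoSecure (R3) and SDM Security Audit (R1). Added example, not code from
the Cisco lab; both sample configs are constructed excerpts of the lab's output."""
import re

# Constructed excerpt of R2 before any hardening.
R2_SAMPLE = """\
no service password-encryption
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
!
line vty 0 4
 login
!
end
"""

# Constructed excerpt of R3 after AutoSecure, using the values the lab shows.
R3_SAMPLE = """\
service password-encryption
security passwords min-length 6
enable secret 5 $1$i3H5$6JaGfJCExTLVatrVfPoUf/
enable password 7 14141B180F0B7E7E72
login block-for 60 attempts 2 within 30
username admin password 7 0822455D0A16544541
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
line vty 0 4
 login authentication local_auth
 transport input telnet ssh
!
end
"""

ICMP_HARDENING = ("no ip redirects", "no ip unreachables", "no ip proxy-arp")
MIN_PASSWORD_LENGTH = 8  # baseline taken from what the lab sets on R1 (assumption)


def parse_config(text):
    # Sections: 'global', 'interface X', 'line Y'; '!' or 'end' closes a section,
    # so output pasted without its leading spaces still parses.
    sections, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("!", "end"):
            current = "global"
        elif re.match(r"(interface|line) ", line):
            current = line
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def audit(text):
    # Returns (scope, code, detail) tuples; an empty list means every item is set.
    cfg = parse_config(text)
    g, findings = cfg["global"], []
    def has(pattern, lines): return any(re.match(pattern, ln) for ln in lines)

    if not has(r"service password-encryption$", g):
        findings.append(("global", "NO_PASSWORD_ENCRYPTION", "line passwords stored in clear text"))
    if not has(r"enable secret ", g):
        findings.append(("global", "NO_ENABLE_SECRET", "no hashed enable secret"))
    if has(r"enable password ", g):  # AutoSecure keeps both; the type 7 one is reversible
        findings.append(("global", "ENABLE_PASSWORD_PRESENT", "type 7 enable password is reversible"))
    lengths = [int(m.group(1)) for m in map(re.compile(r"security passwords min-length (\d+)$").match, g) if m]
    if not lengths:
        findings.append(("global", "NO_MIN_LENGTH", "no minimum password length"))
    elif lengths[-1] < MIN_PASSWORD_LENGTH:
        findings.append(("global", "WEAK_MIN_LENGTH", f"min-length {lengths[-1]} < {MIN_PASSWORD_LENGTH}"))
    if not has(r"login block-for ", g):
        findings.append(("global", "NO_LOGIN_BLOCK", "no lockout after failed logins"))
    for m in map(re.compile(r"username (\S+) password 7 ").match, g):
        if m:
            findings.append(("global", "TYPE7_USER", f"user {m.group(1)} has a reversible type 7 password"))
    if not has(r"logging (host )?\d+\.\d+\.\d+\.\d+", g):
        findings.append(("global", "NO_SYSLOG_HOST", "no central syslog server"))

    for name, lines in cfg.items():
        if name.startswith("interface ") and has(r"ip address \d", lines):
            missing = [c for c in ICMP_HARDENING if c not in lines]
            if missing:
                findings.append((name, "ICMP_SERVICES", "missing " + ", ".join(missing)))
        if name.startswith("line vty"):
            transport = next((ln for ln in lines if ln.startswith("transport input")), "default transport")
            if transport != "transport input ssh":
                findings.append((name, "TELNET_ALLOWED", f"clear-text access possible ({transport})"))
    return findings
```

Calling audit(R3_SAMPLE) reports the items AutoSecure left open in the lab (the extra enable password, the 6-character minimum, the type 7 admin password, no syslog host, Telnet still accepted on the vty lines), while audit(R2_SAMPLE) lists almost everything, which is what you would expect from the untouched R2.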

Step 3: Test connectivity.

  1. Ping from router R1 to the router R3 S0/0/1 interface (10.2.2.1). Were the pings successful? Why or why not? Yes, AutoSecure did not set up a firewall on R3.

Note: Firewalls are covered in detail in Chapter 4.

  2. Ping from PC-A on the R1 LAN to PC-C on the router R3 LAN. Were the pings successful? Why or why not? Yes, the R1 firewall allows traffic that originates from hosts on the R1 LAN to return.

  3. Ping from router R3 to the router R2 S0/0/0 interface (10.1.1.2). Were the pings successful? Why or why not? Yes. There is no firewall or security blocking pings on R2.

  4. Ping from router R3 to the router R1 S0/0/0 interface (10.1.1.1). Were the pings successful? Why or why not? No. The SDM Security Audit configuration does not allow R1 S0/0/0 to respond.

  5. Ping from PC-C on the R3 LAN to PC-A on the router R1 LAN. Were the pings successful? Why or why not? No, the SDM Security Audit configuration does not allow hosts on the R1 LAN to respond to requests from outside the firewall.
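The pattern in these five results (everything that starts on the R1 side works, nothing that starts outside reaches R1 or its LAN, and R2 answers anyone) is what a stateful firewall on R1's outside interface produces. The script below is an added example, not the lab's code, that models that behaviour: traffic leaving the inside records a session, and traffic arriving from outside is admitted only if it matches one. It is a simplified model of stateful inspection, not the Cisco IOS firewall SDM generated; the router addresses are the lab's, the PC-A and PC-C addresses are assumptions.

```python
"""Model of why the Step 3 pings succeed or fail. Added example, not code from
the Cisco lab: a simplified stateful-inspection model of the firewall SDM
Security Audit generated on R1 (outside interface S0/0/0). R2 and R3 have no
firewall, so traffic that never crosses R1's boundary is always allowed."""
import ipaddress

R1_LAN = ipaddress.ip_network("192.168.1.0/24")
R1_ADDRS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("10.1.1.1")}
HOSTS = {  # constructed: router addresses from the lab, PC addresses assumed
    "PC-A": "192.168.1.3", "R1-S0/0/0": "10.1.1.1", "R2-S0/0/0": "10.1.1.2",
    "R3-S0/0/1": "10.2.2.1", "PC-C": "192.168.3.3",
}


class StatefulFirewall:
    """Inside-originated traffic creates a session entry; outside-originated
    traffic is admitted only when it matches one, so unsolicited echo requests
    from R3 or PC-C are dropped before R1 or its LAN can answer."""

    def __init__(self):
        self.sessions = set()
        self.dropped = []

    @staticmethod
    def inside(addr):
        return addr in R1_LAN or addr in R1_ADDRS

    def forward(self, src, dst, proto, ident):
        # Returns True if the packet is allowed through.
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.inside(src) == self.inside(dst):
            return True  # both ends on the same side: never crosses the firewall
        if self.inside(src):
            self.sessions.add((dst, src, proto, ident))  # remember the expected reply
            return True
        if (src, dst, proto, ident) in self.sessions:
            return True  # reply to something the inside asked for
        self.dropped.append((src, dst, proto, ident))
        return False


def ping(fw, src, dst, ident=1):
    """Echo request src->dst then echo reply dst->src (same flow key in this
    model); True only if both directions are forwarded."""
    request_ok = fw.forward(src, dst, "icmp-echo", ident)
    return request_ok and fw.forward(dst, src, "icmp-echo", ident)


def run_lab_pings(fw=None):
    """The five pings from Task 6 Step 3, in the lab's order."""
    fw = fw or StatefulFirewall()
    return {
        "R1 -> R3 S0/0/1": ping(fw, HOSTS["R1-S0/0/0"], HOSTS["R3-S0/0/1"], 1),
        "PC-A -> PC-C": ping(fw, HOSTS["PC-A"], HOSTS["PC-C"], 2),
        "R3 -> R2 S0/0/0": ping(fw, HOSTS["R3-S0/0/1"], HOSTS["R2-S0/0/0"], 3),
        "R3 -> R1 S0/0/0": ping(fw, HOSTS["R3-S0/0/1"], HOSTS["R1-S0/0/0"], 4),
        "PC-C -> PC-A": ping(fw, HOSTS["PC-C"], HOSTS["PC-A"], 5),
    }


if __name__ == "__main__":
    for path, ok in run_lab_pings().items():
        print(f"{path:18} {'success' if ok else 'no reply (dropped by R1 firewall)'}")
```

Running it reproduces the answer key: the first three pings succeed and the last two fail, and fw.dropped holds exactly the two outside-originated echo requests that R1 refused.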

Task 7. Reflection


  1. How important is securing router access and monitoring network devices to ensure responsibility and accountability and for thwarting potentially malicious activity? Answers will vary, but it should be clear after this lab that there are many potential vulnerabilities for routers that can be exploited. Securing these devices is a very important part of a network administrator’s job and an organization’s security policy.

  2. What advantages does SSH have over Telnet? SSH is much more secure than Telnet.

  3. What advantages does Telnet have over SSH? Virtually any host has a Telnet client available, but SSH requires an SSH client to gain access to the SSH-enabled router.

  4. How scalable is setting up usernames and using the local database for authentication? Using the local router database for authentication does not scale well because usernames would need to be set up on each device. AAA with an external centralized server is a much more scalable solution. AAA is covered in detail in Chapter 3.

  5. Why is it better to have centralized logging servers rather than only have the routers log locally?

It is better to use centralized logging servers because it is much easier to manage and track events. In larger organizations, it is almost impossible to keep track of every individual router’s events without having a centralized way to view information.

  6. What are some advantages to using automated security mechanisms like AutoSecure and SDM Security Audit? These tools catch security vulnerabilities that many network administrators might overlook or might not even be aware of. These tools can lock down a router much faster than entering one command at a time, with less potential for entry errors. Also, the tools avoid the need to use complex Cisco IOS commands and procedures.

Router Interface Summary Table

Router Interface Summary

Router Model   Ethernet Interface #1       Ethernet Interface #2       Serial Interface #1      Serial Interface #2
1700           Fast Ethernet 0 (FA0)       Fast Ethernet 1 (FA1)       Serial 0 (S0)            Serial 1 (S1)
1800           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2600           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0 (S0/0)        Serial 0/1 (S0/1)
2800           Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.



Device Configs - Part 1 and 2 combined for R1 and R3

Router R1

R1#sh run
Building configuration...

Current configuration : 1856 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 8
logging message-counter syslog
enable secret 5 $1$ZKP6$m17lTmPnFb0ffRw5nn6vO1
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name ccnasecurity.com
login block-for 60 attempts 2 within 30
login on-failure log every 2
!
no ipv6 cef
multilink bundle-name authenticated
!
username user01 password 7 09595D0C0B540713181F
username user02 secret 5 $1$4dEG$m5EkFmKtgYERiQRgWwi5v.
username admin privilege 15 secret 5 $1$bK1r$P/ctJGsHwscRaQGa8F/q50
archive
 log config
  hidekeys
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 no fair-queue
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
control-plane
!
banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C
!
line con 0
 exec-timeout 5 0
 password 7 104D000A0618110402
 logging synchronous
 login local
line aux 0
 exec-timeout 5 0
 password 7 094F471A1A0A160713
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 password 7 104D000A0618041F15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end
R1#

Router R2

R2#sh run
Building configuration...

Current configuration : 1089 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 no fair-queue
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 64000
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.2.2.1
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
R2#

Router R3

R3#sh run
Building configuration...

Current configuration : 1856 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 8
logging message-counter syslog
enable secret 5 $1$ZKP6$m17lTmPnFb0ffRw5nn6vO1
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name ccnasecurity.com
login block-for 60 attempts 2 within 30
login on-failure log every 2
!
no ipv6 cef
multilink bundle-name authenticated
!
username user01 password 7 09595D0C0B540713181F
username user02 secret 5 $1$4dEG$m5EkFmKtgYERiQRgWwi5v.
username admin privilege 15 secret 5 $1$bK1r$P/ctJGsHwscRaQGa8F/q50
archive
 log config
  hidekeys
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 no fair-queue
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
control-plane
!
banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C
!
line con 0
 exec-timeout 5 0
 password 7 104D000A0618110402
 logging synchronous
 login local
line aux 0
 exec-timeout 5 0
 password 7 094F471A1A0A160713
 login
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 password 7 104D000A0618041F15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end
R3#
Router configs added for Part 3

Routers R1 and R3

aaa new-model
!
aaa session-id common
parser view admin1
 secret 5 $1$MWgB$WpAllwq5gjLB457F70p0M.
 commands exec include all configure terminal
 commands exec include configure
 commands exec include all show
 commands exec include all debug
!
parser view admin2
 secret 5 $1$E7M.$OQfsFG5u3/BO.J4PKZ6WK1
 commands exec include all show
!
parser view tech
 secret 5 $1$qZGu$SQzAqmLGtewUPjwRO06ls0
 commands exec include show ip interface brief
 commands exec include show ip interface
 commands exec include show ip
 commands exec include show version
 commands exec include show parser view
 commands exec include show parser
 commands exec include show interfaces
 commands exec include show

Router R2 – No change

Router configs added for Part 4

Routers R1 and R3

ntp server 10.1.1.2
ntp update-calendar
ip http server
ntp server 10.1.1.2
ntp update-calendar

Router R2

ntp master 3
Router configs after Part 5

Router R3 (after running AutoSecure)

R3#sh run
Building configuration...

Current configuration : 2702 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging message-counter syslog
logging buffered 4096
logging console critical
enable secret 5 $1$i3H5$6JaGfJCExTLVatrVfPoUf/
enable password 7 14141B180F0B7E7E72
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name ccnasecurity.com
login block-for 60 attempts 2 within 30
!
no ipv6 cef
multilink bundle-name authenticated
!
username admin password 7 0822455D0A16544541
archive
 log config
  logging enable
  hidekeys
!
!
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept connection-timeout 3600
ip tcp intercept watch-timeout 15
ip tcp intercept max-incomplete low 450 high 550
ip tcp intercept drop-mode random
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 snmp trap ip verify drop-rate
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
control-plane
!
banner motd ^C Unauthorized Access Prohibited ^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
R3#
