CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 6 of 9
Step 3: Create a user with privilege level 15.
Router(config)# username admin privilege 15 password cisco12345
Step 4: Configure SSH and Telnet for local login.
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport input telnet ssh
Router(config-line)# exit
Part 3: CCP Installation and Initial Setup
Step 1: Install CCP
Note: This section can be skipped if CCP is already installed on your PC.
a. Download CCP 2.5 from Cisco's website:
http://www.cisco.com/cisco/software/release.html?mdfid=281795035&softwareid=282159854&release=2.5&rellifecycle=&relind=AVAILABLE&reltype=all
b. Choose the file cisco-config-pro-k9-pkg-2_5-en.zip. Note: Be sure to select the correct CCP file and not CCP Express. If there is a more current release of CCP, you may choose to download it. However, the labs in this course are based on CCP 2.5.
c. Agree to the terms and conditions and download and save the file to the desired location.
d. Open the zip file and run the CCP executable.
e. Follow the on-screen instructions to install CCP 2.5 on your PC.
Note: If Cisco CP is installed on a PC that uses the Microsoft Windows Vista operating system or the Microsoft Windows 7 operating system, Cisco CP may fail to launch.
Possible solutions:
1. Compatibility settings:
a. Right click on the Cisco CP icon or menu item and select Properties.
b. While in the Properties dialog box, select the Compatibility tab. In this tab, select the checkbox for Run this program in compatibility mode for. Then in the drop down menu below, choose Windows XP (Service Pack 3) for example, if it is appropriate for your system.
c. Click OK.
2. Run as Administrator settings:
a. Right click on the Cisco CCP icon or menu item and select Properties.
b. While in the Properties dialog box, select the Compatibility tab. In this tab, select the checkbox for Run this program as administrator in the Privilege Level section.
c. Click OK.
3. Run as Administrator for each launch:
a. Right click on the Cisco CP icon or menu item and select Run as Administrator.
b. For more information, please refer to the Cisco CP Quick Start Guide or search for "run as administrator" for your operating system on the internet.
Note: It may be necessary to temporarily disable antivirus programs and OS firewalls in order to run CCP.
Step 2: Create/Manage Communities
CCP 2.5 can discover up to 10 devices in a community. If desired, the information for both R1 and R3 can be included in one community if the PC has network connectivity to the routers. Only R3 is discovered on PC-C in this section as an example.
a. On PC-C, start CCP: Start > Cisco Configuration Professional.
b. In the Select/Manage Community window, input into the appropriate fields the R3 IP address 192.168.3.1, the Username admin, and the Password cisco12345.
c. Click OK to continue.
Step 3: Discover Router Devices
a. Click Discover on the Dashboard to discover and connect to R3. If discovery fails, click the Discovery Details button to determine the problem so that you can resolve the issue.
b. Once the router has been discovered by CCP, you are ready to configure your Select Community Member. In this example, the Select Community Member is 192.168.3.1.
Router Interface Summary Table
Router Interface Summary
Router Model | Ethernet Interface #1        | Ethernet Interface #2        | Serial Interface #1   | Serial Interface #2
1800         | Fast Ethernet 0/0 (Fa0/0)    | Fast Ethernet 0/1 (Fa0/1)    | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
1900         | Gigabit Ethernet 0/0 (Fa0/0) | Gigabit Ethernet 0/1 (Fa0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2800         | Fast Ethernet 0/0 (Fa0/0)    | Fast Ethernet 0/1 (Fa0/1)    | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2900         | Gigabit Ethernet 0/0 (Fa0/0) | Gigabit Ethernet 0/1 (Fa0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
CCNA Security
Chapter 1 Lab A: Researching Network Attacks and Security Audit Tools
Instructor Version
Grey Highlighting – indicates answers provided on instructor lab copies only
Objectives
Part 1: Researching Network Attacks
Research network attacks that have occurred. Select a network attack and develop a report for presentation to the class.
Part 2: Researching Security Audit Tools
Research network security audit tools. Select a tool and develop a report for presentation to the class.
Background/Scenario
Network attacks have resulted in the loss of sensitive data and significant network downtime. When a network or the resources within it are inaccessible, worker productivity can suffer, and business income may be lost.
Attackers have developed many tools over the years to attack and compromise the networks of organizations. These attacks take many forms, but in most cases, they seek to obtain sensitive information, destroy
resources, or deny legitimate users access to resources.
To understand how to defend a network against attacks, an administrator must first identify network vulnerabilities. Specialized security audit software developed by equipment and software manufacturers can
be used to help identify potential weaknesses. In addition, the same tools used by attackers can be used to test the ability of a network to mitigate an attack. After the vulnerabilities are known, steps can be taken to
help mitigate the network attacks.
This lab provides a structured research project that is divided into two parts: Researching Network Attacks and Researching Security Audit Tools. You can elect to perform Part 1, Part 2, or both. Let your instructor know what you plan to do, to ensure that a variety of network attacks and vulnerability tools are reported on by the members of the class.
In Part 1, you research various network attacks that have actually occurred. You select one of these and describe how the attack was perpetrated and how extensive the network outage or damage was. You also
investigate how the attack could have been mitigated or what mitigation techniques might have been implemented to prevent future attacks. You prepare a report based on a predefined form included in the lab.
In Part 2, you research network security audit tools and investigate one that can be used to identify host or network device vulnerabilities. You create a one-page summary of the tool based on a predefined form
included in the lab. You prepare a short 5–10 minute presentation to present to the class.
You may work in teams of two with one person reporting on the network attack and the other reporting on the security audit tools. All team members deliver a short overview of their findings. You can use live
demonstrations or PowerPoint to summarize your findings.
Required Resources
Computer with Internet access for research.
Presentation computer with PowerPoint or other presentation software installed.
Video projector and screen for demonstrations and presentations.
Instructor Note: To maintain tighter control over what the students report, you can provide the students a list of recent network attacks and security audit tools from which to choose. You might want to ask the students to email you their desired research project by a specific time, or you will assign them a topic. In the email, they should provide some background information (description, links, and so on) to make sure that no one is doing the same thing.
Part 1. Researching Network Attacks
In Part 1 of this lab, you research various network attacks that have actually occurred and select one on which to report. Fill in the form below based on your findings.
Step 1: Research various network attacks.
List some of the attacks you identified in your search. Possible examples include: Code Red, Nimda, Back Orifice, Blaster, MyDoom, SQL Slammer, SMURF, Tribe Flood Network (TFN), Stacheldraht, Sobig, Netsky, Witty, and Storm. The Code Red attack is used as an example here.
Instructor Note: An extensive list of viruses and worms listed by the year they were discovered can be found at http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms.
Step 2: Fill in the following form for the network attack selected.
Name of attack: Code Red
Type of attack: Worm
Dates of attacks: July 2001
Computers / Organizations affected: Infected an estimated 359,000 computers in one day.
How it works and what it did: Instructor Note: Most of the following is from Wikipedia.
Code Red exploited buffer-overflow vulnerabilities in unpatched Microsoft Internet Information Servers. It launched Trojan code in a denial-of-service attack against fixed IP addresses. The worm spread itself using a common type of vulnerability known as a buffer overflow. It used a long string repeating the character N to overflow a buffer, which then allowed the worm to execute arbitrary code and infect the machine. The payload of the worm included the following:
- Defacing the affected website with the message: HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
- It tried to spread itself by looking for more IIS servers on the Internet.
- It waited 20–27 days after it was installed to launch DoS attacks on several fixed IP addresses. The IP address of the White House web server was among them.
- When scanning for vulnerable machines, the worm did not check whether the server running on a remote machine was running a vulnerable version of IIS or whether it was running IIS at all.
Mitigation options:
To prevent the exploitation of the IIS vulnerability, organizations needed to apply the IIS patch from Microsoft.
References and info links:
CERT Advisory CA-2001-19
eEye Code Red advisory
Code Red II analysis
Presentation support graphics (include PowerPoint filename or web links):
Wikipedia, "Animation on The Spread of the Code-Red Worm (CRv2)". CAIDA Analysis. Retrieved on 2006-10-03.
www.networkworld.com/slideshows/2008/031108-worst-moments-in-net-security.html?nwwpkg=slideshows
Part 2. Researching Security Audit Tools
In Part 2 of this lab, you research network security audit tools and attacker tools and investigate one that can be used to identify host or network device vulnerabilities. Fill in the report below based on your findings.
Step 1: Research various security audit and network attack tools.
List some of the tools that you identified in your search. Possible examples include: Microsoft Baseline Security Analyzer (MBSA), NMAP, Cisco IOS AutoSecure, Cisco Configuration Professional (CCP) Security Audit Wizard, Sourceforge Network Security Analysis Tool (NSAT), Solarwinds Engineering Toolset.
Attacker tools may also be investigated, including L0phtcrack, Cain and Abel, John the Ripper, Netcat, THC Hydra, Chkrootkit, DSniff, Nessus, AirSnort, AirCrack, WEPCrack.
The CCP Security Audit tool is used as an example here.
Instructor Note: Additional sources of information include the following:
http://www.yolinux.com/TUTORIALS/LinuxSecurityTools.html
Top Network Security Tools:
http://sectools.org
Password Crackers:
http://sectools.org/crackers.html
Sniffers:
http://sectools.org/sniffers.html
Vulnerability Scanners:
http://sectools.org/vuln-scanners.html
Web Scanners:
http://sectools.org/web-scanners.html
Wireless:
http://sectools.org/wireless.html
Exploitation:
http://sectools.org/sploits.html
Packet Crafters:
http://sectools.org/tag/packet-crafters
Step 2: Fill in the following form for the security audit or network attack tool selected.
Name of tool: CCP Security Audit
Developer: Cisco Systems
Type of tool (character-based or GUI): Cisco router GUI-based security analysis
Used on network device or computer host: Router
Cost: Free to download
Description of key features and capabilities of product or tool:
CCP Security Audit wizard runs a series of predefined checklists to assess the security configuration of a router. When finished, CCP presents a list of recommended actions, which you
can selectively choose to apply. CCP also allows you to directly perform a one-step router lockdown option. One-step lockdown configures the router with a set of defined security features
with recommended settings.
Security Audit is a feature of CCP that examines an existing router configuration and then provides a list of recommended configuration changes to make a router and network more secure. For a
complete list of functions that Security Audit checks for, see the online help topics in CCP.
Security audit does the following:
- Checks the router running configuration against a list of predefined security configuration settings
- Lists identified problems and provides recommendations for fixing them
- Allows the user to choose which problems to fix and displays the appropriate user interface for fixing them
- Delivers commands to configure the router with the chosen security configuration
Examples of security-related issues that Security Audit can address include services that should be disabled, password requirements, warning banners, Telnet settings, SSH access, firewalls, logging, and AAA. CCP and the Security Audit wizard provide context-sensitive help.
References and info links:
http://www.cisco.com/en/US/prod/collateral/routers/ps9422/data_sheet_c78_462210.html
Step 3: Reflection
a. What is the prevalence of network attacks and what is their impact on the operation of an organization? What are some key steps organizations can take to help protect their networks and resources?
Answers will vary. Massive network attacks like Code Red, which can affect large portions of the Internet, are less common because of mitigation strategies that have been implemented. However, smaller targeted attacks, especially those intended to acquire personal information, are more common than ever. Networking devices and hosts on a network have many potential vulnerabilities that can be exploited. Vulnerability analysis tools can help identify security holes so that network administrators can take steps to correct the problem before an attack occurs. Other steps that can be taken include the use of firewalls, intrusion detection and prevention, hardening of network devices, endpoint protection, AAA, user education and security policy development.
b. Have you actually worked for an organization or know of one where the network was compromised? If so, what was the impact to the organization and what did it do about it?
Answers will vary, and the results can be interesting.
c. What steps can you take to protect your own PC or laptop computer?
Answers will vary but could include keeping the operating system and applications up to date with patches and service packs, using a personal firewall, configuring passwords to access the system, configuring screensavers to timeout and requiring a password, protecting important files by making them read-only, encrypting confidential files and backup files for safe keeping.
CCNA Security
Chapter 2 Lab A: Securing the Router for Administrative Access
Instructor Version
Grey Highlighting – indicates answers provided on instructor lab copies only
Topology
Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet Interfaces.
IP Addressing Table
Device | Interface    | IP Address  | Subnet Mask     | Default Gateway | Switch Port
R1     | Fa0/1        | 192.168.1.1 | 255.255.255.0   | N/A             | S1 Fa0/5
R1     | S0/0/0 (DCE) | 10.1.1.1    | 255.255.255.252 | N/A             | N/A
R2     | S0/0/0       | 10.1.1.2    | 255.255.255.252 | N/A             | N/A
R2     | S0/0/1 (DCE) | 10.2.2.2    | 255.255.255.252 | N/A             | N/A
R3     | Fa0/1        | 192.168.3.1 | 255.255.255.0   | N/A             | S3 Fa0/5
R3     | S0/0/1       | 10.2.2.1    | 255.255.255.252 | N/A             | N/A
PC-A   | NIC          | 192.168.1.3 | 255.255.255.0   | 192.168.1.1     | S1 Fa0/6
PC-C   | NIC          | 192.168.3.3 | 255.255.255.0   | 192.168.3.1     | S3 Fa0/18
Objectives
Part 1: Basic Network Device Configuration
Cable the network as shown in the topology.
Configure basic IP addressing for routers and PCs.
Configure static routing, including default routes.
Verify connectivity between hosts and routers.
Part 2: Control Administrative Access for Routers
Configure and encrypt all passwords.
Configure a login warning banner.
Configure enhanced username password security.
Configure enhanced virtual login security.
Configure an SSH server on a router.
Configure an SSH client and verify connectivity.
Part 3: Configure Administrative Roles
Create multiple role views and grant varying privileges.
Verify and contrast views.
Part 4: Configure Cisco IOS Resilience and Management Reporting
Secure the Cisco IOS image and configuration files.
Configure a router as a synchronized time source for other devices using NTP.
Configure Syslog support on a router.
Install a Syslog server on a PC and enable it.
Configure trap reporting on a router using SNMP.
Make changes to the router and monitor syslog results on the PC.
Part 5: Configure Automated Security Features
Lock down a router using AutoSecure and verify the configuration.
Use the CCP Security Audit tool to identify vulnerabilities and to lock down services.
Contrast the AutoSecure configuration with CCP.
Background/Scenario
The router is a key component that controls the movement of data into and out of the network and between devices within the network. It is particularly important to protect network routers because the failure of a
routing device could make sections of the network or the entire network inaccessible. Controlling access to routers and enabling reporting on routers are critical to network security and should be part of a
comprehensive security policy.
In this lab, you build a multi-router network and configure the routers and hosts. You use various CLI and CCP tools to secure local and remote access to the routers, analyze potential vulnerabilities, and take steps
to mitigate them. You also enable management reporting to monitor router configuration changes.
The router commands and output in this lab are from Cisco 1841s using Cisco IOS software, release 12.4(20)T (advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the model of the router, the commands available and output produced may vary from what is shown in this lab.
Note: Make sure that the routers and the switches have been erased and have no startup configurations.
Instructor Note: Instructions for erasing switches and routers are provided in the Lab Manual, located on Academy Connection in the Tools section.
Required Resources
3 routers (Cisco 1841 with Cisco IOS software, release 12.4(20)T1 or comparable)
2 switches (Cisco 2960 or comparable)
PC-A: Windows XP, Vista, or Windows 7 with CCP 2.5, PuTTy SSH Client (no ACS required)
PC-C: Windows XP, Vista or Windows 7 with PuTTy SSH Client and Kiwi or Tftpd32 Syslog server
Serial and Ethernet cables as shown in the topology
Rollover cables to configure the routers via the console port
CCP Notes:
Refer to Chp 00 Lab A for instructions on how to install and run CCP. Hardware/software recommendations for CCP include Windows XP, Vista, or Windows 7 with Java version 1.6.0_11 up to 1.6.0_21, Internet Explorer 6.0 or above and Flash Player Version 10.0.12.36 and later. If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-click on the CCP icon or menu item, and choose Run as administrator.
In order to run CCP, it may be necessary to temporarily disable antivirus programs and OS firewalls. Make sure that all pop-up blockers are turned off in the browser.
Instructor Note: This lab is divided into five parts. Each part can be administered individually or in combination with others as time
permits. The main goal is to configure various Cisco IOS and CCP security features on routers R1 and R3. R1 and R3 are on separate networks and communicate through R2, which simulates a connection to an ISP.
Students can work in teams of two for router security configuration, one student configuring R1 and the other student configuring R3.
Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3.
The basic running configs for all three routers are captured after Parts 1 and 2 of the lab are completed. The running config commands that are added in Parts 3 and 4 are captured and listed separately. The running configs
generated by AutoSecure for R3 and CCP Security Audit for R1 in Part 5 of the lab are listed separately. All configs are found at the end of the lab.
Part 1: Basic Router Configuration
In Part 1 of this lab, you set up the network topology and configure basic settings such as interface IP addresses and static routing.
Step 1: Cable the network.
Attach the devices shown in the topology diagram and cable as necessary.
Step 2: Configure basic settings for each router.
a. Configure host names as shown in the topology.
b. Configure interface IP addresses as shown in the IP Addressing Table.
c. Configure a clock rate for routers with a DCE serial cable attached to their serial interface. Router R1 is shown here as an example.
R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000
d. To prevent the router from attempting to translate incorrectly entered commands as though they were host names, disable DNS lookup. Router R1 is shown here as an example.
R1(config)# no ip domain-lookup
Step 3: Configure static routing on the routers.
a. Configure a static default route from R1 to R2 and from R3 to R2.
b. Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.
Step 4: Configure PC host IP settings.
Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C as shown in the IP Addressing Table.
Step 5: Verify connectivity between PC-A and R3.
a. Ping from R1 to R3. Were the ping results successful? Yes.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN. Were the ping results successful? Yes.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from PC-A to PC-C you have demonstrated that static routing is configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct,
use the show run and show ip route commands to help identify routing protocol related problems.
Step 6: Save the basic running configuration for each router.
Use the Transfer > Capture Text option in HyperTerminal or some other method to capture the running configs for each router. Save the three files so that they can be used to restore configs later in the lab.
Part 2: Control Administrative Access for Routers
In Part 2 of this lab, you will:
Configure and encrypt passwords.
Configure a login warning banner.
Configure enhanced username password security.
Configure enhanced virtual login security.
Configure an SSH server on router R1 using the CLI.
Research terminal emulation client software and configure the SSH client.
Note: Perform all tasks on both R1 and R3. The procedures and output for R1 are shown here.
Task 1: Configure and Encrypt Passwords on Routers R1 and R3
Step 1: Configure a minimum password length for all router passwords.
Use the security passwords command to set a minimum password length of 10 characters.
R1(config)# security passwords min-length 10
Step 2: Configure the enable secret password.
Configure the enable secret encrypted password on both routers.
R1(config)# enable secret cisco12345
How does configuring an enable secret password help protect a router from being compromised by an attack?
The goal is to always prevent unauthorized users from accessing a device using Telnet, SSH, or via the console. If attackers are able to penetrate this first layer of defense, using an enable secret password
prevents them from being able to alter the configuration of the device. Unless the enable secret password is known, a user cannot go into privileged EXEC mode where they can display the running config and
enter various configuration commands to make changes to the router. This provides an additional layer of security.
Step 3: Configure basic console, auxiliary port, and virtual access lines.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.
a. Configure a console password and enable login for routers. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.
Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.
R1(config)# line console 0
R1(config-line)# password ciscocon
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous
When you configured the password for the console line, what message was displayed? Password too short - must be at least 10 characters. Password configuration failed.
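The kind of running-config check that the CCP Security Audit wizard performs (Chapter 1 lab, Part 2) can be illustrated for the hardening steps of this Part: minimum password length, enable secret, exec-timeout on each line, login local and SSH-only transport on the vty lines. This is an added example and not CCP's or Cisco's code; the running-config text is constructed for the example and the thresholds follow this lab.

```python
import re

# Constructed sample running-config for R1 after the Part 1 and Part 2 steps
# (not captured from a real router). Two settings are deliberately left weak.
SAMPLE_CONFIG = """\
hostname R1
security passwords min-length 10
enable secret 5 $1$PLACEHOLDER$hashvaluehashvaluehashval
username admin privilege 15 password cisco12345
no ip domain-lookup
line con 0
 password ciscoconpass
 exec-timeout 5 0
 login
 logging synchronous
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet ssh
"""


def parse_config(text):
    """Split an IOS running-config into global commands and per-line sections.

    Returns (global_cmds, {"con 0": [...], "vty 0 4": [...]}); sub-commands
    are the one-space-indented lines that follow a 'line ...' command.
    """
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = None
        match = re.match(r"line (\S+ \d+(?: \d+)?)$", raw.strip())
        if match:
            current = match.group(1)
            sections[current] = []
        else:
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(text):
    """Return a list of findings; an empty list means every check passed.

    Checks mirror this lab's Part 2 steps: min-length 10, enable secret, no
    plaintext 'username ... password', exec-timeout on every line, and
    'login local' plus SSH-only transport on the vty lines.
    """
    global_cmds, sections = parse_config(text)
    findings = []
    min_len = next((c for c in global_cmds
                    if c.startswith("security passwords min-length")), None)
    if min_len is None or int(min_len.split()[-1]) < 10:
        findings.append("global: 'security passwords min-length 10' not set")
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("global: 'enable secret' missing")
    if any(re.match(r"username \S+ .*\bpassword ", c) for c in global_cmds):
        findings.append("global: username uses 'password' (use 'secret')")
    for name, cmds in sections.items():
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None or timeout.split()[1:] == ["0", "0"]:
            findings.append(f"line {name}: exec-timeout unset or disabled (0 0)")
        if not name.startswith("vty"):
            continue
        if "login local" not in cmds:
            findings.append(f"line {name}: 'login local' missing")
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None or "telnet" in transport.split():
            findings.append(f"line {name}: Telnet allowed; expected 'transport input ssh'")
    return findings


def password_meets_min_length(password, min_length=10):
    """Reproduce the check behind 'Password too short - must be at least 10 characters'."""
    return len(password) >= min_length


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the plaintext username password and the vty line that still allows Telnet, which are the two items this lab's later steps correct.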
b. Configure a new password of ciscoconpass for the console.