
CCNA Security All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 9

Step 3: Create a user with privilege level 15.

Router(config)# username admin privilege 15 password cisco12345

Step 4: Configure SSH and Telnet for local login.

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport input telnet ssh
Router(config-line)# exit

Part 3: CCP Installation and Initial Setup

Step 1: Install CCP

Note: This section can be skipped if CCP is already installed on your PC.

a. Download CCP 2.5 from Cisco's website:
http://www.cisco.com/cisco/software/release.html?mdfid=281795035&softwareid=282159854&release=2.5&rellifecycle=&relind=AVAILABLE&reltype=all
b. Choose the file cisco-config-pro-k9-pkg-2_5-en.zip.
Note: Be sure to select the correct CCP file and not CCP Express. If there is a more current release of CCP, you may choose to download it. However, the labs in this course are based on CCP 2.5.
c. Agree to the terms and conditions, then download and save the file to the desired location.
d. Open the zip file and run the CCP executable.
e. Follow the on-screen instructions to install CCP 2.5 on your PC.

Note: If Cisco CP is installed on a PC that uses the Microsoft Windows Vista or Microsoft Windows 7 operating system, Cisco CP may fail to launch. Possible solutions:

1. Compatibility settings:
   a. Right-click the Cisco CP icon or menu item and select Properties.
   b. In the Properties dialog box, select the Compatibility tab. In this tab, select the checkbox for "Run this program in compatibility mode for". Then, in the drop-down menu below, choose Windows XP (Service Pack 3), for example, if it is appropriate for your system.
   c. Click OK.
2. Run as Administrator settings:
   a. Right-click the Cisco CP icon or menu item and select Properties.
   b. In the Properties dialog box, select the Compatibility tab. In this tab, select the checkbox for "Run this program as administrator" in the Privilege Level section.
   c. Click OK.
3. Run as Administrator for each launch:
   a. Right-click the Cisco CP icon or menu item and select Run as Administrator.
   b. For more information, refer to the Cisco CP Quick Start Guide or search for "run as administrator" for your operating system on the Internet.

Note: It may be necessary to temporarily disable antivirus programs and OS firewalls in order to run CCP.

Step 2: Create/Manage Communities

CCP 2.5 can discover up to 10 devices in a community. If desired, the information for both R1 and R3 can be included in one community if the PC has network connectivity to the routers. Only R3 is discovered on PC-C in this section as an example.

a. On PC-C, start CCP: Start > Cisco Configuration Professional.
b. In the Select/Manage Community window, enter the R3 IP address (192.168.3.1), the username (admin), and the password (cisco12345) in the appropriate fields.
c. Click OK to continue.

Step 3: Discover Router Devices

a. Click Discover on the Dashboard to discover and connect to R3. If discovery fails, click the Discovery Details button to determine the problem so that you can resolve the issue.
b. Once the router has been discovered by CCP, you are ready to configure your Select Community Member. In this example, the Select Community Member is 192.168.3.1.

Router Interface Summary Table

Router Model | Ethernet Interface 1 | Ethernet Interface 2 | Serial Interface 1 | Serial Interface 2
1800 | Fast Ethernet 0/0 (Fa0/0) | Fast Ethernet 0/1 (Fa0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
1900 | Gigabit Ethernet 0/0 (Fa0/0) | Gigabit Ethernet 0/1 (Fa0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2800 | Fast Ethernet 0/0 (Fa0/0) | Fast Ethernet 0/1 (Fa0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)
2900 | Gigabit Ethernet 0/0 (Fa0/0) | Gigabit Ethernet 0/1 (Fa0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

CCNA Security

Chapter 1 Lab A: Researching Network Attacks and Security Audit Tools

Instructor Version
Grey Highlighting – indicates answers provided on instructor lab copies only

Objectives

Part 1: Researching Network Attacks
• Research network attacks that have occurred.
• Select a network attack and develop a report for presentation to the class.

Part 2: Researching Security Audit Tools
• Research network security audit tools.
• Select a tool and develop a report for presentation to the class.

Background/Scenario

Network attacks have resulted in the loss of sensitive data and significant network downtime. When a network or the resources within it are inaccessible, worker productivity can suffer, and business income may be lost. Attackers have developed many tools over the years to attack and compromise the networks of organizations. These attacks take many forms, but in most cases they seek to obtain sensitive information, destroy resources, or deny legitimate users access to resources.

To understand how to defend a network against attacks, an administrator must first identify network vulnerabilities. Specialized security audit software developed by equipment and software manufacturers can be used to help identify potential weaknesses. In addition, the same tools used by attackers can be used to test the ability of a network to mitigate an attack. After the vulnerabilities are known, steps can be taken to help mitigate the network attacks.

This lab provides a structured research project that is divided into two parts: Researching Network Attacks and Researching Security Audit Tools. You can elect to perform Part 1, Part 2, or both. Let your instructor know what you plan to do, to ensure that a variety of network attacks and vulnerability tools are reported on by the members of the class.

In Part 1, you research various network attacks that have actually occurred. You select one of these and describe how the attack was perpetrated and how extensive the network outage or damage was. You also investigate how the attack could have been mitigated or what mitigation techniques might have been implemented to prevent future attacks. You prepare a report based on a predefined form included in the lab.

In Part 2, you research network security audit tools and investigate one that can be used to identify host or network device vulnerabilities. You create a one-page summary of the tool based on a predefined form included in the lab. You prepare a short 5–10 minute presentation to present to the class.

You may work in teams of two, with one person reporting on the network attack and the other reporting on the security audit tools. All team members deliver a short overview of their findings. You can use live demonstrations or PowerPoint to summarize your findings.

Required Resources
• Computer with Internet access for research.
• Presentation computer with PowerPoint or other presentation software installed.
• Video projector and screen for demonstrations and presentations.

Instructor Note: To maintain tighter control over what the students report, you can provide the students a list of recent network attacks and security audit tools from which to choose. You might want to ask the students to email you their desired research project by a specific time, or you will assign them a topic. In the email, they should provide some background information (description, links, and so on) to make sure that no one is doing the same thing.

Part 1. Researching Network Attacks

In Part 1 of this lab, you research various network attacks that have actually occurred and select one on which to report. Fill in the form below based on your findings.

Step 1: Research various network attacks.

List some of the attacks you identified in your search.
Possible examples include: Code Red, Nimda, Back Orifice, Blaster, MyDoom, SQL Slammer, SMURF, Tribe Flood Network (TFN), Stacheldraht, Sobig, Netsky, Witty, and Storm. The Code Red attack is used as an example here.

Instructor Note: An extensive list of viruses and worms, listed by the year they were discovered, can be found at http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms.

Step 2: Fill in the following form for the network attack selected.

Name of attack: Code Red
Type of attack: Worm
Dates of attacks: July 2001
Computers / Organizations affected: Infected an estimated 359,000 computers in one day.
How it works and what it did:
Instructor Note: Most of the following is from Wikipedia.
Code Red exploited buffer-overflow vulnerabilities in unpatched Microsoft Internet Information Servers. It launched Trojan code in a denial-of-service attack against fixed IP addresses. The worm spread itself using a common type of vulnerability known as a buffer overflow. It used a long string of the repeated character "N" to overflow a buffer, which then allowed the worm to execute arbitrary code and infect the machine. The payload of the worm included the following:
• Defacing the affected website with the message: HELLO Welcome to http://www.worm.com Hacked By Chinese
• It tried to spread itself by looking for more IIS servers on the Internet.
• It waited 20–27 days after it was installed to launch DoS attacks on several fixed IP addresses. The IP address of the White House web server was among them.
• When scanning for vulnerable machines, the worm did not check whether the server running on a remote machine was running a vulnerable version of IIS, or whether it was running IIS at all.
Mitigation options: To prevent the exploitation of the IIS vulnerability, organizations needed to apply the IIS patch from Microsoft.
References and info links: CERT Advisory CA-2001-19; eEye Code Red advisory; Code Red II analysis
Presentation support graphics (include PowerPoint filename or web links): Wikipedia, "Animation on The Spread of the Code-Red Worm (CRv2)", CAIDA Analysis, retrieved on 2006-10-03; www.networkworld.com/slideshows/2008/031108-worst-moments-in-net-security.html?nwwpkg=slideshows

Part 2. Researching Security Audit Tools

In Part 2 of this lab, you research network security audit tools and attacker tools and investigate one that can be used to identify host or network device vulnerabilities. Fill in the report below based on your findings.

Step 1: Research various security audit and network attack tools.

List some of the tools that you identified in your search.
Possible examples include: Microsoft Baseline Security Analyzer (MBSA), NMAP, Cisco IOS AutoSecure, Cisco Configuration Professional (CCP) Security Audit Wizard, Sourceforge Network Security Analysis Tool (NSAT), and Solarwinds Engineering Toolset. Attacker tools may also be investigated, including L0phtcrack, Cain and Abel, John the Ripper, Netcat, THC Hydra, Chkrootkit, DSniff, Nessus, AirSnort, AirCrack, and WEPCrack. The CCP Security Audit tool is used as an example here.

Instructor Note: Additional sources of information include the following:
http://www.yolinux.com/TUTORIALS/LinuxSecurityTools.html
Top Network Security Tools: http://sectools.org
Password Crackers: http://sectools.org/crackers.html
Sniffers: http://sectools.org/sniffers.html
Vulnerability Scanners: http://sectools.org/vuln-scanners.html
Web Scanners: http://sectools.org/web-scanners.html
Wireless: http://sectools.org/wireless.html
Exploitation: http://sectools.org/sploits.html
Packet Crafters: http://sectools.org/tag/packet-crafters

Step 2: Fill in the following form for the security audit or network attack tool selected.
Name of tool: CCP Security Audit
Developer: Cisco Systems
Type of tool (character-based or GUI): Cisco router GUI-based security analysis
Used on network device or computer host: Router
Cost: Free to download
Description of key features and capabilities of product or tool:
The CCP Security Audit wizard runs a series of predefined checklists to assess the security configuration of a router. When finished, CCP presents a list of recommended actions, which you can selectively choose to apply. CCP also allows you to directly perform a one-step router lockdown. One-step lockdown configures the router with a set of defined security features with recommended settings.
Security Audit is a feature of CCP that examines an existing router configuration and then provides a list of recommended configuration changes to make a router and network more secure. For a complete list of functions that Security Audit checks for, see the online help topics in CCP. Security Audit does the following:
• Checks the router running configuration against a list of predefined security configuration settings
• Lists identified problems and provides recommendations for fixing them
• Allows the user to choose which problems to fix and displays the appropriate user interface for fixing them
• Delivers commands to configure the router with the chosen security configuration
Examples of security-related issues that Security Audit can address include services that should be disabled, password requirements, warning banners, Telnet settings, SSH access, firewalls, logging, and AAA. CCP and the Security Audit wizard provide context-sensitive help.
References and info links: http://www.cisco.com/en/US/prod/collateral/routers/ps9422/data_sheet_c78_462210.html

Step 3: Reflection

a. What is the prevalence of network attacks and what is their impact on the operation of an organization? What are some key steps organizations can take to help protect their networks and resources?
Answers will vary. Massive network attacks like Code Red, which can affect large portions of the Internet, are less common because of mitigation strategies that have been implemented. However, smaller targeted attacks, especially those intended to acquire personal information, are more common than ever. Networking devices and hosts on a network have many potential vulnerabilities that can be exploited. Vulnerability analysis tools can help identify security holes so that network administrators can take steps to correct the problem before an attack occurs. Other steps that can be taken include the use of firewalls, intrusion detection and prevention, hardening of network devices, endpoint protection, AAA, user education, and security policy development.
b. Have you actually worked for an organization, or know of one, where the network was compromised? If so, what was the impact to the organization and what did it do about it?
Answers will vary, and the results can be interesting.
c. What steps can you take to protect your own PC or laptop computer?
Answers will vary but could include keeping the operating system and applications up to date with patches and service packs, using a personal firewall, configuring passwords to access the system, configuring screensavers to time out and require a password, protecting important files by making them read-only, encrypting confidential files, and backing up files for safe keeping.

CCNA Security

Chapter 2 Lab A: Securing the Router for Administrative Access

Instructor Version
Grey Highlighting – indicates answers provided on instructor lab copies only

Topology

Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet interfaces.

IP Addressing Table

Device | Interface | IP Address | Subnet Mask | Default Gateway | Switch Port
R1 | Fa0/1 | 192.168.1.1 | 255.255.255.0 | N/A | S1 Fa0/5
R1 | S0/0/0 (DCE) | 10.1.1.1 | 255.255.255.252 | N/A | N/A
R2 | S0/0/0 | 10.1.1.2 | 255.255.255.252 | N/A | N/A
R2 | S0/0/1 (DCE) | 10.2.2.2 | 255.255.255.252 | N/A | N/A
R3 | Fa0/1 | 192.168.3.1 | 255.255.255.0 | N/A | S3 Fa0/5
R3 | S0/0/1 | 10.2.2.1 | 255.255.255.252 | N/A | N/A
PC-A | NIC | 192.168.1.3 | 255.255.255.0 | 192.168.1.1 | S1 Fa0/6
PC-C | NIC | 192.168.3.3 | 255.255.255.0 | 192.168.3.1 | S3 Fa0/18

Objectives

Part 1: Basic Network Device Configuration
• Cable the network as shown in the topology.
• Configure basic IP addressing for routers and PCs.
• Configure static routing, including default routes.
• Verify connectivity between hosts and routers.

Part 2: Control Administrative Access for Routers
• Configure and encrypt all passwords.
• Configure a login warning banner.
• Configure enhanced username password security.
• Configure enhanced virtual login security.
• Configure an SSH server on a router.
• Configure an SSH client and verify connectivity.

Part 3: Configure Administrative Roles
• Create multiple role views and grant varying privileges.
• Verify and contrast views.

Part 4: Configure Cisco IOS Resilience and Management Reporting
• Secure the Cisco IOS image and configuration files.
• Configure a router as a synchronized time source for other devices using NTP.
• Configure Syslog support on a router.
• Install a Syslog server on a PC and enable it.
• Configure trap reporting on a router using SNMP.
• Make changes to the router and monitor syslog results on the PC.

Part 5: Configure Automated Security Features
• Lock down a router using AutoSecure and verify the configuration.
• Use the CCP Security Audit tool to identify vulnerabilities and to lock down services.
• Contrast the AutoSecure configuration with CCP.

Background/Scenario

The router is a key component that controls the movement of data into and out of the network and between devices within the network. It is particularly important to protect network routers because the failure of a routing device could make sections of the network, or the entire network, inaccessible. Controlling access to routers and enabling reporting on routers are critical to network security and should be part of a comprehensive security policy.

In this lab, you build a multi-router network and configure the routers and hosts. You use various CLI and CCP tools to secure local and remote access to the routers, analyze potential vulnerabilities, and take steps to mitigate them. You also enable management reporting to monitor router configuration changes.

The router commands and output in this lab are from Cisco 1841s using Cisco IOS software, release 12.4(20)T (advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the model of the router, the commands available and output produced may vary from what is shown in this lab.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.

Instructor Note: Instructions for erasing switches and routers are provided in the Lab Manual, located on Academy Connection in the Tools section.
Required Resources
• 3 routers (Cisco 1841 with Cisco IOS software, release 12.4(20)T1 or comparable)
• 2 switches (Cisco 2960 or comparable)
• PC-A: Windows XP, Vista, or Windows 7 with CCP 2.5 and PuTTY SSH client (no ACS required)
• PC-C: Windows XP, Vista, or Windows 7 with PuTTY SSH client and Kiwi or Tftpd32 Syslog server
• Serial and Ethernet cables as shown in the topology
• Rollover cables to configure the routers via the console port

CCP Notes:
• Refer to Chp 00 Lab A for instructions on how to install and run CCP. Hardware/software recommendations for CCP include Windows XP, Vista, or Windows 7 with Java version 1.6.0_11 up to 1.6.0_21, Internet Explorer 6.0 or above, and Flash Player version 10.0.12.36 and later.
• If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-click the CCP icon or menu item and choose Run as administrator.
• In order to run CCP, it may be necessary to temporarily disable antivirus programs and OS firewalls. Make sure that all pop-up blockers are turned off in the browser.

Instructor Note: This lab is divided into five parts. Each part can be administered individually or in combination with others as time permits. The main goal is to configure various Cisco IOS and CCP security features on routers R1 and R3. R1 and R3 are on separate networks and communicate through R2, which simulates a connection to an ISP. Students can work in teams of two for router security configuration, one student configuring R1 and the other student configuring R3. Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3. The basic running configs for all three routers are captured after Parts 1 and 2 of the lab are completed. The running config commands that are added in Parts 3 and 4 are captured and listed separately. The running configs generated by AutoSecure (for R3) and CCP Security Audit (for R1) in Part 5 of the lab are listed separately. All configs are found at the end of the lab.

Part 1: Basic Router Configuration

In Part 1 of this lab, you set up the network topology and configure basic settings such as interface IP addresses and static routing.

Step 1: Cable the network.
Attach the devices shown in the topology diagram and cable as necessary.

Step 2: Configure basic settings for each router.
a. Configure host names as shown in the topology.
b. Configure interface IP addresses as shown in the IP Addressing Table.
c. Configure a clock rate for routers with a DCE serial cable attached to their serial interface. Router R1 is shown here as an example.

R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000

d. To prevent the router from attempting to translate incorrectly entered commands as though they were host names, disable DNS lookup. Router R1 is shown here as an example.

R1(config)# no ip domain-lookup

Step 3: Configure static routing on the routers.
a. Configure a static default route from R1 to R2 and from R3 to R2.
b. Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.

Step 4: Configure PC host IP settings.
Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C as shown in the IP Addressing Table.

Step 5: Verify connectivity between PC-A and R3.
a. Ping from R1 to R3.
Were the ping results successful? Yes.
If the pings are not successful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.
Were the ping results successful? Yes.
If the pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-A to PC-C, you have demonstrated that static routing is configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run and show ip route commands to help identify routing-protocol-related problems.

Step 6: Save the basic running configuration for each router.
Use the Transfer > Capture Text option in HyperTerminal or some other method to capture the running configs for each router. Save the three files so that they can be used to restore configs later in the lab.

Part 2: Control Administrative Access for Routers

In Part 2 of this lab, you will:
• Configure and encrypt passwords.
• Configure a login warning banner.
• Configure enhanced username password security.
• Configure enhanced virtual login security.
• Configure an SSH server on router R1 using the CLI.
• Research terminal emulation client software and configure the SSH client.

Note: Perform all tasks on both R1 and R3. The procedures and output for R1 are shown here.

Task 1: Configure and Encrypt Passwords on Routers R1 and R3

Step 1: Configure a minimum password length for all router passwords.
Use the security passwords command to set a minimum password length of 10 characters.

R1(config)# security passwords min-length 10

Step 2: Configure the enable secret password.
Configure the enable secret encrypted password on both routers.

R1(config)# enable secret cisco12345

How does configuring an enable secret password help protect a router from being compromised by an attack?
The goal is always to prevent unauthorized users from accessing a device using Telnet, SSH, or the console. If attackers are able to penetrate this first layer of defense, using an enable secret password prevents them from being able to alter the configuration of the device. Unless the enable secret password is known, a user cannot enter privileged EXEC mode, where they could display the running config and enter various configuration commands to make changes to the router. This provides an additional layer of security.

Step 3: Configure basic console, auxiliary port, and virtual access lines.

Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.

a. Configure a console password and enable login for routers. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.

R1(config)# line console 0
R1(config-line)# password ciscocon
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous

When you configured the password for the console line, what message was displayed?
Password too short - must be at least 10 characters. Password configuration failed.

b. Configure a new password of ciscoconpass for the console.
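The Part 2 line-hardening steps above, and the CCP Security Audit behaviour described in Lab 1A (checking the running configuration against predefined settings), can be reproduced offline against a config captured in Step 6. The following Python script is an added example, not Cisco's code and not the CCP Security Audit implementation; both sample configs are constructed, the password hashes are placeholders, and the service password-encryption check is assumed from Part 2's "encrypt all passwords" objective.

```python
"""Audit a captured Cisco IOS running-config for the Part 2 administrative-access controls.
Added example: not Cisco code, not CCP Security Audit. Sample configs are constructed."""
import re

# Constructed: Task 1 done, but aux disables its idle timeout and vty still allows Telnet.
WEAK_CONFIG = """\
hostname R1
security passwords min-length 10
enable secret 5 $1$constructed$placeholderhash
username admin privilege 15 secret 5 $1$constructed$placeholderhash2
no ip domain-lookup
!
line con 0
 password ciscoconpass
 exec-timeout 5 0
 login
 logging synchronous
line aux 0
 password ciscoauxpass
 exec-timeout 0 0
 login
line vty 0 4
 password ciscovtypass
 login local
 transport input telnet ssh
"""

# The same config with the remaining Part 2 hardening applied (constructed).
HARDENED_CONFIG = (WEAK_CONFIG
    .replace("no ip domain-lookup", "no ip domain-lookup\nservice password-encryption")
    .replace(" exec-timeout 0 0", " exec-timeout 5 0")
    .replace(" login local\n transport input telnet ssh",
             " exec-timeout 5 0\n login local\n transport input ssh"))


def parse_config(config):
    """Split a running-config into global commands and per-line (con/aux/vty) blocks."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw[5:].strip()          # e.g. "vty 0 4"
            line_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    glob, lines = parse_config(config)
    findings = []
    min_len = 0
    for cmd in glob:
        m = re.match(r"security passwords min-length (\d+)$", cmd)
        if m:
            min_len = int(m.group(1))
    if min_len < 10:
        findings.append("global: security passwords min-length is below 10")
    if not any(c.startswith("enable secret ") for c in glob):
        findings.append("global: no enable secret; privileged EXEC is unprotected")
    if "service password-encryption" not in glob:
        findings.append("global: service password-encryption is off; line passwords in clear text")
    if not any(re.match(r"username \S+ .*secret ", c) for c in glob):
        findings.append("global: no 'username ... secret' entry for login local")
    for name, cmds in lines.items():
        tag = "line " + name
        if not any(c in ("login", "login local") for c in cmds):
            findings.append(tag + ": no login; line is reachable without a password")
        timeout = next((c.split() for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(tag + ": exec-timeout not set (IOS default is 10 minutes)")
        elif int(timeout[1]) == 0 and (len(timeout) < 3 or int(timeout[2]) == 0):
            findings.append(tag + ": exec-timeout 0 0 disables the idle logout")
        if name.startswith("vty"):
            if "login local" not in cmds:
                findings.append(tag + ": vty lines should use login local")
            transport = next((c.split()[2:] for c in cmds
                              if c.startswith("transport input")), None)
            if transport is None or "telnet" in transport or "all" in transport:
                findings.append(tag + ": Telnet not excluded; use transport input ssh")
    return findings
```

Running audit_config(WEAK_CONFIG) reports four findings (clear-text line passwords, the aux exec-timeout 0 0, the missing vty exec-timeout, and Telnet on the vty lines); audit_config(HARDENED_CONFIG) reports none.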