Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks
Uploaded by thillrex

LAB4 (1)

advertisement 
Al-Hussein Technical University
Network Security Laboratory
Fall Semester 2021-2022
LAB 4
Configure Cisco Devices for Secure Password,
Syslog and SSH Operations
Addressing Table
Device
RTA
Interface
IP Address
Subnet Mask
G0/1
10.0.1.1
255.255.255.0
G0/0
192.168.20.1
255.255.255.0
SW1
VLAN 1
192.168.20.2
255.255.255.0
Syslog sever
NIC
10.0.1.254
255.255.255.0
PCA
NIC
192.168.20.3
255.255.255.0
NIC
192.168.20.4
255.255.255.0
R1
R1
LaptopA
Blank Line, No additional information
Scenario
In this activity, you will configure basic security for network devices (Router and Switch) and
secure the remote access to them. You will remote access the devices to enable and use the
Syslog service so that the network administrator is able to monitor the network more
effectively.
Al-Hussein Technical University
Network Security Laboratory
Fall Semester 2021-2022
Instructions
Part 1: Build the Network Topology
Build exactly the same topology that is shown below using Packet Tracer 8.1 software:
Part 2: Configure Basic Security on the Router and the Switch
Step 1: Configure Basic Security on RTA router.
a. Configure IP addressing on PCA, LaptopA and Syslog Server according to the
Addressing Table.
b. Console into RTA from the Terminal on PCA.
c. Configure the hostname as RTA.
Router(config)# hostname RTA
Al-Hussein Technical University
Network Security Laboratory
Fall Semester 2021-2022
d. Configure a password for the console line of RTA.
RTA(config)# line console 0
RTA(config-line)# password Pass12345
RTA(config-line)# login
e. Configure IP addressing on RTA according to the Addressing Table and enable the
interfaces.
f. Encrypt all plaintext passwords.
RTA(config)# service password-encryption
g.
Set the minimum password length to 10.
RTA(config)# security passwords min-length 10
h. Set a strong secret password for the Privileged Exec mode.
Note: Choose a password that you will remember, or you will need to reset the activity if
you are locked out of the device.
RTA(config)# enable secret cisco12345
i. Disable DNS lookup.
RTA(config)# no ip domain-lookup
j.
Set the domain name to netsec.com.
RTA(config)# ip domain-name netsec.com
k.
Create a user with a strong encrypted password (Example: Username: SSHuser ,
Password: SSHuserpass).
RTA(config)# username SSHUser secret SSHuserpass
Al-Hussein Technical University
Network Security Laboratory
Fall Semester 2021-2022
l. Generate 1024-bit RSA keys.
Note: In Packet Tracer, enter the crypto key generate rsa command and press Enter to
continue.
RTA(config)# crypto key generate rsa
The name for the keys will be: RTA.netsec.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
m.
Block anyone for three minutes who fails to log in after four attempts within a two-minute
period.
RTA(config)# login block-for 180 attempts 4 within 120
n. Configure all VTY lines for SSH access and use the local user profiles for authentication.
RTA(config)# line vty 0 4
RTA(config-line)# transport input ssh
RTA(config-line)# login local
o. Set the EXEC mode timeout to 6 minutes on the VTY lines.
RTA(config-line)# exec-timeout 6
p. Save the configuration to NVRAM.
RTA# copy running-config startup-config
q. Access the command prompt on the desktop of PCA to establish an SSH connection
to RTA.
C:\> ssh /?
Packet Tracer PC SSH
Usage: SSH -l username target
C:\> SSH -1 SSHuser 192.168.20.1
Note: Leave the established SSH session open for Syslog configurations in the next part.
Al-Hussein Technical University
Network Security Laboratory
Fall Semester 2021-2022
Step 2: Configure Basic Security on S1 switch.
a. Console into SW1 from the Terminal on LaptopA.
b. Configure the hostname as SW1.
c. Configure IP addressing on SW1 VLAN1 and enable the interface.
SW1(config)# interface vlan1
SW1(config-if)# ip address 192.168.20.2
255.255.255.0
SW1(config-if)# no shutdown
d. Configure the default gateway address for SW1.
SW1(config)# ip default-gateway 192.168.20.1
e. Disable all unused switch ports.
Note: On a switch it is a good security practice to disable unused ports. One method of
doing this is to simply shut down each port with the ‘shutdown’ command. This would
require accessing each port individually. There is a shortcut method for making
modifications to several ports at once by using the interface range command.
On SW1 all ports except FastEthernet0/1, FastEthernet0/2 and GigabitEthernet0/1 can
be shutdown with the following command:
SW1(config)# interface range F0/3-24, G0/2
SW1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to
administratively down
%LINK-5-CHANGED:
administratively
<Output omitted>
%LINK-5-CHANGED:
administratively
Interface FastEthernet0/4, changed state to
down
Interface FastEthernet0/24, changed state to
down
%LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to
administratively down
The command used the port range of 3-23 for the FastEthernet ports and then a single
port range of GigabitEthernet0/2.
Al-Hussein Technical University
Network Security Laboratory
Fall Semester 2021-2022
f.
Encrypt all plaintext passwords.
g. Set a strong secret password of your choosing.
h. Disable DNS lookup.
i.
Set the domain name to netsec.com
j.
Create a user of your choosing with a strong encrypted password.
k. Generate 1024-bit RSA keys.
l.
Configure all VTY lines for SSH access and use the local user profiles for authentication.
m. Set the EXEC mode timeout to 6 minutes on all VTY lines.
n. Save the configuration to NVRAM.
o. Access the command prompt on the desktop of LaptopA to establish an SSH connection
to SW1.
C:\>
SSH -l SSHuser 192.168.20.2
Note: Leave the established SSH session open for Syslog configurations in the next part.
Part 3: Configure Syslog Service
Step 1: Enable the Syslog service.
a. Click on the Syslog server, then click on Services tab.
b. Turn the Syslog service on and move the window so you can monitor activity.
Step 2: Step 2: Configure the intermediary devices to use the Syslog service.
a. From the remote SSH session, configure RTA to send log events to the Syslog server.
RTA(config)# logging 10.0.1.254
b. From the remote SSH session, configure SW1 to send log events to the Syslog server.
SW1(config)# logging 10.0.1.254
Al-Hussein Technical University
Network Security Laboratory
Fall Semester 2021-2022
Part 4: Generate Logged Events
Step 1: Change the status of interfaces to create event logs.
a. Within the established SSH session, configure a Loopback 0 interface on RTA then
disable it.
RTA(config)# interface loopback 0
RTA(config-if)# ip address 192.168.50.7 255.255.255.0
RTA(config-if)# shutdown
b. Turn off PCA and LaptopA. Turn them on again.
Step 2: Examine the Syslog events.
a. Look at the Syslog events.
Note: All the events have been recorded; however, the time stamps are incorrect. You
may need to click inside the cells to see the messages.
b. Clear the log before proceeding to the next part (Click on the clear log button that
appears on syslog window).
Part 5: Manually Set Router and Switch Clocks
The clocks can be set manually on the routers and switches. In this part, you will set the
clocks on the RTA and SW1 manually and configure the switches to send the timestamps
with logs to the syslog server.
Step 1: View the date and time on the switch.
a. After the PCA and LaptopA have finished reloading, establish the SSH sessions to the
network devices again as necessary.
b. View the current time set on the clock.
RTA# show clock
SW1# show clock
Al-Hussein Technical University
Network Security Laboratory
Fall Semester 2021-2022
Step 2: Manually set the clocks on the router and switch.
From the established SSH session, manually set the clock on RTA and SW1 to the current
date and approximate time. An example is provided.
RTA# clock set 09:00:00 November 11 2021
Step 3: Enable the logging timestamp service on the router and switch.
Configure RTA and SW1 to send its timestamp with logs it sends to the Syslog server via the
established SSH session. An example is provided
SW1(config)# service timestamps log datetime msec
Part 6: Verify Timestamped Logs
Step 1: Change the status of interfaces to create event logs.
a. Re-enable and then disable the Loopback 0 interface on RTA.
b. Turn off PCA and LaptopA. Turn them on again.
Step 2: Examine the Syslog events.
Look at the Syslog events.
Note: All the events should have been recorded and their time stamps should be correct as
configured.
Related documents
rta board room, second floor
rta board room, second floor
SEARCH EXEMPTION REQUEST FORM ( For Teaching and A/P Faculty only)
SEARCH EXEMPTION REQUEST FORM ( For Teaching and A/P Faculty only)
Agenda - the New Orleans Regional Transit Authority
Agenda - the New Orleans Regional Transit Authority
Download
advertisement