
CCNA Security

Skills-Based Assessment
Topology

IP Addressing Table
Device  Interface       IP Address    Subnet Mask       Default Gateway  Switch Port
R1      FA0/1           172.16.1.1    255.255.255.0     N/A              S1 FA0/5
R1      S0/0/0 (DCE)    10.10.10.1    255.255.255.252   N/A              N/A
R2      S0/0/0          10.10.10.2    255.255.255.252   N/A              N/A
R2      S0/0/1 (DCE)    10.20.20.2    255.255.255.252   N/A              N/A
R3      FA0/1           172.16.3.1    255.255.255.0     N/A              S3 FA0/5
R3      S0/0/1          10.20.20.1    255.255.255.252   N/A              N/A
S1      VLAN 1          172.16.1.11   255.255.255.0     172.16.1.1       N/A
S2      VLAN 1          172.16.1.12   255.255.255.0     172.16.1.1       N/A
S3      VLAN 1          172.16.3.11   255.255.255.0     172.16.3.1       N/A
PC-A    NIC             172.16.1.3    255.255.255.0     172.16.1.1       S1 FA0/6
PC-B    NIC             172.16.1.2    255.255.255.0     172.16.1.1       S2 FA0/18
PC-C    NIC             172.16.3.3    255.255.255.0     172.16.3.1       S3 FA0/18

All contents are Copyright 1992-2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.


Part 1: Build the Network and Configure Basic Settings to Create the Testing Environment.
Step 1: Cable the network as shown in the topology.
Step 2: Configure basic settings for all routers, switches and hosts.
   a) Configure hostnames.
   b) Configure the interface IP addresses.
   c) Configure clocks.
   d) Disable DNS lookup.
   e) Configure the IP default gateway for each of the three switches.
Step 3: Configure static default routes on edge routers.
Step 4: Configure static routes on the ISP router (R2).
Step 5: Verify connectivity between PC-A and PC-C.
Step 6: Save the basic running configuration for each router and switch.
[1] [1] [1] [1] [1] [1] [1] [1] [1] [1]

Part 2: Secure Network Routers
Task 1: Configure Passwords and a Login Banner.
Step 1: Configure a minimum password length of 10 characters on all routers. [1]
Step 2: Configure the enable secret password on all routers. Use an enable secret password of ciscoenapa55. [1]
Step 3: Encrypt plaintext passwords. [1]
Step 4: Configure the console lines on all routers. Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry. [1]
Step 5: Configure the vty lines on all routers. Configure a vty lines password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. [1]
Step 6: Configure a login warning banner on all routers: "Unauthorized access strictly prohibited and prosecuted to the full extent of the law!" [1]

Task 2: Configure Local Authentication Using AAA on R1 and R3.
Step 1: Configure the local user database on R1. Create a local user account of Admin01 with a secret password of Admin01pa55. [1]
Step 2: Enable AAA services on R1. [1]
Step 3: Implement AAA services using the local database on R1. [1]
   a) Create the default login authentication method list using local authentication as the first option and the enable password as the backup option.
   b) Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get started.
   c) Log in to the console as Admin01 with a password of Admin01pa55 to verify that AAA with local authentication is functioning correctly.
   d) Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get started.
   e) Attempt to log in to the console as baduser with a bad password to verify that users not defined in the local router database are denied access.
Step 4: Repeat Steps 1 through 3 to configure AAA with local authentication on R3. [3]

Task 3: Configure the SSH Server on Routers R1 and R3.
Step 1: Configure the domain name ccnasecurity.com on R1. [1]
Step 2: Configure the incoming vty lines on R1. [2]
   Specify a privilege level of 15 so that a user with the highest privilege level (15) will default to privileged EXEC mode when accessing the vty lines. Other users will default to user EXEC mode. Specify that the vty lines will accept only SSH connections.
Step 3: Generate the RSA encryption key pair for router R1. Configure the RSA keys with 1024 as the number of modulus bits. [1]
Step 4: Verify SSH connectivity to R1 from R2. [1]
Step 5: Repeat Steps 1 through 4 to configure SSH on R3 and test the connection from R2 to R3. [5]

Task 4: Secure against login attacks on R1 and R3.
Step 1: Configure the following parameters on R1 to provide enhanced login security for virtual logins. [2]
   Blocking period when login attack detected: 60
   Maximum login failures with the device: 2
   Maximum time period for crossing the failed login attempts: 30
   Log all failed login attempts
Step 2: Save the running configuration to the startup configuration for R1.
Step 3: Repeat Steps 1 and 2 to configure enhanced login security for virtual logins for router R3. [2]
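
The Task 1 through Task 4 requirements above written out as IOS commands for R1, as an added example that is not part of the original assessment sheet. It assumes the hostname from Part 1 is already set, the router is in global configuration mode, and the vty range is the default 0 4.

```cisco
! Task 1: passwords, line settings and banner
security passwords min-length 10
enable secret ciscoenapa55
service password-encryption
!
line console 0
 password ciscoconpa55
 exec-timeout 5 0
 login
 logging synchronous
line vty 0 4
 password ciscovtypa55
 exec-timeout 5 0
 login
 exit
banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law!$
!
! Task 2: local user, then AAA with "local" first and "enable" as the backup method
username Admin01 secret Admin01pa55
aaa new-model
aaa authentication login default local enable
!
! Task 3: SSH-only vty access
ip domain-name ccnasecurity.com
line vty 0 4
 privilege level 15
 transport input ssh
 exit
! 1024 is the modulus the assessment specifies; production keys should be 2048 bits or more
crypto key generate rsa general-keys modulus 1024
!
! Task 4: block logins for 60 s after 2 failures within 30 s, and log every failure
login block-for 60 attempts 2 within 30
login on-failure log
end
!
! Checks: "show ip ssh" and "show login" on R1; from R2: ssh -l Admin01 10.10.10.1
copy running-config startup-config
```

`exec-timeout 5 0` is minutes then seconds, and `login block-for` takes both of its intervals in seconds.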

Task 5: Configure a Zone-Based Policy Firewall (ZPF) on R1.
Step 1: Define zones.
Step 2: Define class type (http, icmp).
Step 3: Define policy map.
Step 4: Define the zone pairs.
Step 5: Apply the zones to the interfaces.
Step 6: Verify ZPF functionality.
[2] [2] [2] [2] [2] [2] [1] [2] [1] [2] [1] [1]
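
One way to carry out the five ZPF configuration steps of Task 5 on R1, as an added example that is not part of the original assessment sheet. The zone, class-map, policy-map and zone-pair names are made up for illustration, and treating FA0/1 as the inside interface and S0/0/0 as the outside interface is an assumption based on the addressing table.

```cisco
! Step 1: define the zones (names are assumptions)
zone security IN-ZONE
zone security OUT-ZONE
!
! Step 2: class map matching either HTTP or ICMP
class-map type inspect match-any WEB-ICMP-CMAP
 match protocol http
 match protocol icmp
!
! Step 3: policy map that statefully inspects the matched traffic;
! everything else falls into class-default and is dropped
policy-map type inspect IN-2-OUT-PMAP
 class type inspect WEB-ICMP-CMAP
  inspect
!
! Step 4: zone pair for inside-to-outside traffic, with the policy attached
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
!
! Step 5: assign the interfaces to their zones
interface FastEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/0
 zone-member security OUT-ZONE
end
!
! Step 6: verification
show zone-pair security
show policy-map type inspect zone-pair sessions
```

With only an inside-to-outside zone pair defined, return traffic for inspected sessions is allowed back in, while sessions initiated from OUT-ZONE toward IN-ZONE are dropped because no zone pair exists for that direction.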

Task 6: Configure IPS on R1.
Step 1: Create an IOS IPS Configuration Directory in Flash.
Step 2: Enable IOS IPS.
   a) Identify the IPS rule name and specify the location.
   b) Enable logging event notification.
   c) Configure the signature category.
   d) Apply the IPS rule to a desired interface, and specify the direction.
Step 3: Verify the signature.
