security 8 sba

In this practice Packet Tracer Skills Based Assessment, you will:

configure basic device hardening and secure

network management

configure a CBAC firewall to implement security policies

configure devices to protect against STP attacks and to enable

broadcast storm control

configure port security and disable unused switch ports

configure an IOS IPS

configure a ZPF to implement security policies

configure a site-to-site IPsec VPN

Addressing Table

Device

Interfa

ce IP Address

Subnet

Mask Gateway

DNS

server

Internet

S0/0/0

209.165.200.

225

255.255.255.

252 n/a n/a

S0/0/1 192.31.7.1

255.255.255.

252 n/a n/a

S0/1/0

198.133.219.

1

255.255.255.

252 n/a n/a

Fa0/0

192.135.250.

1

255.255.255.

0 n/a n/a

CORP S0/0/0 209.165.200.

226

255.255.255.

252

n/a n/a

http://www.invialgo.com/khidhir/wp-content/uploads/2013/01/ccna-sec-sbawtmk.jpg

Device

Interfa

ce IP Address

Subnet

Mask Gateway

DNS

server

Fa0/0 10.1.1.254

255.255.255.

0 n/a n/a

Fa0/1.1

0

172.16.10.25

4

255.255.255.

0 n/a n/a

Fa0/1.2

5

172.16.25.25

4

255.255.255.

0 n/a n/a

Fa0/1.9

9

172.16.99.25

4

255.255.255.

0 n/a n/a

Branch

S0/0/0

198.133.219.

2

255.255.255.

252 n/a n/a

Fa0/0

198.133.219.

62

255.255.255.

224 n/a n/a

External

S0/0/0 192.31.7.2

255.255.255.

252 n/a n/a

Fa0/0 192.31.7.62

255.255.255.

224 n/a n/a

Public Svr NIC

192.135.250.

5

255.255.255.

0

192.135.25

0.1 n/a

External

Web Svr NIC 192.31.7.35

255.255.255.

224 192.31.7.62

192.135.25

0.5

External PC NIC 192.31.7.33

255.255.255.

224 192.31.7.62

192.135.25

0.5

NTP/Syslog

Svr NIC 172.16.25.2

255.255.255.

0

172.16.25.2

54 10.1.1.5

Device

Interfa

ce IP Address

Subnet

Mask Gateway

DNS

server

DMZ DNS

Svr NIC 10.1.1.5

255.255.255.

0 10.1.1.254

192.135.25

0.5

DMZ Web

Svr NIC 10.1.1.2

255.255.255.

0 10.1.1.254 10.1.1.5

PC0 NIC 172.16.10.5

255.255.255.

0

172.16.10.2

54 10.1.1.5

PC1 NIC 172.16.10.10

255.255.255.

0

172.16.10.2

54 10.1.1.5

Net Admin NIC 172.16.25.5

255.255.255.

0

172.16.25.2

54 10.1.1.5

Admin PC NIC

198.133.219.

35

255.255.255.

224

198.133.21

9.62

192.135.25

0.5

PCB1 NIC

198.133.219.

40

255.255.255.

224

198.133.21

9.62

192.135.25

0.5

Note: Appropriate verification procedures should be taken after

each configuration task to ensure that it has been properly

implemented.

Step 1: Configure Basic Device Hardening for the CORP

Router.

a. Configure the CORP router to only accept passwords with a

minimum length of 10 characters.

CORP(config)# security password min-length 10

b. Configure an encrypted privileged level password of ciscoclass.

CORP(config)# enable secret ciscoclass

c. Enable password encryption for all clear text passwords in the

configuration file.

CORP(config)# service password-encryption

d. Configure the console port and all vty lines with the following

requirements:

Note: CORP is already configured with the username CORPADMIN

and the secret password ciscoccnas.

use the local database for login

disconnect after being idle for 20 minutes.

CORP(config)# line consol 0

CORP(config-line)# login local

CORP(config-line)# exec-timeout 20 0

CORP(config-line)# line vty 0 4






e. Disable the CDP protocol only on the link to the Internet router.

CORP(config)# interface s0/0/0

CORP(config-if)# no cdp enable

Step 2: Configure Secure Network Management for the CORP

Router.

a. Enable the CORP router:

as an NTP client to the NTP/Syslog server

to update the router calendar (hardware clock) from the NTP

time source

to timestamp log messages

to send logging messages to the NTP/Syslog server

CORP(config)# ntp server 172.16.25.2 key 0

CORP(config)# ntp update-calendar

CORP(config)# service timestamps log datetime msec

CORP(config)# logging host 172.16.25.2

b. Configure the CORP router to accept SSH connections. Use the

following guidelines:

Note: CORP is already configured with the username SSHAccess

and the secret password ciscosshaccess.

domain name is theccnas.com

RSA encryption key pair using a modulus of 1024

SSH version 2, timeout of 90 seconds, and 2 authentication

retries

all vty lines accept only SSH connections

CORP(config)# ip domain-name theccnas.com

CORP(config)# crypto key generate rsa

How many bits in the modulus [512]: 1024

CORP(config)# ip ssh version 2

CORP(config)# ip ssh time-out 90

CORP(config)# ip ssh authentication-retries 2

CORP(config)# line vty 0 4

CORP(config-line)# transport input ssh


CORP(config-line)# transport input ssh

CORP(config-line)# exit

c. Configure the CORP router with AAA authentication and verify its

functionality:

AAA authentication using the local database as the default for

console line and vty lines access

CORP(config)# aaa new model

CORP(config)# aaa authentication login default local

CORP(config)# aaa authorization exec default local


CORP(config-line)# login authentication default



CORP(config-line)# line con 0


Step 3: Configure Device Hardening for Switch1.

a. Access Switch1 with username CORPADMIN, password ciscoccnas,

and the enable secret password of ciscoclass.

b. Enable storm control for broadcasts on FastEthernet 0/24 with a

50 percent rising suppression level.

SW1(config)# interface fa0/24

SW1(config)# storm-control broadcast level 50

c. Configure Switch1 to protect against STP attacks.

Configure PortFast on FastEthernet ports 0/1 to 0/23.

Enable BPDU guard on FastEthernet ports 0/1 to 0/23.

SW1(config)# interface range fa0/1-23

SW1(config-if-range)# spanning-tree portfast

SW1(config-if-range)# spanning-tree bpduguard enable

d. Configure port security and disable unused ports.

Set the maximum number of learned MAC addresses to 2 on

FastEthernet ports 0/1 to 0/23. Allow the MAC address to be

learned dynamically and to shutdown the port if a violation

occurs.


SW1(config-if-range)# switchport port-security

SW1(config-if-range)# switchport port-security maximum 2

SW1(config-if-range)# switchport port-security violation shutdown

SW1(config-if-range)# switchport port-security mac-address sticky

Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).


SW1(config-if-range)# shutdown





SW1(config-if-range)# end

SW1# copy running-config startup-config

Step 4: Configure an IOS IPS on the CORP Router.

a. On the CORP router, create a directory in flash named ipsdir.

CORP# mkdir ipsdir

b. Configure the IPS signature storage location to be flash:ipsdir.

CORP(config)# ip ips config location flash:ipsdir/ retries 1

c. Create an IPS rule named corpips.

CORP(config)# ip ips name corpips

d. Configure the IOS IPS to use the signature categories. Retire the

all signature category and unretire the ios_ips basic category.

CORP(config)# ip ips signature-category

CORP(config-ips-category)# category all

CORP(config-ips-category-action)# retired true

CORP(config-ips-category-action)# exit

CORP(config-ips-category)# category ios_ips basic

CORP(config-ips-category-action)# retired false

CORP(config-ips-category-action)# exit

CORP(config-ips-category)# exit

Do you want to accept these changes? [confirm] [Enter]

e. Apply the IPS rule to the Fa0/0 interface.

CORP(config)# interface fa0/0

CORP(config-if)# ip ips corpips out

f. Modify the ios_ips basic category. Unretire the echo request

signature (signature 2004, subsig 0); enable the signature; modify

the signature event-action to produce an alert and to deny packets

that match the signature.

CORP(config)#ip ips signature-definition

CORP(config-sigdef)# signature 2004 0

CORP(config-sigdef-sig)# status

CORP(config-sigdef-sig-status)# retired false

CORP(config-sigdef-sig-status)# enable true

CORP(config-sigdef-sig-status)# exit

CORP(config-sigdef-sig)# engine

CORP(config-sigdef-sig-engine)# event-action produce-alert

CORP(config-sigdef-sig-engine)# event-action deny-packet-inline

CORP(config-sigdef-sig-engine)# exit

CORP(config-sigdef-sig)# exit

CORP(config-sigdef)# exit

CORP(config)# exit

Do you want to accept these changes? [confirm] [Enter]

g. Verify that IPS is working properly. Net Admin in the internal

network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping

Net Admin.

Step 5: Configure ACLs and CBAC on the CORP Router to

Implement the Security Policy.

a. Create ACL 12 to implement the security policy regarding the

access to the vty lines:

Only users connecting from Net Admin and Admin PC are

allowed access to the vty lines.

CORP(config)# access-list 12 permit host 172.16.25.5

CORP(config)# access-list 12 permit host 198.133.219.35


CORP(config-line)# access-class 12 in


CORP(config-line)# access-class 12 in

b. Create, apply, and verify an extended named ACL (named

DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should

be created in the order specified in the following guidelines (Please

note, the order of ACL statements is significant only because of the

scoring need in Packet Tracer.):

1. HTTP traffic is allowed to DMZ Web Svr.

2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.

3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.

4. FTP traffic from the Branch administrator workstation is allowed to

DMZ Web Svr.

CORP(config)# ip access-list extended DMZFIREWALL

CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www

CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain

CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain

CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0

0.0.0.255

CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host

10.1.1.2 eq ftp

CORP(config-ext-nacl)# exit

CORP(config)# interface fa0/0

CORP(config-if)# ip access-group DMZFIREWALL out

c. To verify the DMZFIREWALL ACL, complete the following tests:

Admin PC in the branch office can access the URL

http://www.theccnas.com;

Admin PC can open an FTP session to the DMZ Web Svr with the

username cisco and the password cisco;

PCB1 cannot open an FTP session to the DMZ Web Svr.

Net Admin can open an FTP session to the DMZ Web Svr with

the username cisco and the password cisco; and

PC1 cannot open an FTP session to the DMZ Web Svr.

d. Create, apply, and verify an extended named ACL (named

INCORP) to control access from the Internet into the CORP router.

The ACL should be created in the order specified in the following

guidelines (Please note, the order of ACL statements is significant

only because of the scoring need in Packet Tracer.):

1. Allow HTTP traffic to the DMZ Web Svr.

2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.

3. Allow SSH traffic from the Branch Office administrator workstation

to the Serial 0/0/0 interface on the CORP router.

4. Allow IP traffic from the Branch router serial interface into the

CORP router serial interface.

5. Allow IP traffic from the Branch Office LAN to the public IP address

range that is assigned to the CORP site (209.165.200.240/28).

CORP(config)# ip access-list extended INCORP

CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq

www

CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq

domain

CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq

domain

CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host

209.165.200.226 eq 22

CORP(config-ext-nacl)# permit ip host 198.133.219.2 host

209.165.200.226

CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31

209.165.200.240 0.0.0.15

CORP(config-ext-nacl)# exit


CORP(config-ifl)# ip access-group INCORP in

e. To verify the INCORP ACL, complete the following tests:

Admin PC in the branch office can access the URL

http://www.theccnas.com;

Admin PC can establish an SSH connection to the CORP router

(209.165.200.226) with the usernameSSHAccess and password

ciscosshaccess;

PCB1 cannot establish an SSH connection to the CORP router

(209.165.200.226); and

External PC cannot establish an SSH connection to the CORP

router (209.165.200.226).

f. Create and apply a CBAC inspection rule (named INTOCORP) to

inspect ICMP, TCP, and UDP traffic between the CORP internal

network and any other network.

CORP(config)# ip inspect name INTOCORP icmp

CORP(config)# ip inspect name INTOCORP tcp

CORP(config)# ip inspect name INTOCORP udp

g. Enable CBAC audit messages to be sent to the syslog server.

CORP(config)# ip inspect audit-trail


CORP(config-if)# ip inspect INTOCORP out

h. Verify the CBAC firewall configuration.

PC1 can access the External Web Svr (www.externalone.com).

PC1 can establish an SSH connection to the External router with

username SSHadmin and passwordciscosshpa55.

Admin PC in the Branch office can establish an SSH connection

to the CORP router with the usernameSSHAccess and password

ciscosshaccess.

Step 6: Configure a Zone-Based Policy Firewall on the Branch

Router.

a. Access the Branch router with username CORPADMIN, password

ciscoccnas and the enable secret password of ciscoclass.

b. On the Branch router, create the firewall zones.

Create an internal zone named BR-IN-ZONE.

Create an external zone named BR-OUT-ZONE.

Branch(config)# zone security BR-IN-ZONE

Branch(config-sec-zone)# exit

Branch(config)# zone security BR-OUT-ZONE

Branch(config-sec-zone)# exit

c. Define a traffic class and access list.

Create an ACL (ACL 110) to permit all protocols from the

198.133.219.32/27 network to any destination.

Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31

any

Create a class map using the option of class map type inspect

with the match-all keyword. Match the ACL 110 and name the

class map BR-IN-CLASS-MAP.

Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP

Branch(config-cmap)# match access-group 110

d. Specify firewall policies.

Create a policy map named BR-IN-OUT-PMAP.

Use the BR-IN-CLASS-MAP class map.

Specify the action of inspect for this policy map.

Branch(config)# policy-map type inspect BR-IN-OUT-PMAP

Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP

Branch(config-pmap-c)# inspect

e. Apply the firewall.

Create a pair of zones named IN-OUT-ZPAIR with the source as

BR-IN-ZONE and destination as BR-OUT-ZONE.

Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE

destination BR-OUT-ZONE

Specify the policy map BR-IN-OUT-PMAP for handling the traffic

between the two zones.

Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-

OUT-PMAP

Assign interfaces to the appropriate security zones.

Branch(config)# interface fa0/0

Branch(config-if)# zone-member security BR-IN-ZONE

Branch(config-if)# interface s0/0/0

Branch(config-if)# zone-member security BR-OUT-ZONE

f. Verify the ZPF configuration.

The Admin PC in the Branch office can access the URLs

http://www.theccnas.com and http://www.externalone.com.

The Admin PC in the Branch office can ping the External PC

(192.31.7.33).

External PC cannot ping the Admin PC in the Branch office

(198.133.219.35).

The Admin PC in Branch office can establish an SSH connection

to the CORP router with the usernameSSHAccess and password

ciscosshaccess. If you get the Corp> prompt, then your

configuration is correct.

Step 7: Configure a Site-to-Site IPsec VPN between the CORP

router and the Branch Router.

The following tables list the parameters for the ISAKMP Phase 1

Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy

Parameters ISAKMP Phase 2 Policy Parameters

Key

Distribution

Method ISAKMP Parameters CORP Router

Branch

Router

Encryption

Algorithm AES

Transform

Set Name VPN-SET VPN-SET

Number of

Bits 256

Transform

Set

esp-3des

esp-sha-hmac

esp-3des

esp-sha-hmac

Hash

Algorithm SHA-1

Peer Host

Name Branch CORP

Authenticati

on Method Pre-share

Peer IP

Address 198.133.219.2

209.165.200.2

26

Key

Exchange DH 2

Encrypted

Network

209.165.200.24

0/28

198.133.219.3

2/27

IKE SA

Lifetime 86400

Crypto Map

Name VPN-MAP VPN-MAP

ISAKMP Key

Vpnpass1

01

SA

Establishm

ent ipsec-isakmp ipsec-isakmp

a. Configure an ACL (ACL 120) on the CORP router to identify the

interesting traffic. The interesting traffic is all IP traffic between the

two LANs (209.165.200.240/28 and 198.133.219.32/27).

CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15

198.133.219.32 0.0.0.31

b. Configure the ISAKMP Phase 1 properties on the CORP router. The

crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy

Parameters Table for the specific details needed.

CORP(config)# crypto isakmp policy 10

CORP(config-isakmp)# encryption aes 256

CORP(config-isakmp)# authentication pre-share

CORP(config-isakmp)#group 2

CORP(config-isakmp)# lifetime 86400 (Default/Optional)

CORP(config-isakmp)# hash sha (Default/optional)

CORP(config-isakmp)# exit

CORP(config)# crypto isakmp key Vpnpass101 address

198.133.219.2

c. Configure the ISAKMP Phase 2 properties on the CORP router.

Refer to the ISAKMP Phase 2 Policy Parameters Table for the specific

details needed.

CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-

sha-hmac

CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp

CORP(config-crypto-map)# set peer 198.133.219.2

CORP(config-crypto-map)# set transform-set VPN-SET

CORP(config-crypto-map)# match address 120

d. Bind the VPN-MAP crypto map to the outgoing interface.


CORP(config-if)# crypto map VPN-MAP

CORP(config-if)# end

e. Configure IPsec parameters on the Branch router using the same

parameters as on the CORP router. Note that interesting traffic is

defined as the IP traffic from the two LANs.

Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31

209.165.200.240 0.0.0.15

Branch(config)# crypto isakmp policy 10

Branch(config-isakmp)# encryption aes 256

Branch(config-isakmp)# authentication pre-share

Branch(config-isakmp)# group 2

Branch(config-isakmp)# lifetime 86400 (Default/Optional)

Branch(config-isakmp)# hash sha (Default/optional)

Branch(config-isakmp)# exit

Branch(config)# crypto isakmp key Vpnpass101 address

209.165.200.226

Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-

sha-hmac

Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp

Branch(config-crypto-map)# set peer 209.165.200.226

Branch(config-crypto-map)# set transform-set VPN-SET

Branch(config-crypto-map)# match address 120

Branch(config-crypto-map)# exit

Branch(config)# interface s0/0/0

Branch(config-if)# crypto map VPN-MAP

Branch(config-if)# end

f. Save the running-config, then reload both CORP and Branch

routers.

CORP# copy running-config startup-config

Branch# copy running-config startup-config

g. Verify the VPN configuration by conducting an FTP session with

the username cisco and the password cisco from the Admin PC to

the DMZ Web Svr. On the Branch router, check that the packets are

encrypted. To exit the FTP session, type quit.

That’s all. I’m not sure which version it this Packet Tracer Activity

since it’s not mine. This CCNA Security SBA contributed by

Viktorcsn. Either it’s version 1.0 or version 1.1. However i noticed

that this SBA practice has been published and shared in some

website. I’m not sure if this practice will be helpful to all of you guys,

but i just try to spread it so that maybe someone that in need may

get this resource much easier.

So finally, thank you to Viktorcsn for the contribution. If you guys

have latest version of CCNA Security or anything to share that will

benefits all of us, please do not hesitate to drop me an email. Hope it

will bring success to all of us.

security 8 sba

Documents

specific details needed

fastethernet ports 0 1

dmz web svr

disable unused ports

dmz dns svr

enable secret password

ios ips basic category

site ipsec vpn