I Guía - CCNA - SecurityV4

Guia CCNA Security v4
@ NMT 2013
1
Router Security ....................................................................................................... 2
Privilege Level ........................................................................................................ 4
CLI Views .............................................................................................................. 6
SSH ........................................................................................................................ 8
Setup AAA: .......................................................................................................... 12
AAA Base de datos Local ..................................................................................... 15
Escenario 1 .................................................................................................................................... 15
Escenario 2 .................................................................................................................................... 16
Escenario 3 .................................................................................................................................... 16
Banner Messages .................................................................................................. 17
Auto Secure .......................................................................................................... 19


@ NMT 2013
2
Router Security

En R1 configurar de manera que solo se permita configurar passwords con un mnimo de 5
caracteres.
Las password deben ser ilegibles si utilizamos el comando show running-config.
Crear el usuario admin password cisco. Si accedemos por consola deberemos loguearnos en la
base de datos local.

R1
security passwords min-length 5

R1(config)#enable password nico
% Invalid Password length - must contain 5 to 25 characters. Password configuration failed

R1(config)#enable password cisco

R1
service password-encryption

R1#show running-config | include enable
enable password 7 094F471A1A0A

R1
username admin password cisco

line con 0
login local

R1#exit
R1 con0 is now available
Press RETURN to get started.

User Access Verification
Username:admin
Password:cisco
R1>enable
R1#


@ NMT 2013
3
En R1 habilitar un timeout de expiracin de consola en 2 horas con 30 segundos.

Normalmente el tiempo de expiracin lo dejo en infinito (exec-timeout 0 0)para no tener que loguearme
a cada rato si ese plazo se vence, como en este caso se requiere ingresar los valores utilizaremos
ventanas de tiempo grandes.

R1
line con 0
exec-timeout 120 30

R1#show line console 0 | section Timeouts
Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
02:00:30 never none not set
Idle Session Disconnect Warning
never
Login-sequence User Response
00:00:30
Autoselect Initial Wait
not set


@ NMT 2013
4
Privilege Level
En R1crear dos usuarios con las siguientes caractersticas
Definir password para modo privilegiado utilizando la palabra clave cisco.
Usuario Password Comandos disponibles (EXEC)
admin cisco Todos los comandos (high
privilege)
noc network Show, ping, traceroute

R1
username noc privilege 2 password network

privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 2 show

username admin privilege 15 password cisco

Para forzar a que los usuarios se tengan que identificar (login) con la base de datos local utilizamos:

R1
line con 0
login local

O alternativamente podemos utilizar AAA local.

aaa new-model
aaa authentication login default local none

R1#exit


%SYS-5-CONFIG_I: Configured from console by console

Username: noc
Password:network

R1#show privilege
Current privilege level is 2

R1#conf t
^
% Invalid input detected at '^' marker.


@ NMT 2013
5
R1#ping 10.2.2.2
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/72/100 ms

Ahora comprobamos el nivel de privilegio del usuario admin (nivel 15).

R1#exit


Username: admin
Password:cisco

R1#show privilege
Current privilege level is 15

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#router bgp 20.20


@ NMT 2013
6
CLI Views

Configurar CLI Views en R2.
Crear dos perfiles con las siguientes caractersticas:

Usuario Password View Comandos
ADMIN admin Todos los comandos show
salvo show version. ping,
configure.
NOC noc ping

R2
aaa new-model
enable secret cisco

R2#enable view
Password:cisco

R2#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

configure terminal

parser view ADMIN
secret admin
commands exec include configure
commands exec exclude show version
commands exec include all show

parser view NOC
secret noc
commands exec include-exclusive ping

R2#disable
R2>
R2>enable view ADMIN
Password:admin
R2#show ?
aaa Show AAA values
access-expression List access expression
access-lists List access lists
acircuit Access circuit info
adjacency Adjacent nodes
aliases Display alias commands
alignment Show alignment information
ancp ANCP information
aps APS information

@ NMT 2013
7
archive Archive functions
*
*
R2#show version
^

R2#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#?
Configure commands:
do-exec To run exec commands in config mode
exit Exit from configure mode

R2(config)#end
^

R2(config)#exit

Entramos con el perfil de NOC y comprobamos que solo tenemos la opcin ping

R2#exit
R2>
R2>enable view NOC
Password:noc

R2#?
Exec commands:
do-exec Mode-independent "do-exec" prefix support
enable Turn on privileged commands
exit Exit from the EXEC
ping Send echo messages
show Show running system information

R2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/42/52 ms


@ NMT 2013
8
SSH

Configurar enrutamiento esttico o dinmico de manera que exista conectividad completa entre
todos los routers incluyendo su interfaces loopbacks0.
Configurar Telnet en R1utilizando password r111.
Configurar Telnet en R2 para sesiones entrantes y SSH para sesiones salientes, solo se permite
establecer sesin SSH con los ID (loopbacks0) de cada router. Utilizar las siguientes polticas:
- Domain Name: duoc.cl
- Utilizar version SSH 2.0 (1.9)
- Autentificar en funcin de base de datos local utilizando AAA
- La autentificacin solo se debe establecer en line VTY.
- Mostrar eventos SSH en consola de R1, sesion exitosas y fallidas.
- El usuariopara SSH es el siguiente:

Usuario Password
jadmin cisco123
R1 puede acceder a R2 a travs de telnet pero desde R2 solo puede acceder a R3 a utilizando SSH.
Configurar en R3 SSH para sesiones entrantes, solo se permite establecer sesin SSH con los ID
(loopbacks0) de cada router. Utilizar las siguientes polticas:
- Domain Name: duoc.cl
- Utilizar version SSH 2.0 (1.9)
- Autentificar en funcin de base de datos local utilizando AAA
- La autentificacin solo se debe establecer en line VTY.
- Mostrar eventos SSH en consola de R1, sesion exitosas y fallidas.
- El usuario para SSH es el siguiente:

Usuario Password
admin cisco

Configure la password cisco para acceder al modo privilegiado en todos los routers.

R1
router eigrp 1

@ NMT 2013
9
network 10.0.0.0
no auto-summary

R2
router eigrp 1
network 10.0.0.0
no auto-summary

R3
router eigrp 1
network 10.0.0.0
no auto-summary

R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 10 00:00:11 159 954 0 3
0 10.1.12.1 Fa0/0 13 00:00:13 1571 5000 0 4

R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D 10.1.23.0/24 [90/30720] via 10.1.12.2, 00:01:12, FastEthernet0/0

Configuracion lines VTY

R1
line vty 0 4
password cisco
login

enable secret cisco


@ NMT 2013
10
R2
ip domain-name duoc.cl
crypto key generate rsa usage-keys
How many bits in the modulus [512]: 1024

%SSH-5-ENABLED: SSH 1.99 has been enabled

ip ssh logging events

aaa new-model
username jadmin password cisco123
aaa authentication login VTY-LOCAL local

line vty 0 4
login authentication VTY-LOCAL
transport input telnet
transport output ssh

R3
ip domain-name duoc.cl
crypto key generate rsa usage-keys
How many bits in the modulus [512]: 1024

%SSH-5-ENABLED: SSH 1.99 has been enabled

ip ssh logging events

aaa new-model
username admin password cisco
aaa authentication login VTY-LOCAL local

line vty 0 4
login authentication VTY-LOCAL
transport input ssh

R1 acceder a R2 a travs de telnet, pero desde R2 solo podr acceder a R3 a travs SSH, es decir, al
permetro de seguridad.

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open


Username: jadmin
Password:cisco123


@ NMT 2013
11
R2>enable
Password:cisco

R2#telnet 10.3.3.3
% telnet connections not permitted from this terminal

R2#ssh -l admin -c 3des 10.3.3.3

Password:cisco
R3>en
Password:cisco

R3#
*Aug 17 10:41:11.059: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.23.2 (tty = 0) using crypto
cipher '3des-cbc', hmac 'hmac-sha1' Succeeded
R3#
*Aug 17 10:41:14.523: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from
10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded

R3#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
2 vty 0 admin idle 00:01:00 10.1.23.2

Interface User Mode Idle Peer Address


@ NMT 2013
12
Setup AAA:
Configurar AAA en R1con las siguientes caractersticas para la autentificacin:
Crear usuario U4 password cisco.
Proceso AAA debe pedir usuario y contrasea utilizando Usuario: , Password: . El usuario solo
puede acceder al router utilizando sistema case sensitive.
Crear banner que tenga el siguiente mensaje $ Autentificacin AAA $
El maximo nmero de intentos es 3 antes de volver a pedir autenticacin, luego se bloquear el
permiso para el usuario.
Si el usuario no puede autentificarse se debe desplegar el siguiente mensaje: AUTENTIFICACIN
INVALIDA, INTENTELO NUEVAMENTE
El usuario debe autentificarse en funcin de la base de datos local
Para poder probar inmediatamente lo que hemos configurado podramos habilitar el login en la consola.

R1
username U4 password cisco
aaa new-model
aaa authentication password-prompt Password:
aaa authentication username-prompt Usuario:
aaa authentication login CONS local-case

R1

Usuario:u4
Password:cisco

% Authentication failed

Usuario:U4
Password:cisco

R1
aaa authentication banner $ Autentificacion AAA $

R1>exit

Autentificacion AAA
Usuario:U4
Password:cisco

Para comprobar si funciona esta configuracin debemos crear un super usuario en caso de que
bloqueemos al usauario U4. Luego de las pruebas debemos desbloquear al usuario U4.

R1
username admin privilege 15 password cisco
aaa authentication attempts login 3

@ NMT 2013
13
aaa local authentication attempts max-fail 3

Usuario:U4
Password:111

Usuario:U4
Password:222

Usuario:U4
Password:333

%AAA-5-USER_LOCKED: User U4 locked out on authentication failure
% Authentication failed

Usuario:admin
Password:

R1#show aaa local user lockout
Local-user Lock time
U4 15:20:39 UTC Wed Sep 14 2011

R1#clear aaa local user lockout username U4
R1#
%AAA-5-USER_UNLOCKED: User U4 unlocked by admin on console

Ahora podemos volver a intentarlo como usuario U4. Para la casa.

R1
aaa authentication fail-message $ AUTENTIFICACISN INVALIDA, INTENTELO NUEVAMENTE $

Usuario:U4
Password:1111
AUTENTIFICACISN INVALIDA, INTENTELO NUEVAMENTE
Usuario:U4
Password:cisco
R1>

La configuracin nos quedara de la siguiente manera:
aaa new-model
aaa local authentication attempts max-fail 3

aaa authentication banner ^C Autentificacin AAA ^C
aaa authentication fail-message ^C AUTENTICATIOIN INVALIDA, INTENTELO NUEVAMENTE ^C
aaa authentication password-prompt Password:
aaa authentication username-prompt Usuario:
aaa authentication login CONS local-case

username U4 password 0 cisco

@ NMT 2013
14
username admin privilege 15 password 0 cisco

line con 0
login authentication CONS


@ NMT 2013
15
AAA Base de datos Local

R1
interface GigabitEthernet0/0
ip address 10.1.12.1 255.255.255.0
no shut

R2
interface GigabitEthernet0/0
ip address 10.1.12.2 255.255.255.0
no shut

Rx
router eigrp 1
network 10.0.0.0

Escenario 1. Accedemos R2 via telnet usando la pasword de enable (modo exec).

R2
aaa new-model
aaa authentication login TELNET enable
enable secret cisco

line vty 0 4
login authentication TELNET

R1#telnet 10.2.2.2


Password:cisco

R2>
R2>enable
Password:cisco

Corresponde a la
misma password que
configuramos con

@ NMT 2013
16
Escenario 2.
Accedemos R2 via telnet usando la base de datos local. Debemos crear un user y su password.
Nota: Borrar configuracin anterior. Si est configurado aaa new-model no podremos utilizar la base de
datos local directamente en line vty.

R2
username admin password admin

line vty 0 4
login local

R1#telnet 10.2.2.2


Username: admin
Password:admin
R2>en
Password:cisco

Escenario 3. Accedemos R2 via telnet usando si usar password. Como veremos no tendremos que
autenticarnos. Salvo si queremos entrar al modo privilegiado.

R2
aaa new-model
aaa authentication login TELNET none

line vty 0 4
login authentication TELNET

R1#telnet 10.2.2.2
R2>


@ NMT 2013
17
Banner Messages
Configure R1 con el mensaje del dia (message of the day = motd) que se muestra a continuacin:

-------------------------------------------------------------------------
Te has conectado al router R1 en el puerto de consola 0.
XXXXXXXX
/| XXXXXXXX|\XXXXXXXXX
/*/ XXXXXXXXXXXXXX\*\XXXXXXXXXXXX
|**\ X _____XXXXXXXXX/**|XXXXXXXXXXXXX
|***\ X_/ \_ /***|___XXXXXXXXXXXX
\******* *******/ XXXXX \\XXXXXXX
\**** / \ *****/ XXXXX \\XXXXXXX
XXXX| 0 0 | XXXXX \XXXXXXX
XXXXX | | XXXXX \XXXXXXX
XXXXXX \ / XXXXX |________//
XXXXXX \ / XXXXX |XXXXXX
XXXXXX | O_O | XXXXX ||XXXXX
XXXXX \ _ / XXXXX \XXX
XXXX| : |XXXX /\ \ _
XXX\_/XXX |\__\ _____/ \ \ ) |_|
XXXXXX< | | | XX| |X\_ | _
XXX/ |X <_> XXXX/ | | | |_|
|___|XXXX| |XXXXXXXXX|___| | \
XXXXXX/ \XXXXXXXX |____|

Empresas Red Bull
Gerencia Informatica

Ubicacion: Av. Bernardo Prat # 1559, Piso 2
!!!! Atencion !!!!
Notificar al Area Administracion de Redes cualquier modificacion.
------------------------------------------------------------------------
Cisco Router 7200


@ NMT 2013
18
En el modo de configuracin global agregamos:

banner motd ^CC
-------------------------------------------------------------------------
Te has conectado al router $(hostname) en el puerto de consola $(line).

XXXXXXXX
/| XXXXXXXX|\XXXXXXXXX
/*/ XXXXXXXXXXXXXX\*\XXXXXXXXXXXX
|**\ X _____XXXXXXXXX/**|XXXXXXXXXXXXX
|***\ X_/ \_ /***|___XXXXXXXXXXXX
\******* *******/ XXXXX \\XXXXXXX
\**** / \ *****/ XXXXX \\XXXXXXX
XXXX| 0 0 | XXXXX \XXXXXXX
XXXXX | | XXXXX \XXXXXXX
XXXXXX \ / XXXXX |________//
XXXXXX \ / XXXXX |XXXXXX
XXXXXX | O_O | XXXXX ||XXXXX
XXXXX \ _ / XXXXX \XXX
XXXX| : |XXXX /\ \ _
XXX\_/XXX |\__\ _____/ \ \ ) |_|
XXXXXX< | | | XX| |X\_ | _
XXX/ |X <_> XXXX/ | | | |_|
|___|XXXX| |XXXXXXXXX|___| | \
XXXXXX/ \XXXXXXXX |____|

Empresas Red Bull
Gerencia Informatica
Ubicacion: Av. Bernardo Prat # 1559, Piso 2
!!!! Atencion !!!!
Notificar al Area Administracion de Redes cualquier modificacion.
------------------------------------------------------------------------
Cisco Router 7200 ^C


@ NMT 2013
19
Auto Secure

R1#auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]:yes

Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:no

Securing Management plane services..

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

@ NMT 2013
20
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
k cisco k
Enter the new enable password:
Confirm the enable password:

Configuration of local user database
Enter the username: nico
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected:
Device not secured against 'login attacks'.

Configure SSH server? [yes]: no

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services..

Enabling unicast rpf on all interfaces connected
to internet
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed

Enable tcp intercept feature? [yes/no]: yes


@ NMT 2013
21
This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C cisco ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 05050F0C2E404F1A
username nico password 7 05050F0C2E404F1A
aaa new-model
aaa authentication login local_auth local
line console 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
exec-timeout 10 0
transport output telnet
line vty 0 4
transport input telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip mask-reply
no mop enabled
int FastEthernet0/1

@ NMT 2013
22
no ip redirects
no ip proxy-arp
no ip unreachables
no ip mask-reply
no mop enabled
ip access-list extended 100
permit udp any any eq bootpc
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end

De una pequea definicin de cada uno de los servicios indicados en la salida anterior.

I Guía - CCNA - SecurityV4

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

I Guía - CCNA - SecurityV4

Transféré par

Droits d'auteur :

Formats disponibles

Guia CCNA Security v4

Vous aimerez peut-être aussi