security ccie study notes(2)
11) Ensure that Telnet access to every router is limited to the 172.40.x.x/16 network. If you Telnet from any router, the IP address of the destination should not be displayed.
Use the service command
service hide-telnet-addresses
! this only hides the destination address in Telnet messages; limiting Telnet sources to 172.40.0.0/16 still needs an access-class on the vty lines
12) Enable SSH on the Catalyst 3550 using the domain name ccie.com, and ensure that the switch can only be administered from the 172.40.x.x/16 network. You should not be able to reach the switch via Telnet.
Use the crypto key generate command
ip domain-name ccie.com
crypto key generate rsa
username ccie password ccie
access-list 1 permit 172.40.0.0 0.0.255.255
line vty 0 15
 login local
 ! access-class limits management to 172.40.0.0/16; transport input ssh removes Telnet
 access-class 1 in
 transport input ssh
13) Limit R3 such that the ICMP traffic entering from the Frame Relay network is only allowed to consume 528k of bandwidth. Allow 128k for periodic bursts.
Use the rate-limit command
ip cef
interface serial1/0
 ! 528000 bps committed rate; 128 kbit burst = 16000 bytes; normal burst equals extended burst, so there is no extended burst
 rate-limit input access-group 190 528000 16000 16000 conform-action transmit exceed-action drop
access-list 190 permit icmp any any
access-list 190 deny ip any any
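Added example, not from the notes: a Python simulation of the token bucket behind this rate-limit line. It shows why the task's 128k burst becomes 16000 bytes in the command, and what the bucket does to an ICMP burst versus a steady ICMP stream. With normal burst equal to extended burst, CAR behaves as a plain token bucket, which is what is modelled here; packet sizes and arrival times are constructed for the demo.

```python
from dataclasses import dataclass, field


def burst_bytes(burst_bits: int) -> int:
    """CAR burst sizes are configured in bytes; the task states the burst in bits."""
    return burst_bits // 8


@dataclass
class CarTokenBucket:
    """Single token bucket: CAR with normal burst == extended burst (16000 16000)."""
    rate_bps: int
    normal_burst: int
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.normal_burst)   # the bucket starts full

    def offer(self, size_bytes: int, now: float) -> str:
        # replenish tokens for the time that passed, never above the normal burst
        elapsed = max(0.0, now - self.last_time)
        self.last_time = max(self.last_time, now)
        self.tokens = min(self.normal_burst, self.tokens + elapsed * self.rate_bps / 8)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "transmit"        # conform-action transmit
        return "drop"                # exceed-action drop


def simulate(rate_bps: int, normal_burst: int, arrivals) -> dict:
    """arrivals: iterable of (time_seconds, size_bytes). Returns per-action packet counts."""
    bucket = CarTokenBucket(rate_bps, normal_burst)
    counts = {"transmit": 0, "drop": 0}
    for t, size in arrivals:
        counts[bucket.offer(size, t)] += 1
    return counts


RATE_BPS = 528_000                    # the committed rate from the rate-limit line
NORMAL_BURST = burst_bytes(128_000)   # 16000 bytes, as in the rate-limit line


def icmp_burst() -> dict:
    # constructed traffic: 100 x 1000-byte ICMP packets arriving at once
    return simulate(RATE_BPS, NORMAL_BURST, [(0.0, 1000)] * 100)


def icmp_steady() -> dict:
    # constructed traffic: 1000-byte packets every 20 ms = 400 kbit/s, below 528 kbit/s
    return simulate(RATE_BPS, NORMAL_BURST, [(i * 0.02, 1000) for i in range(50)])


if __name__ == "__main__":
    print("burst :", icmp_burst())
    print("steady:", icmp_steady())
```

Only the first 16000 bytes of the burst conform (16 packets); everything after that is dropped until tokens accrue, while the steady stream never exceeds the rate and is transmitted in full.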
14) Configure R4 to act as a DHCP server for Backbone 1, using the IP address range 10.1.4.0/24. Ensure the IP addresses 10.1.4.4 and 10.1.4.100 are not assigned. Clients should also receive a DNS server address of 10.1.4.100. R4 should send itself as the default router. The domain name should be ccie.com.
Use the ip dhcp command
no ip dhcp conflict logging
ip dhcp excluded-address 10.1.4.4
ip dhcp excluded-address 10.1.4.100
ip dhcp pool dhcppool
network 10.1.4.0 255.255.255.0
dns-server 10.1.4.100
domain-name ccie.com
default-router 10.1.4.4
15) Configure R2, R4 and R1 to receive their time from R3 via NTP. These NTP updates should carry a one-way hash of the password.
Use the ntp command
R3
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp master
R1, R2, R4
ntp authentication-key 1 md5 cisco
ntp authenticate
! the client must also trust the key id, otherwise authenticated packets from R3 are rejected
ntp trusted-key 1
! ntp clock-period is written by IOS itself; do not type it
ntp clock-period xxxxxx
ntp server 172.16.200.3 key 1
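Added example, not from the notes: Python that builds the authenticator NTP appends when a key is configured, so you can see what "a one-way hash of the password" means on the wire. The authenticator is the 32-bit key id followed by MD5 over key || packet; the key itself is never sent. It assumes the key is used as its raw ASCII bytes (as a `md5` key on IOS is); the packet fields, timestamps and the key id 1 / key "cisco" pairing are constructed to mirror the ntp authentication-key line above, and the trusted-key dictionary plays the role of `ntp trusted-key`.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48    # fixed NTP header (RFC 5905)
MAC_LEN = 4 + 16       # 32-bit key id + 16-byte MD5 digest


def build_ntp_packet(mode: int, transmit_ts: int, stratum: int = 0) -> bytes:
    """Build a minimal 48-byte NTPv4 header; only fields needed for the demo are set."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode                      # LI=0, VN=4
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)   # poll=6, precision=-20
    header += struct.pack("!II", 0, 0)                           # root delay, root dispersion
    header += b"\x00" * 4                                        # reference id
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)         # ref/orig/recv/xmit stamps
    assert len(header) == NTP_HEADER_LEN
    return header


def ntp_md5_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """Authenticator = key id || MD5(key || packet). The key never goes on the wire."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def sign(key_id: int, key: bytes, packet: bytes) -> bytes:
    return packet + ntp_md5_mac(key_id, key, packet)


def verify(trusted_keys: dict, message: bytes) -> bool:
    """Accept only if the key id is trusted and the digest matches (constant-time compare)."""
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False
    packet, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:                      # no "ntp trusted-key" for this id
        return False
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, mac[4:])


# constructed values mirroring "ntp authentication-key 1 md5 cisco"
KEY_ID = 1
KEY = b"cisco"
CLIENT_TRUSTED = {KEY_ID: KEY}           # what "ntp trusted-key 1" expresses on the client


def demo():
    """Returns (genuine accepted, tampered accepted, untrusted-key accepted)."""
    server_reply = build_ntp_packet(mode=4, transmit_ts=0xE8A7_0000_0000_0000, stratum=8)
    signed = sign(KEY_ID, KEY, server_reply)
    ok = verify(CLIENT_TRUSTED, signed)
    # flip the transmit timestamp (last 8 bytes of the header) after signing
    tampered = signed[:40] + b"\xff" * 8 + signed[48:]
    tampered_ok = verify(CLIENT_TRUSTED, tampered)
    # same genuine message, but the client trusts no key id
    untrusted_ok = verify({}, signed)
    return ok, tampered_ok, untrusted_ok


if __name__ == "__main__":
    print(demo())
```

A modified timestamp or an untrusted key id both fail verification, which is why the `ntp trusted-key` line matters on the clients: without it the digest is never checked against a key the client accepts.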
16) Create a username/password database on R6. Users test1 and test2 should have a password of cisco. When test1 telnets to the router he should be in "enable mode" instantly. The user account test2 should only be able to enter the commands ping, telnet, exit and session #. R6 should never try to authenticate/authorize the Console port (make sure you don't lock yourself out here).
Use the aaa authorization command
aaa new-model
! the default lists are "none", so the console is never authenticated or authorized; the named TEST lists apply to the vty lines only
aaa authentication login default none
aaa authentication login TEST local
aaa authorization exec default none
aaa authorization exec TEST local
aaa authorization commands 0 default none
aaa authorization commands 0 TEST local
aaa authorization commands 1 default none
aaa authorization commands 1 TEST local
aaa authorization commands 15 default none
aaa authorization commands 15 TEST local
! test1 lands in enable mode through exec authorization; test2 stays at level 0
username test1 privilege 15 password cisco
username test2 privilege 0 password cisco
! ping and telnet are not level-0 commands by default, so move them there for test2
privilege exec level 0 ping
privilege exec level 0 telnet
line vty 0 4
 login authentication TEST
 authorization exec TEST
 authorization commands 0 TEST
 authorization commands 1 TEST
 authorization commands 15 TEST
17) R5 should perform login authentication and network authorization using the ACS server 172.16.10.100. Use TACACS+ and a key of "cisco". You might want to enable a backup authentication method on the Console port.
Use the aaa authorization command
aaa new-model
! ACS server and key from the task statement
tacacs-server host 172.16.10.100 key cisco
aaa authentication login default group tacacs+ local
! the "con" list with method none is the console backup, so a TACACS+ outage cannot lock you out
aaa authentication login con none
aaa authorization network default group tacacs+ local
line con 0
 login authentication con
18) R5 should be configured to audit the Ethernet network for behaviour that resembles an attack or informational reconnaissance. Informational signatures should send an alarm; attack signatures should send an alarm, drop the connection and send a TCP RESET. The router should watch for e-mail with a recipient list greater than 175. The event queue should be able to reach a size of 64kb. The router should log these events locally. You've been experiencing a high number of false alarms, so disable the ICMP Echo Reply signature. Audit incoming and outgoing traffic.
Use the ip audit command
ip audit notify log
ip audit po max-events 200
ip audit smtp spam 175
! signature 2000 is ICMP Echo Reply
ip audit signature 2000 disable
ip audit name ipaudit info action alarm
ip audit name ipaudit attack action alarm drop reset
interface ethernet 0/0
 ip audit ipaudit in
 ip audit ipaudit out
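Added example, not from the notes: a small Python detector that does what the "ip audit smtp spam 175" line asks for, counting RCPT TO commands per SMTP envelope and raising one alarm when the count goes past the threshold. The SMTP sessions it runs over are constructed inline; it is a model of the recipient-count check, not IOS's signature engine.

```python
SPAM_THRESHOLD = 175   # the value from "ip audit smtp spam 175"


def audit_smtp_session(lines, threshold: int = SPAM_THRESHOLD) -> list:
    """Walk client-side SMTP commands; return (envelope_number, message) alarms for
    every envelope whose RCPT TO count exceeds the threshold. Alarms fire once per
    envelope, at the moment the limit is crossed."""
    alarms = []
    rcpt_count = 0
    envelope = 0
    for raw in lines:
        upper = raw.strip().upper()
        if upper.startswith("MAIL FROM:"):
            envelope += 1            # new envelope starts a fresh recipient count
            rcpt_count = 0
        elif upper == "RSET" or upper == "DATA":
            rcpt_count = 0           # envelope finished or abandoned
        elif upper.startswith("RCPT TO:"):
            rcpt_count += 1
            if rcpt_count == threshold + 1:
                alarms.append((envelope, f"recipient count exceeded {threshold}"))
    return alarms


def build_session(*recipient_counts) -> list:
    """Constructed SMTP client transcript with one envelope per count given."""
    cmds = ["EHLO mailer.example.test"]
    for n in recipient_counts:
        cmds.append("MAIL FROM:<sender@example.test>")
        cmds += [f"RCPT TO:<user{i}@example.test>" for i in range(n)]
        cmds += ["DATA", "Subject: constructed sample", ".", ]
    cmds.append("QUIT")
    return cmds


def demo():
    """Returns alarm counts for: 176 recipients, 175 recipients, and a session whose
    second envelope alone is oversized."""
    over = len(audit_smtp_session(build_session(176)))
    at_limit = len(audit_smtp_session(build_session(175)))
    mixed = audit_smtp_session(build_session(3, 200))
    return over, at_limit, mixed


if __name__ == "__main__":
    print(demo())
```

Exactly 175 recipients is not reported, 176 is, and in the mixed session only the second envelope is flagged, which is the "greater than 175" behaviour the task describes.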