Information Security Lab 10: Reference Answers and Translation (信息安全实验十参考答案及翻译.doc)
PT Activity: Configure a Network for Secure Operation

Addressing Table

(The IP addresses, most subnet masks and the PC default gateways were lost when this page was extracted; only the trailing digits "52" of the serial-link masks survive, shown below as "...52". Take the missing values from the Packet Tracer file.)

Device  Interface       IP Address  Subnet Mask  Default Gateway  Switch Port
R1      Fa0/1           (lost)      (lost)       N/A              S1 Fa0/5
R1      S0/0/0 (DCE)    (lost)      ...52        N/A              N/A
R2      S0/0/0          (lost)      ...52        N/A              N/A
R2      S0/0/1 (DCE)    (lost)      ...52        N/A              N/A
R3      Fa0/1           (lost)      (lost)       N/A              S3 Fa0/5
R3      S0/0/(lost)     (lost)      ...52        N/A              N/A
PC-A    NIC             (lost)      (lost)       (lost)           S1 Fa0/6
PC-B    NIC             (lost)      (lost)       (lost)           S2 Fa0/18
PC-C    NIC             (lost)      (lost)       (lost)           S3 Fa0/6

Learning Objectives
- Secure the routers with strong passwords, password encryption and a login banner.
- Secure the console and VTY lines with passwords.
- Configure local AAA authentication.
- Configure an SSH server.
- Configure the router for syslog.
- Configure the router for NTP.
- Secure the router against login attacks.
- Configure CBAC and ZPF firewalls.
- Secure the network switches.

Introduction

In this comprehensive practice activity you apply a combination of the security measures introduced in the course; they are listed in the objectives above.

In the topology, R1 is the edge router for Company A and R3 is the edge router for Company B. The two networks are interconnected through R2, which represents the ISP. You will configure various security features on the routers and switches of Company A and Company B. Not every feature is configured on both R1 and R3.

The following have been preconfigured:
- Hostnames on all devices
- IP addresses on all devices
- R2 console password: ciscoconpa55
- R2 password on the VTY lines: ciscovtypa55
- R2 enable password: ciscoenpa55
- Static routing
- Syslog service on PC-B
- DNS lookup disabled
- IP default gateways on all switches

Task 1: Test Connectivity and Verify Configurations
Step 1. Verify the IP addresses.
Step 2. Verify the routing tables.
Step 3. Test connectivity. From PC-A, ping PC-C at its IP address (the address is omitted in the source).

Task 2: Secure the Routers
Step 1. Set a minimum password length of 10 characters on routers R1 and R3.
Step 2. Configure an enable secret password on R1 and R3. Use the enable secret password ciscoenpa55.
Step 3. Encrypt plaintext passwords. Note from the original: this command encrypts every plaintext password currently in the configuration file and any added later. Caveat: service password-encryption applies the reversible type 7 encoding, which only hides passwords from a casual look at the running configuration; the enable secret is stored as a hash and is the one that actually resists recovery.
Step 4. Configure the console lines on R1 and R3. Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.
Step 5. Configure the vty lines on R1. Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the login authentication to use the default AAA list, which is defined in a later task.
Note: the vty lines on R3 are configured for SSH in a later task.
Step 6. Configure a login banner on R1 and R3. Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that reads: "No Unauthorized Access!".

Task 3: Configure Local Authentication on R1 and R3
Step 1. Configure the local user database. Create a local user account Admin01 with the secret password Admin01pa55. Note from the original: a user who logs in with this account has privilege level 15 (see textbook p. 29).
Step 2. Enable AAA services.
Step 3. Implement AAA services using the local database. Create the default login authentication method list using local authentication with no backup method (see p. 47).

Task 4: Configure NTP
Step 1. Enable NTP authentication on PC-A. On PC-A choose the Config tab, then the NTP button. Select On for the NTP service. Enable authentication and enter a Key of 1 and a password of ciscontppa55.
Step 2. Configure R1 as an NTP client. Configure NTP authentication key 1 with the password ciscontppa55. Configure R1 to synchronize with the NTP server and to authenticate using key 1.
Step 3. Configure the routers to update the hardware clock. Configure the routers to periodically update the hardware clock with the time learned from NTP.

Task 5: Configure R1 as a Syslog Client
Step 1. Configure R1 to timestamp log messages. Configure the timestamp service for logging on the routers.
Step 2. Configure R1 to log messages to the syslog server. Configure the routers to identify the remote host (the syslog server) that receives logging messages. You should see a console message similar to the following (the host address is omitted in the source):
SYS-6-LOGGINGHOST_STARTSTOP: Logging to host port 514 started - CLI initiated
Step 3. Check for syslog messages on PC-B. On R1, exit configuration mode to generate a syslog message. Open the syslog server on PC-B to view the message sent from R1. You should see a message similar to the following on the syslog server:
%SYS-5-CONFIG_I: Configured from console by console

Task 6: Secure the Router Against Login Attacks
Step 1. Log unsuccessful login attempts to R1.
Step 2. Telnet to R1 from PC-A. Telnet from PC-A to R1 and provide the username Admin01 and password Admin01pa55. The Telnet should succeed.
Step 3. Telnet to R1 from PC-A and check the syslog messages on the syslog server. Exit the current Telnet session and Telnet to R1 again with the username baduser and any password. Check the syslog server on PC-B. You should see an error message similar to the following, generated by the failed login attempt (the source address is omitted in the source):
SEC_LOGIN-4-LOGIN_FAILED: Login failed user: baduser Source: localport: 23 Reason: Invalid login at 15:01:23 UTC Wed June 17 2009

Task 7: Configure SSH on R3
Step 1. Configure a domain name on R3.
Step 2. Configure the incoming vty lines on R3. Use the local user accounts for mandatory login and validation, and accept only SSH connections.
Step 3. Configure an RSA key pair for R3. Any existing RSA key pairs should be erased first; if no keys are currently configured, a message says so. Generate the RSA keys with a modulus of 1024. Caveat: 1024 bits is the lab value; in production use a modulus of 2048 bits or more.
Step 4. Configure SSH timeouts and authentication parameters. Set the SSH timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.

Task 8: Configure CBAC on R1
Step 1. Configure a named IP ACL. Create an IP ACL named OUT-IN that blocks all traffic originating from the outside network. Apply the access list to incoming traffic on interface Serial 0/0/0.
Step 2. Confirm that traffic entering Serial 0/0/0 is dropped. From the PC-A command prompt, ping PC-C. The echo requests leave, but the ICMP echo replies coming back in on Serial 0/0/0 are blocked by the ACL.
Step 3. Create an inspection rule named IN-OUT-IN to inspect ICMP, Telnet and HTTP traffic.
Step 4. Apply the inspection rule to the outside interface. Apply IN-OUT-IN to the interface where traffic exits to the outside networks.
Step 5. Test the inspection rule. From the PC-A command prompt, ping PC-C. The ICMP echo replies should now be inspected and allowed through: CBAC records each outbound session and opens a temporary entry ahead of OUT-IN for that session's return traffic.

Task 9: Configure ZPF on R3
Step 1. Test connectivity. Verify that the internal host can reach external resources. From PC-C, test connectivity with ping and Telnet to R2; all should succeed. From R2, ping PC-C; the pings should be allowed.
Step 2. Create the firewall zones. Create an internal zone named IN-ZONE and an external zone named OUT-ZONE.
Step 3. Create an ACL that defines internal traffic. Create an extended, numbered ACL that permits all IP protocols from the internal /24 source network (the network address is omitted in the source) to any destination. Use 101 as the ACL number.
Step 4. Create a class map referencing the internal traffic ACL. Create a class map named IN-NET-CLASS-MAP that matches ACL 101 (see p. 92).
Step 5. Specify the firewall policies. Create a policy map named IN-2-OUT-PMAP to determine what to do with matched traffic. Specify a class type of inspect and reference class map IN-NET-CLASS-MAP. Specify the action inspect for this policy map. You should see the following console message:
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.
Exit to the global configuration prompt.
Step 6. Apply the firewall policies. Create a zone pair named IN-2-OUT-ZPAIR and specify the source and destination zones created earlier. Attach the policy map created previously, IN-2-OUT-PMAP, to the zone pair. Exit to the global configuration prompt and assign the internal and external interfaces to their security zones.
Step 7. Test firewall functionality. Verify that the internal host can still reach external resources. From PC-C, test connectivity with ping and Telnet to R2; all should succeed. From R2, ping PC-C; the pings should now be blocked, because no zone pair exists for the OUT-ZONE to IN-ZONE direction and traffic between zones without a zone pair is dropped.

Task 10: Secure the Switches
Step 1. Configure an enable secret password on all switches. Use the enable secret password ciscoenpa55.
Step 2. Encrypt plaintext passwords.
Step 3. Configure the console lines on all switches. Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.
Step 4. Configure the vty lines on all switches. Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the basic login parameter.
Step 5. Secure the trunk ports on S1 and S2. Configure port Fa0/1 on S1 and port Fa0/1 on S2 as trunk ports. Verify that S1 port Fa0/1 is in trunking mode. Set the native VLAN on the S1 and S2 trunk ports to an unused VLAN, 99. Set the S1 and S2 trunk ports so that they do not negotiate, by turning off the generation of DTP frames. Enable storm control for broadcasts on the S1 and S2 trunk ports with a 50 percent rising suppression level.
Step 6. Secure the access ports. Disable trunking on the S1, S2 and S3 access ports. Enable PortFast on the S1, S2 and S3 access ports (see p. 127). Enable BPDU guard on the switch ports previously configured as access only. Enable basic default port security on all end-user access ports that are in use, using the sticky option. Re-enable each access port to which port security was applied. Disable any ports not in use on each switch.

Task 11: Verification
Step 1. Test the SSH configuration. Attempt to connect to R3 via Telnet from PC-C: from PC-C, enter the command to connect to R3 via Telnet at its IP address (omitted in the source). This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines. From PC-C, enter ssh -l Admin01 followed by R3's address to connect to R3 via SSH. When prompted for the password, enter the password Admin01pa55 configured for the local administrator. Use the show ip ssh command to see the configured settings.
Step 2. Verify timestamps and NTP status for R1 and PC-A.
Step 3. Test the CBAC firewall on R1.
- Ping from PC-A to R2 (should succeed)
- Telnet from PC-A to R2 (should succeed)
- Ping from R2 to PC-A (should fail)
Step 4. Test the ZPF firewall on R3.
- Ping from PC-C to R2 (should succeed)
- Telnet from PC-C to R2 (should succeed)
- Ping from R2 to PC-C (should fail)
- Telnet from R2 to R3 (should fail; only SSH is allowed)
Note: ZPF does not filter traffic addressed to the router's own interfaces (the self zone) unless a policy is written for it, so the last test is refused by transport input ssh on the vty lines, not by the firewall.
Step 5. Verify port security. On S2, use the show run command to confirm that S2 has added a sticky MAC address for Fa0/18. This should be the MAC address of PC-B. Record the MAC address for later use. Select PC-B. Go to the Config tab. Select FastEthernet under the Interfaces (the source text ends here).
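Reference configuration for the router management plane (Tasks 2 to 7). This is an added worked answer written for this page, not the activity's official answer key. The NTP server, syslog server and domain name values are assumptions, because the page's addressing table lost every address and names no domain; substitute the values from your Packet Tracer file.

```cisco
! Added reference configuration for R1 and R3 (Tasks 2 to 7); the editor's
! worked answer, not the page's own answer key. Assumed values (the page
! omits them): PC-A (NTP server) 192.168.1.5, PC-B (syslog server) 192.168.1.6,
! domain name ccnasecurity.com.
!
! ===== R1 =====
! Task 3 first: create the admin account BEFORE aaa new-model. Once AAA is on,
! the default list also governs the console, and an empty local database
! means you lock yourself out.
username Admin01 privilege 15 secret Admin01pa55
aaa new-model
aaa authentication login default local    ! no fallback method, as the lab requires
!
! Task 2: password policy, console, vty, banner
security passwords min-length 10          ! applies to passwords set from now on, not existing ones
enable secret ciscoenpa55
service password-encryption               ! type 7 encoding of line passwords: reversible, obfuscation only
line console 0
 password ciscoconpa55
 exec-timeout 5 0                         ! 5 minutes 0 seconds
 logging synchronous                      ! console messages no longer interrupt command entry
 login
line vty 0 4
 password ciscovtypa55
 exec-timeout 5 0
 login authentication default             ! real IOS accepts this only after aaa new-model
banner motd $No Unauthorized Access!$
!
! Task 4: authenticated NTP client
ntp authentication-key 1 md5 ciscontppa55
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.5 key 1              ! assumed PC-A address
ntp update-calendar                       ! copy NTP time into the hardware clock periodically
!
! Task 5: syslog client
service timestamps log datetime msec
logging host 192.168.1.6                  ! assumed PC-B address; UDP/514, triggers SYS-6-LOGGINGHOST_STARTSTOP
!
! Task 6: record failed logins (SEC_LOGIN-4-LOGIN_FAILED is sent to PC-B)
login on-failure log
!
! ===== R3 =====
! Same Task 2 and Task 3 lines as R1, except that the vty lines take SSH only (Task 7).
ip domain-name ccnasecurity.com           ! assumed name; needed before RSA key generation
crypto key zeroize rsa                    ! remove any existing pair; prints a message if none exists
crypto key generate rsa general-keys modulus 1024   ! lab value; use 2048 or more outside the lab
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
line vty 0 4
 exec-timeout 5 0
 login authentication default             ! the task's "login local"; under aaa new-model real IOS offers only this form
 transport input ssh                      ! Telnet refused on every vty line
!
! Verification
! R1# show ntp status
! R1# show logging
! R3# show ip ssh
! R3# show crypto key mypubkey rsa
```

Two points worth knowing before pasting this into real hardware: R1's vty lines still accept Telnet, so Admin01pa55 crosses the wire in clear text during Task 6, which is fine for the lab but the reason R3's SSH-only vty configuration is the one to copy; and `crypto key generate rsa` without the `general-keys modulus` keywords prompts for the modulus interactively, which is the form Packet Tracer shows.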
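Reference configuration for the two firewall tasks, CBAC on R1 (Task 8) and ZPF on R3 (Task 9), shown together so the two models can be compared. This is an added worked answer, not the page's own; the interface roles and Company B's internal network address are assumptions because the page omits them.

```cisco
! Added reference configuration for Task 8 (R1, CBAC) and Task 9 (R3, ZPF);
! the editor's worked answer, not taken from the page. Assumed, because the
! page omits them: Serial0/0/0 is R1's outside interface, FastEthernet0/1 and
! Serial0/0/1 are R3's inside and outside interfaces, and Company B's internal
! network is 192.168.3.0/24.
!
! ===== R1: classic CBAC =====
! Step 1: drop everything that arrives from outside ...
ip access-list extended OUT-IN
 deny ip any any
interface Serial0/0/0
 ip access-group OUT-IN in
! Steps 3 and 4: ... except the return traffic of sessions that inside hosts
! started. Inspecting on the outbound side records each session and installs
! a temporary entry that is checked ahead of OUT-IN for its replies.
ip inspect name IN-OUT-IN icmp
ip inspect name IN-OUT-IN telnet
ip inspect name IN-OUT-IN http
interface Serial0/0/0
 ip inspect IN-OUT-IN out
!
! ===== R3: zone-based policy firewall =====
zone security IN-ZONE
zone security OUT-ZONE
access-list 101 permit ip 192.168.3.0 0.0.0.255 any    ! assumed internal network
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect                 ! no protocol named in the class map, so every protocol is inspected
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
interface FastEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
! There is deliberately no OUT-ZONE -> IN-ZONE pair: inter-zone traffic with
! no zone pair is dropped, which is what blocks R2's pings to PC-C while
! PC-C's own sessions to R2 are still inspected and their replies admitted.
!
! Verification (Task 11, Steps 3 and 4)
! R1# show ip inspect sessions                         (while PC-A telnets to R2)
! R3# show policy-map type inspect zone-pair sessions
! R3# show zone-pair security
```

The order of the CBAC lines matters for the test in Task 8 Step 2: apply OUT-IN first and confirm the pings fail, then add the inspection and confirm they succeed, otherwise you cannot tell whether the ACL or the inspection is doing the work. CBAC is the older model and has been removed from newer IOS releases in favour of ZPF, which is why the activity configures both.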
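Reference configuration for the switch hardening in Task 10, shown for S1; S2 and S3 take the same commands with their own port numbers (S2's PC-B port is Fa0/18 per the addressing table). This is an added worked answer, not the page's own. The trunk port, the in-use access ports and the port inventory of S1 are assumptions stated in the comments.

```cisco
! Added reference configuration for Task 10 on S1; the editor's worked answer,
! not the page's own. Assumed: S1 is a 24-port FastEthernet switch with two
! Gigabit uplinks, Fa0/1 is the trunk to S2, and Fa0/5 (R1) and Fa0/6 (PC-A)
! are the in-use access ports (port numbers from the addressing table).
!
! Steps 1 to 4: management plane
enable secret ciscoenpa55
service password-encryption
line console 0
 password ciscoconpa55
 exec-timeout 5 0
 logging synchronous
 login
line vty 0 15
 password ciscovtypa55
 exec-timeout 5 0
 login
!
! Step 5: trunk hardening
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99         ! unused VLAN, so double-tagged (VLAN hopping) frames land nowhere
 switchport nonegotiate                  ! no DTP frames; the far end cannot negotiate a trunk
 storm-control broadcast level 50        ! rising suppression level, percent of bandwidth
!
! Step 6: access ports
interface range FastEthernet0/5 - 6
 switchport mode access                  ! trunking disabled; DTP is off on a static access port
 spanning-tree portfast
 spanning-tree bpduguard enable          ! a BPDU on an access port err-disables it (rogue switch)
interface FastEthernet0/6
 switchport port-security                ! defaults: max 1 MAC, violation shutdown
 switchport port-security mac-address sticky
 shutdown
 no shutdown                             ! bounce so the sticky MAC is learned from PC-A's next frame
!
! Step 6, last item: disable every port not in use (assumed inventory)
interface range FastEthernet0/2 - 4 , FastEthernet0/7 - 24
 shutdown
interface range GigabitEthernet0/1 - 2
 shutdown
!
! Verification
! S1# show interfaces trunk
! S1# show port-security interface FastEthernet0/6
! S1# show running-config | include sticky
```

Port security is applied only to the end-user port (Fa0/6) because the task limits it to end-user access ports in use; `switchport port-security` is rejected on a port still in dynamic mode, so `switchport mode access` must precede it. The sticky address shows up in `show running-config` only after a frame from the PC has been seen, which is why Task 11 Step 5 checks S2's Fa0/18 after PC-B has sent traffic.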
