guía_ccna_securityv4.docx

Upload: miguel-angel-orellana-sandoval

Posted on 02-Mar-2016


Guia CCNA Security v4

Contents

Router Security
Privilege Level
CLI Views
SSH
Setup AAA
AAA Local Database
 Scenario 1
 Scenario 2
 Scenario 3
Banner Messages
Auto Secure

Router Security

On R1, configure the router so that only passwords of at least 5 characters are accepted. Passwords must not be readable in the output of show running-config. Create the user admin with password cisco. Console access must log in against the local user database.

R1:
 security passwords min-length 5

R1(config)#enable password nico
% Invalid Password length - must contain 5 to 25 characters. Password configuration failed

R1(config)#enable password cisco

R1:
 service password-encryption

R1#show running-config | include enable
enable password 7 094F471A1A0A

R1:
 username admin password cisco
 line con 0
  login local

R1#exit
R1 con0 is now available
Press RETURN to get started.

User Access Verification
Username: admin
Password: cisco
R1>enable
R1#

On R1, set a console idle timeout of 2 hours and 30 seconds.

Normally I leave the expiration timeout at infinity (exec-timeout 0 0) so that I don't have to log in again every time it expires; since this exercise requires entering the values, we will use large time windows.

R1:
 line con 0
  exec-timeout 120 30

R1#show line console 0 | section Timeouts
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
                02:00:30        never         none        not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
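The checks in this section (minimum password length, service password-encryption, local login on the console, exec-timeout) can be verified automatically against a saved running-config. The following Python audit is an added example, not part of the guide; it parses a constructed sample config (the enable string is the one shown above, the other type 7 strings are placeholders) and also flags VTY lines that still accept clear-text Telnet. Note that type 7 strings produced by service password-encryption are reversible obfuscation, which is why the audit prefers enable secret and username ... secret.

```python
import re

# Constructed sample running-config, modelled on the R1 commands in this section
# (not captured from the guide's router; the type 7 strings are placeholders).
SAMPLE_CONFIG = """\
security passwords min-length 5
service password-encryption
enable password 7 094F471A1A0A
username admin password 7 0822455D0A16
username noc privilege 2 secret 5 $1$abcd$PLACEHOLDERHASHxxxxxxx
line con 0
 login local
 exec-timeout 0 0
line vty 0 4
 login
 transport input telnet
"""

# username <name> [privilege N] password|secret [type] <string>
USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? (password|secret)(?: (\d+))? ", re.M)


def line_blocks(config):
    """Map each 'line ...' block (e.g. 'con 0', 'vty 0 4') to its sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any other top-level command ends the block
    return blocks


def audit_config(config):
    """Return (code, detail) findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^security passwords min-length \d+$", config, re.M):
        findings.append(("MINLEN", "no security passwords min-length: short passwords accepted"))
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append(("ENC", "service password-encryption is off: type 0 passwords shown in clear"))
    if re.search(r"^enable password ", config, re.M):
        findings.append(("ENABLE", "enable password (type 0/7, reversible) instead of enable secret"))
    for user, keyword, ptype in USER_RE.findall(config):
        if keyword == "password":   # type 7 is obfuscation, not a hash; type 0 is clear text
            findings.append(("USER", f"{user}: password type {ptype or '0'} is reversible; use secret"))
    for name, cmds in line_blocks(config).items():
        if not any(c.startswith("login") for c in cmds):
            findings.append(("LOGIN", f"line {name}: no login required on this line"))
        for c in cmds:
            if re.fullmatch(r"exec-timeout 0(?: 0)?", c):
                findings.append(("TIMEOUT", f"line {name}: {c} never closes idle sessions"))
            if c.startswith("transport input") and ("telnet" in c or c.endswith(" all")):
                findings.append(("TELNET", f"line {name}: clear-text telnet accepted ({c})"))
    return findings
```

Running audit_config(SAMPLE_CONFIG) reports the reversible enable and admin passwords, the never-expiring console session and the Telnet-enabled VTY lines.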

Privilege Level

On R1, create two users with the following characteristics. Set the privileged-mode password to cisco.

User    Password   Available commands (EXEC)
admin   cisco      All commands (high privilege)
noc     network    show, ping, traceroute

R1:
 username noc privilege 2 password network
 privilege exec level 2 traceroute
 privilege exec level 2 ping
 privilege exec level 2 show
 username admin privilege 15 password cisco

[Comment by Nicolas Montero: consider denying: privilege exec level 2 traceroute ping.]

To force users to identify themselves (login) against the local database we use:

R1:
 line con 0
  login local

Or, alternatively, we can use local AAA:

 aaa new-model
 aaa authentication login default local none

[Comment by Nicolas Montero: we must not use this command (aaa new-model) if we have already enabled login local on the console.]

R1#exit
R1 con0 is now available

Press RETURN to get started.

%SYS-5-CONFIG_I: Configured from console by console

User Access Verification
Username: noc
Password: network

R1#show privilege
Current privilege level is 2

R1#conf t
          ^
% Invalid input detected at '^' marker.

R1#ping 10.2.2.2
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/72/100 ms

Now we check the privilege level of the admin user (level 15).

R1#exit
R2 con0 is now available
Press RETURN to get started.

User Access Verification

Username: admin
Password: cisco

R1#show privilege
Current privilege level is 15

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#router bgp 20.20

CLI Views

Configure CLI views on R2. Create two profiles with the following characteristics:

User    Password   View commands
ADMIN   admin      All show commands except show version; ping, configure.
NOC     noc        ping

R2:
 aaa new-model
 enable secret cisco

R2#enable view
Password: cisco
R2#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

R2#configure terminal
 parser view ADMIN
  secret admin
  commands exec include configure
  commands exec exclude show version
  commands exec include all show
 parser view NOC
  secret noc
  commands exec include-exclusive ping

R2#disable
R2>enable view ADMIN
Password: admin
R2#show ?
  aaa                Show AAA values
  access-expression  List access expression
  access-lists       List access lists
  acircuit           Access circuit info
  adjacency          Adjacent nodes
  aliases            Display alias commands
  alignment          Show alignment information
  ancp               ANCP information
  aps                APS information
  archive            Archive functions
  ...

R2#show version
            ^
% Invalid input detected at '^' marker.

R2#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#?
Configure commands:
  do-exec  To run exec commands in config mode
  exit     Exit from configure mode

R2(config)#end
           ^
% Invalid input detected at '^' marker.

R2(config)#exit

We log in with the NOC profile and confirm that only the ping option is available:

R2#exit
R2>enable view NOC
Password: noc

R2#?
Exec commands:
  do-exec  Mode-independent "do-exec" prefix support
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  ping     Send echo messages
  show     Show running system information

R2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/42/52 ms

SSH

Configure static or dynamic routing so that there is full connectivity between all routers, including their loopback0 interfaces. Configure Telnet on R1 using the password r111. Configure Telnet on R2 for incoming sessions and SSH for outgoing sessions; SSH sessions may only be established to the router IDs (loopback0) of each router. Use the following policies:

- Domain name: duoc.cl
- Use SSH version 2.0 (1.9)
- Authenticate against the local database using AAA
- Authentication must be applied only on line VTY
- Show SSH events (successful and failed sessions) on R1's console

The SSH user is the following:

User     Password
jadmin   cisco123

R1 can reach R2 via Telnet, but from R2 it is only possible to reach R3 using SSH. Configure SSH on R3 for incoming sessions; SSH sessions may only be established to the router IDs (loopback0) of each router. Use the following policies:

- Domain name: duoc.cl
- Use SSH version 2.0 (1.9)
- Authenticate against the local database using AAA
- Authentication must be applied only on line VTY
- Show SSH events (successful and failed sessions) on R1's console

The SSH user is the following:

User    Password
admin   cisco

Configure the password cisco for access to privileged mode on all routers.

R1:
 router eigrp 1
  network 10.0.0.0
  no auto-summary

R2:
 router eigrp 1
  network 10.0.0.0
  no auto-summary

R3:
 router eigrp 1
  network 10.0.0.0
  no auto-summary

R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
1   10.1.23.3       Fa0/1         10 00:00:11  159   954  0  3
0   10.1.12.1       Fa0/0         13 00:00:13 1571  5000  0  4

R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D        10.1.23.0/24 [90/30720] via 10.1.12.2, 00:01:12, FastEthernet0/0
D        10.2.2.2/32 [90/156160] via 10.1.12.2, 00:01:12, FastEthernet0/0
D        10.3.3.3/32 [90/158720] via 10.1.12.2, 00:00:06, FastEthernet0/0

VTY line configuration

R1:
 line vty 0 4
  password cisco
  login
 enable secret cisco

R2:
 ip domain-name duoc.cl
 crypto key generate rsa usage-keys
 How many bits in the modulus [512]: 1024
 %SSH-5-ENABLED: SSH 1.99 has been enabled
 ip ssh logging events
 aaa new-model
 username jadmin password cisco123
 aaa authentication login VTY-LOCAL local
 line vty 0 4
  login authentication VTY-LOCAL
  transport input telnet
  transport output ssh

R3:
 ip domain-name duoc.cl
 crypto key generate rsa usage-keys
 How many bits in the modulus [512]: 1024
 %SSH-5-ENABLED: SSH 1.99 has been enabled
 ip ssh logging events
 aaa new-model
 username admin password cisco
 aaa authentication login VTY-LOCAL local
 line vty 0 4
  login authentication VTY-LOCAL
  transport input ssh

R1 reaches R2 via Telnet, but from R2 it can only reach R3 via SSH, that is, across the security perimeter.

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Username: jadmin
Password: cisco123

R2>enable
Password: cisco

R2#telnet 10.3.3.3
% telnet connections not permitted from this terminal

R2#ssh -l admin -c 3des 10.3.3.3

Password: cisco
R3>en
Password: cisco

R3#
*Aug 17 10:41:11.059: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded
R3#
*Aug 17 10:41:14.523: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded

R3#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0     admin      idle                 00:01:00 10.1.23.2

  Interface    User               Mode         Idle     Peer Address
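The messages produced by ip ssh logging events (SSH2_SESSION and SSH2_USERAUTH, as shown on R3 above) are what a console or syslog collector would use to spot failed logins and legacy ciphers such as the 3des-cbc negotiated by the -c 3des option. The following Python triage script is an added example, not part of the guide; the sample log is constructed in the same format as the R3 lines, the 10.1.23.9 source and its failed attempts are invented, and the three-failure threshold and the "3des-cbc is legacy" rule are assumptions chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample of 'ip ssh logging events' output, modelled on the R3
# messages in this section; the 10.1.23.9 source and its failed logins are invented.
SAMPLE_LOG = """\
*Aug 17 10:41:11.059: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded
*Aug 17 10:41:14.523: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded
*Aug 17 10:52:01.100: %SYS-5-CONFIG_I: Configured from console by console
*Aug 17 11:03:07.210: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 10.1.23.9 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
*Aug 17 11:03:12.480: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 10.1.23.9 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
*Aug 17 11:03:19.902: %SSH-5-SSH2_USERAUTH: User 'jadmin' authentication for SSH2 Session from 10.1.23.9 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
"""

# Matches both message types: SSH2_SESSION (no user) and SSH2_USERAUTH (with user).
SSH_RE = re.compile(
    r"%SSH-5-(?P<msg>SSH2_SESSION|SSH2_USERAUTH): "
    r"(?:User '(?P<user>[^']+)' authentication for )?SSH2 Session(?: request)? "
    r"from (?P<src>[\d.]+) \(tty = (?P<tty>\d+)\) using crypto cipher "
    r"'(?P<cipher>[^']+)', hmac '(?P<hmac>[^']+)' (?P<result>Succeeded|Failed)")

LEGACY_CIPHERS = {"3des-cbc"}   # assumption for this example: treat 3DES as legacy
FAIL_THRESHOLD = 3              # mirrors the 3-attempt policy used in this guide


def parse_ssh_event(line):
    """Return the fields of one SSH syslog line as a dict, or None for other messages."""
    m = SSH_RE.search(line)
    return m.groupdict() if m else None


def triage(lines):
    """Summarise SSH events per source address and attach alerts."""
    report = defaultdict(lambda: {"success": 0, "failed": 0, "users": set(),
                                  "legacy_ciphers": set(), "alerts": []})
    for line in lines:
        ev = parse_ssh_event(line)
        if ev is None:
            continue
        entry = report[ev["src"]]
        if ev["cipher"] in LEGACY_CIPHERS:
            entry["legacy_ciphers"].add(ev["cipher"])
        if ev["msg"] != "SSH2_USERAUTH":
            continue                # session requests carry no credential outcome
        entry["users"].add(ev["user"])
        entry["success" if ev["result"] == "Succeeded" else "failed"] += 1
    for src, entry in report.items():
        if entry["failed"] >= FAIL_THRESHOLD:
            users = ", ".join(sorted(entry["users"]))
            entry["alerts"].append(f"{entry['failed']} failed SSH logins from {src} (users: {users})")
        if entry["legacy_ciphers"]:
            entry["alerts"].append(f"legacy cipher negotiated with {src}: " + ", ".join(sorted(entry["legacy_ciphers"])))
    return dict(report)
```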

Setup AAA

Configure AAA on R1 with the following characteristics for authentication:

- Create user U4 with password cisco.
- The AAA process must prompt for user and password using "Usuario: " and "Password: ".
- The user can only access the router with case-sensitive credentials.
- Create a banner with the following message: $ Autentificación AAA $
- The maximum number of attempts is 3 before authentication is requested again; after that, the user's access is locked.
- If the user cannot authenticate, the following message must be displayed: Autentificación invalida, intentelo nuevamente
- The user must authenticate against the local database.

To be able to test what we have configured immediately, we can enable login on the console.

R1:
 username U4 password cisco
 aaa new-model
 aaa authentication password-prompt Password:
 aaa authentication username-prompt Usuario:
 aaa authentication login CONS local-case

R1
User Access Verification

Usuario: u4
Password: cisco

% Authentication failed

Usuario: U4
Password: cisco

R1:
 aaa authentication banner $ Autentificacion AAA $

R1>exit
Press RETURN to get started.

Autentificacion AAA
Usuario: U4
Password: cisco

To check whether this configuration works we must create a superuser, in case we lock out user U4. After the tests we must unlock user U4.

R1:
 username admin privilege 15 password cisco
 aaa authentication attempts login 3
 aaa local authentication attempts max-fail 3

Usuario: U4
Password: 111

Usuario: U4
Password: 222

Usuario: U4
Password: 333

%AAA-5-USER_LOCKED: User U4 locked out on authentication failure
% Authentication failed

Usuario: admin
Password:

R1#show aaa local user lockout
        Local-user                    Lock time
        U4                            15:20:39 UTC Wed Sep 14 2011

R1#clear aaa local user lockout username U4
R1#
%AAA-5-USER_UNLOCKED: User U4 unlocked by admin on console

Now we can try again as user U4. (Exercise for home.)

R1:
 aaa authentication fail-message $ AUTENTIFICACION INVALIDA, INTENTELO NUEVAMENTE $

Usuario: U4
Password: 1111
AUTENTIFICACION INVALIDA, INTENTELO NUEVAMENTE
Usuario: U4
Password: cisco
R1>

The configuration ends up as follows:

aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication banner ^C Autentificación AAA ^C
aaa authentication fail-message ^C AUTENTIFICACION INVALIDA, INTENTELO NUEVAMENTE ^C
aaa authentication password-prompt Password:
aaa authentication username-prompt Usuario:
aaa authentication login CONS local-case
username U4 password 0 cisco
username admin privilege 15 password 0 cisco
line con 0
 login authentication CONS

AAA Local Database

R1:
 interface GigabitEthernet0/0
  ip address 10.1.12.1 255.255.255.0
  no shut

R2:
 interface GigabitEthernet0/0
  ip address 10.1.12.2 255.255.255.0
  no shut

Rx:
 router eigrp 1
  network 10.0.0.0

Scenario 1. We access R2 via Telnet using the enable password (EXEC mode).

R2:
 aaa new-model
 aaa authentication login TELNET enable
 enable secret cisco
 line vty 0 4
  login authentication TELNET

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Password: cisco        (this is the same password we configured with enable secret: cisco)

R2>
R2>enable
Password: cisco

Scenario 2. We access R2 via Telnet using the local database. We must create a user and its password. Note: delete the previous configuration. If aaa new-model is configured we cannot use the local database directly on line vty.

R2:
 username admin password admin
 line vty 0 4
  login local

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Username: admin
Password: admin
R2>en
Password: cisco

Scenario 3. We access R2 via Telnet without using a password. As we will see, we do not have to authenticate at all, except to enter privileged mode.

R2:
 aaa new-model
 aaa authentication login TELNET none
 line vty 0 4
  login authentication TELNET

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
R2>

Banner Messages

Configure R1 with the message of the day (motd) shown below:

-------------------------------------------------------------------------
Te has conectado al router R1 en el puerto de consola 0.
[ASCII-art logo; not recoverable from the transcript]
Empresas Red Bull  Gerencia Informatica
Ubicacion: Av. Bernardo Prat # 1559, Piso 2
!!!! Atencion !!!!
Notificar al Area Administracion de Redes cualquier modificacion.
------------------------------------------------------------------------
Cisco Router 7200

In global configuration mode we add:

banner motd ^C
-------------------------------------------------------------------------
Te has conectado al router $(hostname) en el puerto de consola $(line).
[ASCII-art logo; not recoverable from the transcript]
Empresas Red Bull  Gerencia Informatica
Ubicacion: Av. Bernardo Prat # 1559, Piso 2
!!!! Atencion !!!!
Notificar al Area Administracion de Redes cualquier modificacion.
------------------------------------------------------------------------
Cisco Router 7200
^C

Note that the configured banner uses the $(hostname) and $(line) tokens instead of the literal "R1" and "0", so IOS fills in the router name and line at login time and the same banner can be reused on any router.

Auto Secure

R1#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: yes

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: no

Securing Management plane services..

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
k cisco k

Enter the new enable password:
Confirm the enable password:

Configuration of local user database
Enter the username: nico
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected:
Device not secured against 'login attacks'.

Configure SSH server? [yes]: no

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services..

Enabling unicast rpf on all interfaces connected
to internet
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed

Enable tcp intercept feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C cisco ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 05050F0C2E404F1A
username nico password 7 05050F0C2E404F1A
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
int FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
ip access-list extended 100
 permit udp any any eq bootpc
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end

Give a short definition of each of the services shown in the output above.


@ NMT 2013