© 2006 Cisco Systems, Inc. All rights reserved. SND v2.0: Securing Cisco Network Devices (SND)

Transcript:

Slide 1: Securing Cisco Network Devices (SND) v2.0

Slide 2 (LG-2): Lab Guide

Slide 3: Activity 1-1: Nmap Scan Results (terminal output as captured on the slide; the target addresses, the port range and the date were lost in extraction)

C:\>nmap -v -sS -O -p
Starting Nmap 4.01 ( ) at :57 Pacific Standard Time
DNS resolution of 1 IPs took 0.45s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan against ns1.cisco.com ( ) [1023 ports] at 15:57
Discovered open port 53/tcp on
The SYN Stealth Scan took 24.30s to scan 1023 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming port 53 is open, is closed, and neither are firewalled
For OSScan assuming port 53 is open, is closed, and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
For OSScan assuming port 53 is open, is closed, and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Host ns1.cisco.com ( ) appears to be up... good.
Interesting ports on ns1.cisco.com ( ):
(The 1022 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
53/tcp open  domain
No OS matches for host (test conditions non-ideal).

Continued in next figure

Slide 4: Activity 1-1: Nmap Scan Results (Cont.)

TCP/IP fingerprint:
SInfo(V=4.01%P=i686-pc-windows-windows%D=3/8%Tm=440F6F8C%O=53%C=-1)
TSeq(Class=TR%IPID=Z)
T1(Resp=Y%DF=Y%W=16A0%ACK=O%Flags=A%Ops=NNT)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=Y%DF=N%W=400%ACK=S%Flags=AR%Ops=WNMETL)
T2(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
T2(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
:
T7(Resp=N)
T7(Resp=Y%DF=Y%W=16D0%ACK=O%Flags=AS%Ops=M)
PU(Resp=N)

Nmap finished: 1 IP address (1 host up) scanned in seconds
Raw packets sent: 2103 (95.2KB) | Rcvd: 62 (3342B)

C:\>

Slide 5: Visual Objective for Lab Activity 1-4: Developing a Comprehensive Network Security Policy. Diagram: the Internet, the PSTN, and telecommuters and mobile workers connect to the SPAN Engineering network; callouts for the SPAN Engineering Network Security Policies and the Span Engineering Acceptable Use Policy.

Slide 6: Visual Objective for Lab 2-1: Securing Administrative Access to Cisco Routers. Topology diagram (address prefixes partly lost in extraction): Pod x router Px-PR with Fa0/0 to the DMZ (10.x.x.1/..., host x.2/24), S0/0/0 to the backbone BB (10.x.x.2/30), and Fa0/1 to Px-Private (x.1/24); Outside (Untrusted) on the S0/0/0 side, Inside (Trusted) on the Fa0/1 side; Terminal Server (x.x.x.x**) and Remote Connection. Task: Configure Passwords, Role-Based CLI, and Banner Messages on Px-PR. **Ask your instructor for these IP addresses.

Slide 7: Visual Objective for Lab 2-2: Configuring AAA for Cisco Routers. Same Pod x topology diagram as Lab 2-1 (Px-PR: Fa0/0 to the DMZ, 10.x.x.1/..., host x.2/24; S0/0/0 to BB, 10.x.x.2/30; Fa0/1 to Px-Private, x.1/24; Outside (Untrusted) and Inside (Trusted) sides; Terminal Server x.x.x.x**; Remote Connection). Task: Configure AAA Using Local Database. **Ask your instructor for these IP addresses.

Slide 8: Visual Objective for Lab 2-3: Using Cisco SDM Security Audit. Same Pod x topology diagram (Px-PR: Fa0/0 to the DMZ, 10.x.x.1/..., host x.2/24; S0/0/0 to BB, 10.x.x.2/30; Fa0/1 to Px-Private, x.1/24; Untrusted and Trusted sides; x.x.x.x**; Remote Connection). Task: Use Cisco SDM Security Audit and One-Step Lockdown. **Ask your instructor for these IP addresses.

Slide 9: Case Study 3-1: Using Layer 2 Security Features. Preventing Unwanted Access. Problem: Unauthorized users can connect to the network and download confidential documents. Diagram: an unauthorized user reaches a confidential plan.

Slide 10: Case Study 3-1: Using Layer 2 Security Features (Cont.). Preventing Unwanted Access. Problem: Unauthorized users can connect to the network and download confidential documents. Solution: Authentication using 802.1x with Cisco ACS to provide user authentication. Diagram: 802.1x security backed by a Cisco ACS server sits between the unauthorized user and the confidential plan.

Slide 11: Case Study 3-1: Using Layer 2 Security Features (Cont.). Preventing Unwanted Wireless Access. Problem: A company has installed wireless access points and uses WEP to secure them. Unauthorized users can connect to the WLAN and download confidential documents. Diagram caption: "I am in."

Slide 12: Case Study 3-1: Using Layer 2 Security Features (Cont.). Preventing Unwanted Wireless Access. Problem: A company has installed wireless access points and uses WEP to secure them. Unauthorized users can connect to the WLAN and download confidential documents. Solution: 802.11i (WPA2) specifies the use of 802.1x authentication for WLANs. It is based on EAP and is superior to device-based (for example, MAC address) authentication.

Slide 13: Case Study 3-1: Using Layer 2 Security Features (Cont.). Tracking Down Stolen Laptops. Problem: Laptops are frequently stolen because of their portable nature. Diagram caption: "This PC is stolen."

Slide 14: Case Study 3-1: Using Layer 2 Security Features (Cont.). Tracking Down Stolen Laptops. Problem: Laptops are frequently stolen because of their portable nature. Solution: MAC address notification informs network administrators when users are using the network and where they are; this information can be used to find the laptop. Diagram: an alert is raised when the stolen laptop's MAC address appears on a switch port.

Slide 15: Case Study 3-1: Using Layer 2 Security Features (Cont.). Limiting Access to Networked Resources. Problem: Access to the finance server should be limited to executives. Diagram: an executive on the Blue VLAN has access to finance server 1; finance server 1 has confidential finance information.

Slide 16: Case Study 3-1: Using Layer 2 Security Features (Cont.). Limiting Access to Networked Resources. Problem: Access to the finance server should be limited to executives. Solution: Use IBNS (Identity-Based Networking Services) to place the executive in the executive VLAN. Diagram: the executive is on the Blue VLAN, which is the executive VLAN, and is granted access to HR server 1; an employee on the Red VLAN has no access to HR server 1; finance server 1 has confidential finance information.

Slide 17: Case Study 3-1: Using Layer 2 Security Features (Cont.). Preventing Network Floods. Problem: Users may try to bring down a network by overloading it with requests and traffic.

Slide 18: Case Study 3-1: Using Layer 2 Security Features (Cont.). Preventing Network Floods. Problem: Users may try to bring down a network by overloading it with requests and traffic. Solution: Implement traffic policing to rate-limit the incoming traffic on the switch port, and use port security to limit the devices that can connect to the switch port.

Slide 19: Case Study 3-1: Using Layer 2 Security Features (Cont.). Controlling Unauthorized Network Expansion. Problem: Individuals can add rogue or unauthorized access hubs and wireless access points. Diagram: a wireless access point connects to the switch.

Slide 20: Case Study 3-1: Using Layer 2 Security Features (Cont.). Controlling Unauthorized Network Expansion. Problem: Individuals can add rogue or unauthorized access hubs and wireless access points. Solution: Port security limits the number of MAC addresses allowed on a single port and allows only one device to be connected at a time. Diagram: the wireless access point connects to the switch, but user traffic cannot pass.

Slide 21: Case Study 3-1: Using Layer 2 Security Features (Cont.). Protecting Management Traffic: Loss of Privacy (Packet Sniffing). Problem: Users can intercept administrative information and use it to disrupt the network. Diagram: the network administrator's login (Username: dan, Password: grades) crosses the network in clear text and is read unchanged by an unauthorized user.

Slide 22: Case Study 3-1: Using Layer 2 Security Features (Cont.). Protecting Management Traffic: Privacy (Using Encryption). Problem: Users can intercept administrative information and use it to disrupt the network. Solution: Encrypt all management traffic. For example, use SSH instead of Telnet. Diagram: the same login (Username: dan, Password: grades) now reaches the unauthorized user only as ciphertext, $)(%&^$(*&a)t#>.
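Added example, not part of the course lab guide or of Cisco's own material: a Catalyst access-switch configuration that applies the Case Study 3-1 solutions from slides 10 through 22 together, namely 802.1x with a RADIUS server such as Cisco ACS, MAC address notification, traffic policing and port security on a user port, and SSH-only management access in place of Telnet. The hostname, domain name, VLAN number, interface, RADIUS and SNMP server addresses, and all secrets are assumed placeholders, and exact command syntax varies by IOS release and platform (the interface-level dot1x and policing commands in particular).

```cisco
! Added example (not from the SND course): access-switch controls for Case Study 3-1.
! Hostname, domain, VLAN, interface, server addresses and secrets are placeholders.
!
! --- Slide 10: 802.1x port-based authentication against a RADIUS server (Cisco ACS) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.10 key RADIUS-SHARED-SECRET-PLACEHOLDER
dot1x system-auth-control
!
! --- Slide 14: MAC address notification, so administrators learn which MAC
!     appeared on which port (sent as SNMP traps to the management station) ---
mac address-table notification change
snmp-server host 10.0.0.20 version 2c SNMP-COMMUNITY-PLACEHOLDER
snmp-server enable traps mac-notification change
!
! --- Slide 18: traffic policing to rate-limit ingress on a user port ---
!     (on Catalyst 3560/3750 the policy takes effect only after "mls qos")
policy-map POLICE-USER-PORT
 class class-default
  police 10000000 8000 exceed-action drop
!
! --- Slides 18 and 20: user-facing access port with 802.1x, port security
!     (one MAC, shut the port on violation), MAC-change traps and policing ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 service-policy input POLICE-USER-PORT
 spanning-tree portfast
!
! --- Slide 22: management plane accepts SSH only; Telnet is not permitted ---
hostname SW1
ip domain-name example.com
! "crypto key generate rsa" is entered interactively once; it is not stored in the config
crypto key generate rsa modulus 2048
ip ssh version 2
username admin secret ADMIN-SECRET-PLACEHOLDER
line vty 0 4
 login local
 transport input ssh
!
! Checks to run after applying:
!   show port-security interface FastEthernet0/1
!   show dot1x interface FastEthernet0/1 details
!   show mac address-table notification change
!   show ip ssh
!   show running-config | include transport input
```

The policing rate (10 Mb/s with an 8 KB burst) is an illustrative value; size it to what the port's legitimate users need. With "violation shutdown", a second MAC address on the port err-disables it, which is the intended effect against a hub or rogue access point (slide 20) but means an errdisable recovery policy, or manual recovery, has to be part of operations.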

Slide 23: Visual Objective for Lab 4-1: Configuring a Cisco IOS Firewall. Pod x topology diagram (address prefixes partly lost in extraction): Px-PR with Fa0/0 to the DMZ (10.x.x.1/..., host x.2/24), S0/0/0 to BB (10.x.x.2/30), and Fa0/1 to Px-Private (x.1/24); S0/0/0 is NAT Outside and Outside (Untrusted), Fa0/1 is NAT Inside and Inside (Trusted); x.x.x.x**; Remote Connection. Task: Firewall and PAT. **Ask your instructor for these IP addresses.

Slide 24: Visual Objective for Lab 5-1: Configuring Cisco IOS IPS. Same Pod x topology diagram as Lab 4-1 (Px-PR: Fa0/0 to the DMZ, 10.x.x.1/..., host x.2/24; S0/0/0 to BB, 10.x.x.2/30, NAT Outside, Outside (Untrusted); Fa0/1 to Px-Private, x.1/24, NAT Inside, Inside (Trusted); x.x.x.x**; Remote Connection). Task: Cisco IOS IPS. **Ask your instructor for these IP addresses.

Slide 25: Visual Objective for Lab 6-1: Configuring Site-to-Site IPsec VPNs. Topology diagram (address prefixes partly lost in extraction): Pod x (Px-PR: Fa0/0 to the DMZ, 10.x.x.1/..., host x.2/24; S0/0/0 to BB, 10.x.x.2/30; Fa0/1 to Px-Private, x.1/24; NAT Outside / NAT Inside; x.x.x.x**) and Pod y (Py-PR: Fa0/0 to the DMZ, 10.y.y.1/..., host y.2/24; S0/0/0 to BB, 10.y.y.2/30; Fa0/1 to Py-Private, y.1/24; y.y.y.y**), joined by a Site-to-Site IPsec VPN Tunnel across the backbone; Remote Connection. **Ask your instructor for these IP addresses.

Slide 26: Visual Objective for Lab 6-2: Configuring a Remote-Access VPN Client. Topology diagram (address prefixes partly lost in extraction): Px-PR acts as the VPN Server (Fa0/0 to the DMZ, 10.x.x.1/..., host x.2/24; S0/0/0 to BB, 10.x.x.2/30; Fa0/1 to Px-Private, x.1/24; x.x.x.x**); the VPN Client connects from the far side of the backbone (10.y.y.2/30, S0/0/0) over the Remote Connection.
