Lab5 de ddnp
Páginas: 8 (1753 palabras)
Publicado: 15 de noviembre de 2010
Lab 5.2 Securing a Router with Cisco AutoSecure
1.- Configure AutoSecure
R1# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. Fora detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: no
SecuringManagement plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routingDisabling gratuitous arp
The following prompt appears, requesting that you create a security banner:
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicitpermission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
~CCNP Router
UNAUTHORIZED ACCESS PROHIBITED~
This lab will use “password” for the enable password and “secret” for the enable secret tomeet the minimum length practices:
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: secret
Confirm the enable secret : secret
Enter the new enable password: password
Confirm the enable password: password
Create a new user in the local user database, because AutoSecure enables AAA and uses local authentication. Use ausername and password of “ciscouser”:
Configuration of local user database
Enter the username: ciscouser
Enter the password: ciscouser
Confirm the password: ciscouser
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
The router will also enable some login enhancements, which it will needsome parameters for. Use a blocking period of 10 seconds, a maximum failure number of 5, and a maximum time period for crossing failed login attempts of 10.
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 10
Maximum Login failures with the device: 5
Maximum time period for crossing the failed login attempts: 10The router will configure a Secure Shell (SSH) server, which will require a domain name. Use “cisco.com” as the domain name.
Configure SSH server? [yes]: yes
Enter the domain-name: cisco.com
AutoSecure disables some unneeded or potentially vulnerable services on each physical interface. You are prompted to enable Context-Based Access Control and TCP intercept:
Configuringinterface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all...
1.- Configure AutoSecure
R1# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. Fora detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: no
SecuringManagement plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routingDisabling gratuitous arp
The following prompt appears, requesting that you create a security banner:
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicitpermission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
~CCNP Router
UNAUTHORIZED ACCESS PROHIBITED~
This lab will use “password” for the enable password and “secret” for the enable secret tomeet the minimum length practices:
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: secret
Confirm the enable secret : secret
Enter the new enable password: password
Confirm the enable password: password
Create a new user in the local user database, because AutoSecure enables AAA and uses local authentication. Use ausername and password of “ciscouser”:
Configuration of local user database
Enter the username: ciscouser
Enter the password: ciscouser
Confirm the password: ciscouser
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
The router will also enable some login enhancements, which it will needsome parameters for. Use a blocking period of 10 seconds, a maximum failure number of 5, and a maximum time period for crossing failed login attempts of 10.
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 10
Maximum Login failures with the device: 5
Maximum time period for crossing the failed login attempts: 10The router will configure a Secure Shell (SSH) server, which will require a domain name. Use “cisco.com” as the domain name.
Configure SSH server? [yes]: yes
Enter the domain-name: cisco.com
AutoSecure disables some unneeded or potentially vulnerable services on each physical interface. You are prompted to enable Context-Based Access Control and TCP intercept:
Configuringinterface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all...
Leer documento completo
Regístrate para leer el documento completo.