
CCNA Security Lab Manual
Cisco Networking Academy

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

CCNA Security Lab Manual
Cisco Networking Academy
Copyright © 2010 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing August 2009

Library of Congress Cataloging-in-Publication Data available upon request.

ISBN-13: 978-1-58713-249-0
ISBN-10: 1-58713-249-4

Warning and Disclaimer

This book is designed to provide information about networking. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Representative: Erik Ullanderson
Cisco Press Program Manager: Anand Sundaram
Executive Editor: Mary Beth Ray
Managing Editor: Patrick Kanouse
Editorial Assistant: Vanessa Evans
Cover Designer: Louisa Adair
Proofreader: Apostrophe Editing Services

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0805R)

Contents

Chapter 1: Lab A: Researching Network Attacks and Security Audit Tools (p. 1)
  Part 1. Researching Network Attacks (p. 2)
  Part 2. Researching Security Audit Tools (p. 3)

Chapter 2: Lab A: Securing the Router for Administrative Access (p. 5)
  Part 1. Basic Router Configuration (p. 7)
  Part 2. Control Administrative Access for Routers (p. 8)
  Part 3. Configure Administrative Roles (p. 17)
  Part 4. Configure IOS Resilience and Management Reporting (p. 21)
  Part 5. Configure Automated Security Features (p. 32)

Chapter 3: Lab A: Securing Administrative Access Using AAA and RADIUS (p. 46)
  Part 1. Basic Network Device Configuration (p. 48)
  Part 2. Configure Local Authentication (p. 50)
  Part 3. Configure Local Authentication Using AAA on R3 (p. 52)
  Part 4. Configure Centralized Authentication Using AAA and RADIUS (p. 59)

Chapter 4: Lab A: Configuring CBAC and Zone-Based Firewalls (p. 72)
  Part 1. Basic Router Configuration (p. 74)
  Part 2. Configuring a Context-Based Access Control (CBAC) Firewall (p. 82)
  Part 3. Configuring a Zone-Based Firewall (ZBF) Using SDM (p. 92)

Chapter 5: Lab A: Configuring an Intrusion Prevention System (IPS) Using the CLI and SDM (p. 105)
  Part 1. Basic Router Configuration (p. 107)
  Part 2. Configuring IPS Using the Cisco IOS CLI (p. 109)
  Part 3. Configuring IPS Using SDM (p. 123)

Chapter 6: Lab A: Securing Layer 2 Switches (p. 140)
  Part 1. Basic Device Configuration (p. 142)
  Part 2. SSH Configuration (p. 143)
  Part 3. Secure Trunks and Access Ports (p. 147)
  Part 4. Configure SPAN and Monitor Traffic (p. 157)

Chapter 7: Lab A: Exploring Encryption Methods (p. 169)
  Part 1. (Optional) Build the Network and Configure the PCs (p. 170)
  Part 2. Decipher a Pre-encrypted Message Using the Vigenere Cipher (p. 170)
  Part 3. Create a Vigenere Cipher Encrypted Message and Decrypt It (p. 172)
  Part 4. Use Steganography to Embed a Secret Message in a Graphic (p. 174)

Chapter 8: Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and SDM (p. 177)
  Part 1. Basic Router Configuration (p. 179)
  Part 2. Configure a Site-to-Site VPN with Cisco IOS (p. 181)
  Part 3. Configure a Site-to-Site IPsec VPN with SDM (p. 191)

Chapter 8: Lab B: Configuring a Remote Access VPN Server and Client (p. 206)
  Part 1. Basic Router Configuration (p. 208)
  Part 2. Configuring a Remote Access VPN (p. 210)

Chapter 8: Lab C (Optional): Configuring a Remote Access VPN Server and Client (p. 232)
  Part 1. Basic Router Configuration (p. 234)
  Part 2. Configuring a Remote Access VPN (p. 236)

Chapter 9: Lab A: Security Policy Development and Implementation (p. 255)
  Part 1. Create a Security Policy (p. 258)
  Part 2. Basic Network Device Configuration (Chapters 2 and 6) (p. 263)
  Part 3. Secure Network Routers (p. 264)
  Part 4. Secure Network Switches (Chapter 6) (p. 279)
  Part 5. Configuring VPN Remote Access (p. 284)

About This Lab Manual

The only authorized Lab Manual for the Cisco Networking Academy CCNA Security course

The Cisco® Networking Academy® course on CCNA® Security provides a next step for students who want to expand their CCNA-level skill set to prepare for a career in network security. The CCNA Security course also prepares students for the Implementing Cisco IOS® Network Security (IINS) certification exam (640-553), which leads to the CCNA Security certification.

The CCNA Security Lab Manual provides you with all 11 labs from the course, designed as hands-on practice to master the knowledge and skills needed to prepare for entry-level security specialist careers. All the hands-on labs in the course can be completed on actual physical equipment or in conjunction with the NDG NETLAB+® solution. For current information on labs compatible with NETLAB+® go to http://www.netdevgroup.com/ae/labs.htm.

Through procedural, skills integration challenge, troubleshooting, and model building labs, this CCNA Security course aims to develop your in-depth understanding of network security principles as well as the tools and configurations used.

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

• Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
• Italic indicates arguments for which you supply actual values.
• Vertical bars (|) separate alternative, mutually exclusive elements.
• Square brackets ([ ]) indicate an optional element.
• Braces ({ }) indicate a required choice.
• Braces within brackets ([{ }]) indicate a required choice within an optional element.