Lab 16
Cisco IOS Auto Secure
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to use the AutoSecure feature available in Cisco IOS software.
Lab Purpose:
The Cisco IOS Auto Secure feature simplifies the security configuration of a router and hardens the router configuration.
Lab Difficulty:
This lab has a difficulty rating of 5/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use any single router to complete this lab.
Lab 16 Configuration Tasks
Task 1:
Configure the hostname on R1 as illustrated in the diagram.
Task 2:
Enable the Auto Secure feature on R1 and secure the router Management plane only. Configure parameters of your choice. The objective here is to familiarize you with this feature.
Task 3:
Configure R1 so that all passwords (i.e., enable password, enable secret, VTY, etc.) entered on the router must be at least 8 characters in length. In addition, configure R1 so that only 2 unsuccessful login attempts are permitted; if this threshold is exceeded, a log message should be generated and stored in the local router buffer.
Lab 16 Configuration and Verification
Task 1:
Router(config)#hostname R1
R1(config)#exit
R1#
Task 2:
R1#auto secure management
— AutoSecure Configuration —
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for AutoSecure documentation. At any prompt you may enter '?' for help. Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: no
Securing Management plane services…
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device.
All activities performed on this device are logged.
Any violations of access policy will result in disciplinary action.

Enter the security banner {Put the banner between k and k, where k is any character}:
# This is the CCNA Security Auto Secure Lab #

Enable secret is either not configured or is the same as enable password
Enter the new enable secret: ********
Confirm the enable secret : ********
Enter the new enable password: ********
Confirm the enable password: ********

Configuring AAA local authentication
Configuring Console, Aux and VTY lines for local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 60
Maximum Login failures with the device: 2
Maximum time period for crossing the failed login attempts: 30
Configure SSH server? [yes]: no
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C This is the CCNA Security Auto Secure Lab ^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$KqCV$PKI46q2v5RLX6tj19aaxE1
enable password 7 094F471A1A0A14110209
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 60 attempts 2 within 30
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
R1#
Task 3:
R1(config)#security passwords min-length 8
R1(config)#security authentication failure rate 2 log
R1(config)#exit
R1#
Lab 16 Configurations
R1 Configuration
R1#show running-config
Building configuration…
Current configuration : 3406 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 8
logging buffered 4096
logging console critical
enable secret 5 $1$KqCV$PKI46q2v5RLX6tj19aaxE1
enable password 7 094F471A1A0A14110209
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
login block-for 60 attempts 2 within 30
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-533650306
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-533650306
 revocation-check none
 rsakeypair TP-self-signed-533650306
!
!
crypto pki certificate chain TP-self-signed-533650306
 certificate self-signed 01
  30820238 308201A1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35333336 35303330 36301E17 0D303230 33303130 31303335
  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 33363530
  33303630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  A10043E2 FB10C1D1 BA18F3AD 554F081C ACA14F4C EA48E0C1 4739653D B7759EE7
  8EB29881 7F391723 E2BB7EC6 54EB6F25 B4E94520 DF8DA15C 3B9E6F7C 3AA57549
  80AB643F A9427071 965DD56A 2D3E60CE 775F2ED5 C9014FCD F313F3EB B5189F62
  09F461BC 32E3E78F F93C8B07 0740DDA8 7B880D1B A3185787 CE621B35 3511A9D5
  02030100 01A36230 60300F06 03551D13 0101FF04 05300301 01FF300D 0603551D
  11040630 04820252 31301F06 03551D23 04183016 8014CD63 D2C471B7 ABA4ACF9
  C2B6020D 4A895471 C7F9301D 0603551D 0E041604 14CD63D2 C471B7AB A4ACF9C2
  B6020D4A 895471C7 F9300D06 092A8648 86F70D01 01040500 03818100 6BE0FD98
  BEC0DCDD AA6E3059 44434A63 DECC9224 22D81B23 35A29E70 74C17E92 14001495
  9E01FEA1 373EB386 9A046E56 14910BC5 05671798 869B8753 96E711EA E51B8908
  130D9B62 52F21D30 02B4C8AE FBB2919E 14815B80 E1C2FB39 97FEC0C2 190CAC10
  DD5CB1E3 EE8724A7 9A256D79 11855629 06428889 E237A7B9 D2808A50
  quit
!
!
archive
 log config
  logging enable
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
ip forward-protocol nd
!
!
no ip http server
ip http secure-server
!
!
logging trap debugging
logging facility local2
no cdp run
!
!
!
!
control-plane
!
!
banner motd ^C This is the CCNA Security Auto Secure Lab ^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 094F471A1A0A
 login authentication local_auth
 transport input telnet
!
!
end
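The Python script below is an added example, not part of the original lab and not a Cisco tool. It audits a running-config for the outcomes Task 2 (AutoSecure management plane) and Task 3 (minimum password length, failure-rate logging) are meant to produce, and it decodes the `password 7` strings to show why `service password-encryption` is reversible obfuscation rather than protection: the type 7 translation key is public, so anyone who can read the config can recover those passwords. It also flags that declining "Configure SSH server?" leaves the VTY lines on `transport input telnet`. The `SAMPLE_CONFIG` text inside the script is a constructed excerpt modelled on R1's running-config above; the check names and the `line_section`/`audit` helpers are this example's own.

```python
"""Audit a Cisco IOS running-config for the hardening Tasks 2 and 3 are meant
to produce. Added example, not from the lab; SAMPLE_CONFIG is a constructed
excerpt modelled on the R1 running-config shown in the lab."""
import re

# Public Cisco type-7 translation key: a 'password 7' string is the plaintext
# XORed with this rolling key, so anyone holding the config can reverse it.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed excerpt (same values as the lab's R1, trimmed to the audited lines).
SAMPLE_CONFIG = """\
service password-encryption
hostname R1
security authentication failure rate 2 log
security passwords min-length 8
enable secret 5 $1$KqCV$PKI46q2v5RLX6tj19aaxE1
enable password 7 094F471A1A0A14110209
aaa new-model
aaa authentication login local_auth local
no ip source-route
no ip bootp server
login block-for 60 attempts 2 within 30
no ip http server
ip http secure-server
no cdp run
line vty 0 4
 privilege level 15
 password 7 094F471A1A0A
 login authentication local_auth
 transport input telnet
"""

# Global (non-indented) lines AutoSecure's management-plane pass should leave behind.
MGMT_PLANE_CHECKS = {
    "password_encryption": r"^service password-encryption$",
    "aaa_new_model": r"^aaa new-model$",
    "cdp_disabled": r"^no cdp run$",
    "http_server_disabled": r"^no ip http server$",
    "bootp_disabled": r"^no ip bootp server$",
    "source_routing_disabled": r"^no ip source-route$",
    "login_block_for": r"^login block-for \d+ attempts \d+ within \d+$",
}


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7' string: the first two decimal digits are the
    offset into XLAT, the rest is hex; each byte is XORed with the next key char."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(data))


def line_section(config: str, header_prefix: str) -> list:
    """Return the indented sub-commands under the first line starting with header_prefix."""
    body, inside = [], False
    for line in config.splitlines():
        if inside:
            if line.startswith(" "):
                body.append(line.strip())
                continue
            break
        inside = line.startswith(header_prefix)
    return body


def audit(config: str) -> dict:
    """Evaluate the config against the lab's targets; returns a dict of findings."""
    f = {}
    # Task 3: passwords at least 8 characters, lockout after 2 failures with a log message.
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    f["min_length_ok"] = bool(m) and int(m.group(1)) >= 8
    m = re.search(r"^security authentication failure rate (\d+) log$", config, re.M)
    f["failure_rate_ok"] = bool(m) and int(m.group(1)) <= 2
    # Task 2: management-plane settings.
    for name, pattern in MGMT_PLANE_CHECKS.items():
        f[name] = re.search(pattern, config, re.M) is not None
    # Caveats the lab's answers leave open: SSH was declined, so only
    # 'transport input ssh' counts as hardened; every 'password 7' is recoverable.
    vty = line_section(config, "line vty")
    transport = next((l for l in vty if l.startswith("transport input")), "")
    f["vty_transport_hardened"] = transport == "transport input ssh"
    f["type7_passwords"] = {
        enc: decode_type7(enc)
        for enc in re.findall(r"password 7 ([0-9A-Fa-f]+)\s*$", config, re.M)
    }
    return f


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key:25} {value}")
```

Run against the excerpt, every Task 2 and Task 3 check passes, `vty_transport_hardened` is False because telnet was left as the VTY transport, and `type7_passwords` prints the plaintext of both `password 7` strings. Only the `enable secret` (a salted MD5 hash, type 5) survives this kind of offline recovery, which is why the lab's enable password is the weaker of the two credentials it sets.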