UW-P



Network Security

Configuring Routers

Reading:

Computer Security, Principles and Practices, W Stallings, L Brown

Chapter 9

Objectives:

The student shall be able to:

• Define and describe the advantage of ingress filtering, egress filtering, black hole filtering, direct broadcast filtering, unicast reverse path forwarding.

• Write CISCO commands to (for example):

• Prevent TCP packets with port numbers from 135 to 139 from entering the network, from or to any IP address, and log any violations.

• Write two commands to establish a state-driven evaluation that allows only outgoing tcp connections to be established (2)

• Describe the main goals of programming a router.

• Save the active configuration to non-volatile memory

• Audit a router

Class Time:

Lecture 1 hour

Example ½ hour

Exercise 1 hour

Exercise 1 hour

Total: 3.5 hours

Accessing a Router

The router we cover in class is the CISCO router, since CISCO is the most common form of router deployed today. Router commands vary little between different types of routers.

Router Modes

Router modes include:

User mode: User can view information but cannot change anything.

Router>

Privileged mode: Supports modifications to routing tables, use of test and debug commands, and access to configuration modes.

To enter and exit Privileged mode, use commands enable and disable.

Router> enable

Router# disable

Global configuration mode: Used to enter one-line configuration (or routing) commands.

To enter and exit Configuration mode, use the commands configure and exit. At the console, specify config terminal:

Router# config terminal

Router(config)#

Configuration mode has a number of submodes: interface, router, subinterface, controller, map-list, map-class, line.

Router(config)# interface ethernet 0

Router(config-if)# exit

Router(config)#

Getting Help

Tab: Complete command for me

?: Show commands, options

Example:

Router# clock ?

set Set the time and date

Router# clock set ?

Current Time (hh : mm : ss)

Configuration Files

Two configuration files exist: running-config (in RAM) and startup-config (in NVRAM).

Running-config: What the router uses.

Configuration commands change this file. Test all configurations before storing them to nonvolatile RAM (NVRAM).

Startup-config: The file the router uses after it boots.

Configuring a Router

Filtering rules are written using three ACL formats:

Standard ACL format: (Checks source IP addresses only)

access-list <number> <permit or deny> <source-ip> [wildcard]

where <number> = 1-99 or 1300-1999

Example: Checks that all outgoing packets from a subnet have valid IP source addresses:

access-list 2 permit 220.10.5.0 0.0.0.255

Example: Checks that all incoming packets from the network have a valid source IP address (do not have an address with a first byte of 10):

access-list 3 deny 10.0.0.0 0.255.255.255

Extended ACL format: (Checks source and destination IP addresses and ports)

access-list <number> <permit or deny> <protocol> <source-ip> [wildcard] [src-port] <dest-ip> [wildcard] [dest-port] [other-options]

where <number> = 100-199 or 2000-2699

Example: Do not allow any TCP packets with destination port numbers from 135 to 139 (with ‘any’ source or destination IP addresses), and log matches:

access-list 101 deny tcp any any range 135 139 log

Example: Permit UDP packets to destination host 220.10.5.33 with destination port number 600:

access-list 102 permit udp any host 220.10.5.33 eq 600

Reflexive ACL format: (Only allows sessions initiated from the inside for this service)

Uses a state table to track the state of each session, so it uses more CPU and memory than the other formats. Works only with services that use a single transport connection (e.g., not active FTP). The following rule requests that state be tracked for the matching connections:

permit tcp <source-ip> [wildcard] [port] <dest-ip> [wildcard] [port] reflect <name>

The following command, placed in the list for the opposite direction, allows only reply packets of sessions recorded under <name> (not newly initiated sessions):

evaluate <name>

Example: Only permit outgoing SSH sessions:

permit tcp any any eq 22 reflect ssh-filter

evaluate ssh-filter

Rules must be specified in a named access-list.

Named Access Lists:

An alternate way to specify rules is by grouping them into an access-list, and naming the access list:

ip access-list extended FilterOut

permit tcp any any eq 22 reflect ssh-filter

deny tcp any any range 0 1024

permit udp any any eq tftp

deny udp any any range 0 1024

!

ip access-list extended FilterIn

evaluate ssh-filter

The access-list is then associated with an interface:

interface FastEthernet 0/0

ip address 220.10.5.36 255.255.255.0

ip access-group FilterIn in

ip access-group FilterOut out

Note 1: Each interface has separate rules for its input and output directions (FastEthernet 0/0: in, out; FastEthernet 0/1: in, out).

Note 2: Rules are processed in order. Therefore, most common rules should be specified first for best performance.

Note 3: The reflexive entry tracks the TCP session only. If an ICMP error message is returned in response to the TCP SSH connect request, it does not match the reflexive entry and we won’t receive it.

Static versus Reflexive:

Use static rules for absolutes: blocking private IP addresses or specific protocols (SNMP, ping). Static rules are faster than reflexive ones.

Use reflexive rules when necessary, i.e., when only outgoing connections are to be allowed.
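The wildcard-mask matching and first-match ordering described above, as an added Python example (not IOS code and not from these notes): it parses the subset of ACL syntax used on this page, applies the wildcard rule (a 0 bit must match, a 1 bit is ignored) and shows why rule order decides. The sample list and packets are constructed from the examples above.

```python
"""Simulate standard/extended ACL matching: wildcard masks, first match, implicit deny.
Added example modelled on the ACL formats in these notes; not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base address,
    a 1 bit is 'don't care'. 'any' = 0.0.0.0 255.255.255.255, 'host X' = X 0.0.0.0."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

@dataclass
class Rule:
    action: str                    # 'permit' or 'deny'
    proto: str                     # 'ip' matches every protocol; else 'tcp', 'udp', 'icmp'
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port_lo: Optional[int] = None  # destination port range; 'eq N' becomes N..N
    port_hi: Optional[int] = None
    log: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host X' or 'X wildcard' starting at token i."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_rule(line: str) -> Rule:
    """Parse the subset used in these notes:
    {permit|deny} <proto> <src> <dst> [eq N | range A B] [log]"""
    t = line.split()
    action, proto = t[0], t[1]
    src, src_wc, i = _parse_addr(t, 2)
    dst, dst_wc, i = _parse_addr(t, i)
    lo = hi = None
    if i < len(t) and t[i] == "eq":
        lo = hi = int(t[i + 1])
        i += 2
    elif i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        i += 3
    log = i < len(t) and t[i] == "log"
    return Rule(action, proto, src, src_wc, dst, dst_wc, lo, hi, log)

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (wildcard_match(p.src, r.src, r.src_wc) and wildcard_match(p.dst, r.dst, r.dst_wc)):
        return False
    if r.port_lo is not None:      # a port clause only matches tcp/udp packets with a port
        return p.dport is not None and r.port_lo <= p.dport <= r.port_hi
    return True

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins (Note 2); no match falls to the implicit 'deny ip any any'."""
    for idx, r in enumerate(rules):
        if rule_matches(r, p):
            return r.action, idx
    return "deny", None

# Constructed list assembled from the example rules in the notes above.
SAMPLE_ACL = [parse_rule(line) for line in [
    "deny tcp any any range 135 139 log",
    "permit udp any host 220.10.5.33 eq 600",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "permit tcp 220.10.5.0 0.0.0.255 any eq 22",
]]

if __name__ == "__main__":
    # The second packet is permitted by rule 1 although its source is in 10/8:
    # the deny for 10/8 sits later in the list, so order decides.
    for p in [Packet("tcp", "220.10.5.7", "1.2.3.4", 139),
              Packet("udp", "10.3.1.5", "220.10.5.33", 600),
              Packet("tcp", "220.10.5.7", "1.2.3.4", 80)]:
        print(p, "->", evaluate(SAMPLE_ACL, p))
```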

Interfaces

Interfaces are named according to their speeds:

Ethernet = 10bT

FastEthernet = 100bT

GBICethernet or GbEthernet = 1000bT

Serial = WAN CSU/DSU (with command: clockrate 56000)

0 or 1 = on fixed-format routers this is interface 0 or 1

0/0 = on modular routers (which ours are) this is the first port on the first card of the router

0/1 = second port, first card

1/0 = second card, first port

so on some routers you can have the following interfaces:

Ethernet 0

FastEthernet 0/0

FastEthernet 0/1

FastEthernet 0/2

FastEthernet 0/3

GBICethernet 0/0

GBICEthernet 1/0

Table of CISCO Keywords in Routing Commands

|Keyword |Meaning |Special Notes / Example |
|access-list |Privileged mode: Establish a rule. Format for 1-99, 1300-1999: access-list <number> <permit or deny> <source-ip> [wildcard]. Format for 100-199, 2000-2699: see above. |access-list 3 deny any log; access-list 101 deny tcp any any range 135 139 log |
|any |Any IP address is accepted |Wildcard value = 255.255.255.255 |
|banner |Privileged mode: Sets the default banner upon login |banner # Access restricted to UWP system administrators # |
|deny |ACL command mode: Deny these packets |deny icmp any host 24.33.22.1 |
|description |Interface command mode: Assign a description to an interface |description Engineering LAN |
|eq |Equal: Match a port address |deny tcp any any eq telnet |
|established |Check to make sure the SYN bit is not on. Use reflexive rules instead. |access-list 100 permit tcp any any established |
|evaluate |ACL command mode: Check a reflexive rule. Ensure the connection is active before accepting packets. The reflexive rule is created with the ‘reflect’ keyword. |Format: evaluate <name> |
|host |Check all bits: expect an exact match for the IP address |Wildcard value = 0.0.0.0; deny icmp any host 24.33.22.1 |
|hostname |Config mode: Changes the name of the router, and the default prompt. | |
|interface |Privileged mode, sets Config mode: Define an interface. Can include a set of commands ending with a ! |interface FastEthernet 0/0; ip access-group 135 in; ! |
|ip access-list |Privileged mode: Establish a set of rules as an access-list |ip access-list extended filtrout; permit tcp any any |
|ip access-group |Privileged mode: Match a rule or access list to a router port. |interface Ethernet0; ip access-group 135 in; ! (applies rule 135 to inward-bound packets for the Ethernet0 interface) |
|ip address |Config mode: Assign an IP address to an interface. Placed within the interface ... ! block |ip address 129.33.22.44 |
|line |Privileged mode, sets Line mode: Enter permitted methods to access the router: aux, con, vty, … See more extensive documentation for details |line vty 0 4 |
|log, log-input |Log any matches to this rule; log-input also records the layer 2 address |deny tcp any any eq 1024 log |
|no ip |Privileged mode (usually): Disallow options: directed-broadcast, source-route, finger |no ip directed-broadcast; no ip source-route; no ip finger |
|permit |ACL command mode: Allow these packets |permit tcp any any eq 65 |
|range |Match a port address to a range |range 135 139 |
|reflect |ACL command mode: Specify a reflexive rule: Save the state of the session relating to this protocol, source and dest IP address. Check state when the evaluate command is specified |permit ... reflect <name> |
|remark |ACL command mode: Comment |remark This is a comment |
|show running-config |Privileged mode: Show the currently active configuration file. | |
|show startup-config |Privileged mode: Show the configuration file that will become active the next time the router reboots. | |
|shutdown, no shutdown |Interface config mode: Turns an interface off and back on. | |
|tcp, udp, icmp-echo, telnet, ftp, ftp-data |Specific protocol or service name matches |permit tcp …; permit icmp … |

Routing Safeguards

Convergence: Quick network routing convergence results in a short disruption following an attack

Ingress Filtering: Filter packets coming from Internet into the zoned network

• Protect against flooding, malicious activity from network

• Filter IP addresses: 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 224.0.0.0/4

• Further addresses listed at:

Egress Filtering: Filter packets leaving internal network or zone towards internet

• Prevents spoof or other attacks from affecting other networks

Rules:

• Default Permit: “That which is not expressly forbidden is permitted”

• Default Deny: “That which is not expressly permitted is forbidden”

Which would be used for Ingress Filtering, Egress Filtering?

Black Hole Filtering: Create routes to the null interface (null0) for specific IP addresses

• Avoid looping: we forward all 128.n.n.n to you, but you don’t have 128.37.64.25 and forward it back to us; a route to null0 drops such packets instead.

Net Police Filter: Rejects advertised routes with prefixes longer than 20 or 24 bits

• Ensures routing table does not get too big, thereby slowing routing down

Direct Broadcast Filtering

• Disable broadcast destination IP addresses

no ip directed-broadcast

• Smurf attack: Send SYN to broadcast address – all reply with SYN/ACK to origination IP address

Unicast Reverse Path Forwarding

• Prevent Forgery/Spoofing: Block packets from outside with source IP Addresses = inside

• Source addresses can be verified against the routing table: the router checks that the packet’s source address is reachable through the interface on which the packet arrived

access-list 110 deny ip any any log-input

ip cef # Enable Cisco Express Forwarding (uRPF requires CEF)

interface Ethernet 0

ip verify unicast reverse-path 110
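The source check in the two bullets above, as an added Python example (not IOS code and not from these notes). The routing table and packets are constructed to mirror the lab network with n = 2: FastEthernet0/1 faces the 10.2.1.0 subnet, FastEthernet0/0 faces the world, and the default route leaves through FastEthernet0/0.

```python
"""Strict unicast reverse path forwarding (uRPF) check. Added example; not IOS code."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (prefix, outgoing interface), as for a lab subnet router
# with n = 2. 0.0.0.0/0 is the default route "ip route 0.0.0.0 0.0.0.0 10.1.1.1".
ROUTES = [
    ("10.2.1.0/24", "FastEthernet0/1"),
    ("10.1.1.0/24", "FastEthernet0/0"),
    ("0.0.0.0/0", "FastEthernet0/0"),
]

def best_route(addr: str, routes: List[Tuple[str, str]] = ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return None if best is None else best[1]

def urpf_check(src: str, arrived_on: str, routes=ROUTES) -> Tuple[str, bool]:
    """Strict uRPF: forward only if the route back to the packet's *source* leaves
    through the interface it arrived on. A failing packet is then matched against the
    ACL named on 'ip verify unicast reverse-path <list>'; with ACL 110 above
    (deny ip any any log-input) every failure is dropped and logged, which is the
    outcome fixed here. Returns (verdict, logged)."""
    if best_route(src, routes) == arrived_on:
        return "forward", False
    return "drop", True

def spoof_report(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run the check over (source address, arrival interface) pairs, e.g. from a capture."""
    return [(src, iface, urpf_check(src, iface)[0]) for src, iface in packets]

if __name__ == "__main__":
    # Constructed packets: an inside address arriving from the world is spoofed.
    for row in spoof_report([("10.2.1.7", "FastEthernet0/0"), ("8.8.8.8", "FastEthernet0/0"),
                             ("10.2.1.7", "FastEthernet0/1"), ("192.0.2.9", "FastEthernet0/1")]):
        print(row)
```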

If routing is configured well, turn off:

• ICMP Redirects: “Don’t send to me – I’ll send it back to you anyway”

no ip redirects

• Source Routing: Source endpoint dictates packet’s route

no ip source-route

Additional security tips for routing protocols (Border Gateway Protocol (BGP), Open Shortest Path First (OSPF)) are given in Network Security Principles & Practices.

Router / Switch / Firewall Security:

• The routers’ configuration in NVRAM must be backed up

• Copy router configurations regularly or after config change

• Access to the router should be limited

• Allow only tty & SSH/IPsec (best)

• Use good authentication: the HMAC-MD5 standard instead of a cleartext password

• Disable unused services: telnet, SNMP, web, if not used

• Use Network Time Protocol (NTP) to synchronize logs across the network

• The login banner should state that unauthorized access to the system is prohibited. Check with legal counsel for best protection

• Capturing core dumps may be useful for finding crash causes

Advanced CISCO Router Features

Authentication Proxy: Users authenticate with Router or firewall before accessing inner network, using RADIUS or TACACS+. Similar service: lock-and-key ACLs.

Context-Based Access Control (CBAC): Protects the application-layer header of some applications from some attacks. Includes (among other things):

• Uses ‘ip inspect …’ command

• SMTP: Validates for a pre-defined set of email commands

• TCP: Drops packets whose sequence numbers are out of range.

• Close half-open sessions which are not completing in a timely manner (SYN or FIN)

• Close non-active sessions

• Java Applets: Filter applets from untrusted sites.

• RPC: Filter specific applications

• Fragments: Discards fragments received before the initial fragment; incomplete packets are held until a timeout

• Web: With Websense, N2H2, filters specific URLs or categories of URLs

• ICMP: Filters pre-defined ICMP messages.

Router Audit Tools

Validation: Does the router implement the established policies?

• Establish tests to determine that router does allow/deny IP addresses, port numbers, etc.

RAT: Router Audit Tool

• RAT includes a set of tools to validate the router against best-practices

• Center for Internet Security (CIS) web site:

• Includes management (router access), control (logging, NTP), and data (filtering) checks.

• Two levels:

• Level 1: Basic security applicable to all configurations

• Level 2: Specific security settings for optional features

• Steps include:

• Complete a configuration form to create a rules file, using ncat_config program

• Read the router configuration from a file or remotely, then compare to the rules file, using the ncat program, producing a CSV report

• Produce the HTML report from the CSV file using ncat_report.

• Includes useful documentation:

• Cisco-ios-router-questionnaire.pdf: Audit checklist

• Cisco-ios-router-benchmark.pdf: Describes the use of the tool

• Rscg.pdf: NSA Router Security Configuration Guide: Explanations on security configurations.

Audit Questions:

• Are filter rules unique (not redundant?)

• Do filter rules adhere to policy?

• Do filter rules adhere to best practice?

• Are filter rules optimized for throughput?

• Do filter rules work as specified in each direction?
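The RAT flow (rules file, comparison, CSV report) and the audit questions above, as an added Python example that is not RAT’s code: it parses a constructed running-config and checks it against hardening items taken from these notes (global settings, per-interface no ip settings and vty line settings). The rule names and the sample configuration are assumptions.

```python
"""Audit an IOS running-config against hardening items from these notes, in the spirit
of RAT's ncat (rules file -> comparison -> CSV report). Added example; not RAT's code."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Finding:
    check: str
    target: str   # 'global', an interface name, or a line header
    status: str   # 'pass' or 'fail'

# Assumed rules (not RAT's): each is a command prefix that must appear in that scope.
GLOBAL_CHECKS = [
    ("password-encryption", "service password-encryption"),
    ("no-source-route", "no ip source-route"),
    ("ntp-server", "ntp server "),
    ("log-timestamps", "service timestamps log"),
    ("login-banner", "banner "),
    ("syslog-trap", "logging trap"),
]
INTERFACE_CHECKS = [
    ("no-directed-broadcast", "no ip directed-broadcast"),
    ("no-proxy-arp", "no ip proxy-arp"),
    ("no-redirects", "no ip redirects"),
]

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and indented sections
    (interface ..., line ...) keyed by their header line; '!' lines are comments."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:           # indented child of the open section
                sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections

def has_prefix(cmds: List[str], prefix: str) -> bool:
    return any(c.startswith(prefix) for c in cmds)

def audit(text: str) -> List[Finding]:
    """Compare the parsed config with the rules; one Finding per check and scope."""
    global_cmds, sections = parse_config(text)
    verdict = lambda ok: "pass" if ok else "fail"
    findings = [Finding(n, "global", verdict(has_prefix(global_cmds, p))) for n, p in GLOBAL_CHECKS]
    for header, cmds in sections.items():
        if header.startswith("interface "):
            iface = header.split(" ", 1)[1]
            findings += [Finding(n, iface, verdict(has_prefix(cmds, p))) for n, p in INTERFACE_CHECKS]
        elif header.startswith("line vty"):
            # "transport input telnet ssh" still admits telnet; only "transport input ssh" passes
            findings.append(Finding("vty-ssh-only", header, verdict("transport input ssh" in cmds)))
            findings.append(Finding("vty-exec-timeout", header, verdict(has_prefix(cmds, "exec-timeout"))))
            findings.append(Finding("vty-access-class", header, verdict(has_prefix(cmds, "access-class"))))
    return findings

def to_csv(findings: List[Finding]) -> str:
    """CSV report, one row per check, like the ncat output that ncat_report turns into HTML."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["check", "target", "status"])
    for f in findings:
        writer.writerow([f.check, f.target, f.status])
    return buf.getvalue()

# Constructed running-config excerpt (not from a real router) with deliberate gaps.
SAMPLE_CONFIG = """\
service password-encryption
no ip source-route
ntp server 10.1.1.1
logging trap notifications
!
interface FastEthernet0/0
 no ip directed-broadcast
interface FastEthernet0/1
 no ip directed-broadcast
 no ip proxy-arp
line vty 0 15
 access-class 10 in
 transport input telnet ssh
 exec-timeout 10 0
"""

if __name__ == "__main__":
    print(to_csv(audit(SAMPLE_CONFIG)))
```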

Lab Exercise: Getting to Know Routers

Configuration

Each router has two ports: one to the wall (the network) and one to a mini-switch. The two computers in each row connect to the mini-switch. Each router has an IP address of 10.n.1.1.

Router RJ45 ports:

• FE 0/1: top left: red cable to mini-switch

• FE 0/0: bottom left: red cable to wall or network

• Console: top right: blue cable to the back of one computer – COM port

• Aux: not used

Look over the configuration, to see how it works.

Boot up and login to the security terminal. To connect to the Router, we will use the blue cable COM port and the PuTTY program. PuTTY should be on your desktop. If not, download it from , and save putty.exe to the desktop.

Connecting

To connect to the router, run PuTTY from the desktop. Select the serial interface, which correctly defaults to COM1 9600 bps. Select open. Press enter to initiate communication.

Connect to the router as follows. This will put you in Privileged Mode:

Username: CSpriv

Password: CSisGood

A # prompt indicates you are in Privileged Mode, while a > indicates you are in the less powerful User Mode. To exit Privileged Mode and enter User Mode, enter disable:

# disable

User Mode

User Mode is a subset of Privileged Mode. We first review User Mode capabilities. Use the ? command to ask which commands are available in the mode you are in. Try it.

> ?

The show command allows you to see a lot of information about the router. Commands include: show version, show processes, show protocols, show memory, show stacks, show buffers, show flash, show running-config.

Q. Run the following commands and describe what you have learned about the router.

> show version

> show protocol

Remember, this router has two connections: one to a host and one to the network. You will see both IP addresses for your router. The /24 shows that the router assumes a 24-bit network prefix, leaving 8 bits for hosts (for those with a data communications class).

The show interfaces command shows statistics for each interface.

> show interfaces

Q. What types of (non-error) statistics are shown for each interface?

Q. What types of errors are reported for each interface?

Q. Fill in the following information for your router from what you have learned:

Router Hardware Platform:

Router Software Version:

Router Capabilities:

CDP

The CISCO Discovery Protocol (CDP) is a protocol used between routers to help system administrators track the status of their routers.

The show cdp commands show the status of each line and statistics on the CDP protocol. CDP is enabled or disabled using the following commands (but leave it enabled):

Router(config)# cdp run

Router(config)# no cdp run

The sending time is used as a heartbeat: CDP packets are sent to notify others that this router is up and alive. Each neighbor keeps the entry for the duration of the hold (wait) time. In the commands below, watch the hold time decrement until the next CDP packet is received.

Q. For each command below, discuss the output that you see.

> show cdp interface

> show cdp neighbors

> show cdp entry *

Q. What other nodes does the router interface with?

|Node |IP address |Type |Router Interface |

Q. Fill in the following information for your router from what you have learned:

Frequency of CDP updates:

Duration of aging CDP entries:

Privileged Mode

To perform commands, we must first enter Privileged Mode (showing prompts):

Router> enable

Password: (as before)

Router#

We can also go back down to User Mode, via a disable:

Router# disable

Router >

To do the commands below you must be in Privileged Mode.

To see the available commands in Privileged Mode, enter a ?

# ?

To view the entire configuration, do:

# show running-config

Then answer the following questions:

Q. From which specific IP addresses are packets denied access?

Q. From which TCP port addresses are packets specifically denied?

Using Test Commands

The ping command determines connectivity to other nodes:

# ping ip-address

# ping ip-address

Here you are pinging from the router to other nodes (such as your computer or 10.1.1.1).

Q. Were you able to receive responses from both? What happened?

The trace command shows the set of routers that are traversed in sending packets to a specified destination (e.g., 131.210.201.23)

# trace ip-address

Q. What results did you see?

Q. Can you telnet into another router? Ask your neighbor for their IP address. To disconnect type ‘quit’

# telnet ip-address

Analysis:

Q. What information can a hacker take advantage of from the commands that you have executed?

Q. From privileged mode, use the ‘disable’ command to enter User Mode. What can a hacker learn in User Mode? How can they use this information? (Hint: Perform a ? in User Mode to learn the commonly used commands available in this mode.) How can you prevent a hacker from accessing a router?

Q. What damage can a hacker do if they enter Privileged Mode? (Hint: A ? command works here too.)

Q. Look at the routing configuration. Assuming web page accesses are the most common packet type, is the filter minimal, efficient, and secure? Why or why not?

Router Lab Exercise: Auditing Routers

Configure one of your PCs within the subnet and one PC directly connected to the main router. Start (or restart) VMware after the physical connections are established. On both PCs:

Turn off the firewall

Start up Ethereal

Capture-> Interfaces

Clear all Name Resolution boxes

Capture Filter: ip.src==10.n.1.128 || ip.dst==10.n.1.128

If you capture to a buffer you can save more data; if you display packets as they arrive, you can see that nmap is working correctly. So perhaps capture to the buffer on the receiving end and display the packets on the sending end.

Next try each of the following tests on both PCs, to see what the router does and does not permit. Find the appropriate ACL in the router table that permits or denies this operation.

1) Ping from both sides to each other.

2) From each direction, use nmap to scan one IP address. Test packets which are allowed to enter and leave the subnet. Start nmap specifying the specific set of ports (-p), requesting the SYN exchange (-sS), to not stop if ping doesn’t work (-P0), in verbose mode (-v), with packets every .4 seconds (-T polite). Scan 1024 ports (but in a real audit you would want to scan for 65535):

> nmap -v -sS -P0 -p 0-1024 -T polite ip-address

3) Telnet into router 10.n.1.1 from inside; telnet into router 10.1.1.2n from outside.

6) Run the SSH Secure Shell Client icon from a PC in the router subnet

Quick Connect

Host Name:

User Name: Student

Password: badpass

7) Use the ‘show logging’ command to see any packets that were logged.

Router Lab Exercise: Reading a Router Configuration

To perform commands, we must first enter Privileged Mode (showing prompts):

Router> enable

Password:

Router#

To view the entire configuration, do:

# show running-config

Analyze the configuration and answer the questions below.

1) What applications are allowed to enter into the subnet? Hint: If you see port number(s) you can’t translate, search on-line to determine what application it/they are.

2) What applications are allowed to leave the subnet?

3) How can the current configuration be made more secure and/or more efficient? Hint: Look through notes to see which IP addresses should be further disallowed. Which ports remain open that shouldn’t?

Lab Exercise: Configuring Routers

The startup config is the permanent configuration file that will become active if the router reboots. The active config is the currently running configuration file. Execute both.

# show startup-config

# show running-config

Policy: Incoming tcp/udp connections are allowed for the following applications: web (port 80), SSL secure web (port 443), and email (port 25). Outgoing tcp/udp connections are allowed for the same services, but in addition, DNS (port 53) and ssh (port 22). ICMP error messages (such as IP address not available) are allowed in both directions (not including redirects, pings, or Time-To-Live expired).

Configure a router to:

Restrict incoming TCP applications using reflexive access lists where possible. First look at each application to see what port numbers are required. Then determine the rules that best implement the proposed policy. After updating RAM (the active configuration file), test the outgoing sessions to make sure that these applications work and others (such as telnet) do not. Test the incoming sessions to make sure each is rejected. Use nmap and actual applications (when possible) to verify that the ports are open or closed.

Additional incoming IP addresses to be restricted include the addresses listed at: . /Documents/bogon-dd.html.

Configure one of your PCs within the subnet and one PC as directly connected to the main router. Then test connections into and out of the router.

Lab 1: Initializing a Router


The configuration we will set up is as follows:

Your Router IP Address (Ethernet 0/0):

Your Subnet Address (Ethernet 0/1):

Your Router Location Name:

At Linux, to talk to the router enter the following command:

$ screen /dev/ttyS0

Power up the router. (If restart required, do unix command: ‘killall -9 screen’.)

Setup Instructions

Running Setup

Router> enable

Password: cisco

Router# show startup-config

Router# erase startup-config

Router# reload

Router> enable

Assign IP Addresses

Router# config terminal

Router(config)# interface FastEthernet 0/0

Router(config-if)# ip address 10.1.1.2n 255.255.255.0

Router(config-if)# description Security Lab Router # //2

Router(config-if)# no ip directed-broadcast

Router(config-if)# no ip proxy-arp

Router(config-if)# no ip redirects

Router(config-if)# no shutdown

Router(config-if)# exit

Router(config)# interface FastEthernet 0/1

Router(config-if)# ip address 10.n.1.1 255.255.255.0

Router(config-if)# no ip directed-broadcast

Router(config-if)# no ip proxy-arp

Router(config-if)# no ip redirects

Router(config-if)# no shutdown

Router(config-if)# exit

Naming Systems

In config mode:

Router(config)# hostname Hawaii # Pick your favorite vacation destination

Hawaii(config)# banner #

Use of this router is restricted to coursework within the University

Wisconsin Parkside Computer Science Department.

Authorized personnel only.

#

Define the routing protocol.

Hawaii(config)# router rip

Hawaii(config-router)# version 2

Identify the two networks we want to distribute on

Hawaii(config-router)# network 10.n.1.0

Hawaii(config-router)# network 10.1.1.0

Hawaii(config-router)# exit

Hawaii(config)# exit

Test that the basic interfaces work now:

Hawaii# ping 10.1.1.1

Hawaii# ping 131.210.1.15

Removing access to various applications: finger, snmp, outdated applications, etc.

Hawaii# config term

Hawaii(config)# no ip finger # or no service finger

Hawaii(config)# no service tcp-small-servers # outdated tcp/udp services

Hawaii(config)# no service udp-small-servers

Hawaii(config)# service tcp-keepalives-in # discard timed-out TCP sessions

Hawaii(config)# no service config # does not request config file via TFTP

Hawaii(config)# no ip source-route

Hawaii(config)# no ip identd # similar function to finger

Establishing Routing Table

The first line defines a static and default entry.

Hawaii(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1

For authentication, use type 5 passwords (which are stronger than type 7) and ensure that passwords are not displayed in cleartext:

Hawaii(config)# service password-encryption

Hawaii(config)# security passwords min-length 6

Hawaii(config)# security authentication failure rate 5 log

Hawaii(config)# username CSpriv privilege 15 secret CSisGood

Hawaii(config)# enable secret CSisGood # Set password for privilege mode

Establish that login/ password is required for the console terminal

Hawaii(config)# line console 0

Hawaii(config-line)# login local

Hawaii(config-line)# exec-timeout 0 0

Hawaii(config-line)# exit

Virtual terminals: telnet and SSH may log in from the local subnet only, with a 10-minute timeout

Hawaii(config)# access-list 10 permit 10.n.1.0 0.0.0.255 # local terminal

Hawaii(config)# line vty 0 15

Hawaii(config-line)# access-class 10 in

Hawaii(config-line)# privilege level 15

Hawaii(config-line)# login local

Hawaii(config-line)# transport input telnet ssh # Telnet not recommended

Hawaii(config-line)# exec-timeout 10 0

Hawaii(config-line)# exit

Establish Network Time Protocol (NTP)

Hawaii(config)# ntp server 10.1.1.1

Hawaii(config)# clock timezone Chicago -6

Hawaii(config)# clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00

Establish logging

Hawaii(config)# logging on

Hawaii(config)# service timestamps debug datetime msec localtime show-timezone

Hawaii(config)# service timestamps log datetime msec localtime show-timezone

Hawaii(config)# logging console critical

Hawaii(config)# logging trap notifications

Establish ACLs: Permit sessions initiated from the inside

Hawaii(config)# ip access-list extended FilterIn

Hawaii(config-ext-nacl)# evaluate tcp-filter

Hawaii(config-ext-nacl)# evaluate udp-filter

Hawaii(config-ext-nacl)# evaluate icmp-filter

Hawaii(config-ext-nacl)# remark Create ACLs for remote world into router: limit source IP addresses

Hawaii(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any

Hawaii(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any

Hawaii(config-ext-nacl)# deny ip 0.0.0.0 0.255.255.255 any log

Hawaii(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any log

Hawaii(config-ext-nacl)# deny ip 192.0.2.0 0.0.0.255 any log

Hawaii(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any log

Hawaii(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any log

Hawaii(config-ext-nacl)# deny ip 1.0.0.0 0.255.255.255 any log

Hawaii(config-ext-nacl)# deny ip 2.0.0.0 0.255.255.255 any log

Hawaii(config-ext-nacl)# remark Deny the following applications: MS-NetBIOS, Xwindows, SYSLOG, SNMP, Host-redirect

Hawaii(config-ext-nacl)# deny tcp any any range 135 139

Hawaii(config-ext-nacl)# deny udp any any range 135 139

Hawaii(config-ext-nacl)# deny tcp any any eq 445

Hawaii(config-ext-nacl)# deny tcp any any range 6000 6255 log

Hawaii(config-ext-nacl)# deny udp any any eq 514 log

Hawaii(config-ext-nacl)# deny udp any any range 161 162 log

Hawaii(config-ext-nacl)# deny icmp any any host-redirect

Hawaii(config-ext-nacl)# deny icmp any any echo

Hawaii(config-ext-nacl)# remark Permit Mail and retain state

Hawaii(config-ext-nacl)# permit tcp 10.1.1.3 0.0.0.255 any eq 25 reflect smtp-filter

Hawaii(config-ext-nacl)# deny ip any any # permit ip any any

Hawaii(config-ext-nacl)# exit

Hawaii(config)# ip access-list extended FilterOut

Hawaii(config-ext-nacl)# permit tcp 10.n.1.0 0.0.0.255 any reflect tcp-filter

Hawaii(config-ext-nacl)# permit udp 10.n.1.0 0.0.0.255 any reflect udp-filter

Hawaii(config-ext-nacl)# permit icmp 10.n.1.0 0.0.0.255 any reflect icmp-filter

Hawaii(config-ext-nacl)# evaluate smtp-filter

Hawaii(config-ext-nacl)# permit ip 10.n.1.0 0.0.0.255 any

Hawaii(config-ext-nacl)# deny ip any any log

Hawaii(config-ext-nacl)# exit

Apply the filters as input to router/subnet

Hawaii(config)# interface FastEthernet 0/0

Hawaii(config-if)# ip access-group FilterIn in

Hawaii(config-if)# ip access-group FilterOut out

Hawaii(config-if)# exit

Create an input filter from local subnet to accept only local source IP addresses

Hawaii(config)# interface FastEthernet 0/1

Hawaii(config-if)# exit

Configure DHCP for sessions for the local subnet. Start DHCP addresses with 10.2.1.128 and increment addresses to consume the lowest 8 bits. Provide the following information for each DHCP terminal: Domain name, DNS server, default router = me.

Hawaii(config)# ip dhcp excluded-address 10.n.1.1 10.n.1.127

Hawaii(config)# ip dhcp pool dhcp-ips

Hawaii(dhcp-config)# import all

Hawaii(dhcp-config)# network 10.n.1.0 255.255.255.0

Hawaii(dhcp-config)# domain-name cybersec.cs.uwp.edu

Hawaii(dhcp-config)# dns-server 10.1.1.3 131.210.1.15

Hawaii(dhcp-config)# default-router 10.n.1.1

Hawaii(dhcp-config)# exit

Copy Configuration File to remote host and to startup-config

Hawaii# copy running-config startup-config

Hawaii# copy running-config tftp

Remote host? 10.1.1.3

Name of config file? .conf

Write file? Y

Writing file !!!!! [ok]

Display results

All commands below work in Privileged Mode (#). Some also work in User Mode (>).

Hawaii> show ip interface # shows configuration

Hawaii> show interfaces # if all ip same as above

Hawaii> show ip route # shows up lines

Hawaii> show clock detail

Hawaii> show access-lists

Hawaii# show configuration # show all

Hawaii> show hosts

Hawaii# show startup-config

Optional commands: do not implement:

Hawaii(config)# no ip http server # no access via http

Hawaii(config)# no ip bootp server # disable bootp and dhcp

Hawaii(config)# no cdp run # Cisco Discovery Protocol: maintenance

These default to off and should remain off particularly if not used

Hawaii(config)# no tftp-server # does not supply config-file remotely

Hawaii(config)# no snmp server … # format: no snmp

Creates a static route:

Hawaii(config)# ip route 10.n.1.0 255.255.255.0 FastEthernet 0/1

Deletes a specific access list (for reference, don’t do)

Hawaii(config)# no access-list <number>

Naming Systems

Hawaii(config)# ip host host-name ip-address

Hawaii# show hosts

Direct logging somewhere else (won’t log locally)

Hawaii(config)# logging 10.n.1.2

It is possible to access the router via or use the terminal interface

[Figure: router modes and configuration files. User Mode (>) goes to Privileged Mode (#) with enable, and on to Configuration Mode with configure terminal (submodes: interface, router); (config) exit returns to Privileged Mode and disable returns to User Mode. RAM holds the running-config, reached from the console or a VTerm (show running-config, configure terminal); NVRAM holds the startup-config (erase startup-config, configure memory, copy running-config startup-config); a tftp server is a source or target (copy tftp running-config, copy tftp startup-config, copy running-config tftp); a bit bucket is also shown.]

[Figure: lab network. Main Router 10.1.1.1 connects to the Internet (rest of world) and, through a switch, to subnet routers 10.1.1.22 (Ethernet 0/0; 10.2.1.1 on Ethernet 0/1, serving subnet 10.2.1.n with hosts 10.2.1.2 and 10.2.1.3) and 10.1.1.23 (Ethernet 0/0; 10.3.1.1 on Ethernet 0/1, serving subnet 10.3.1.n with hosts 10.3.1.2 and 10.3.1.3).]
