In this course, you'll focus on the necessity of a comprehensive security policy and how it affects the posture of the network. You will learn to perform basic tasks to secure a small branch type office network using Cisco IOS security features available through web-based GUIs (Cisco Router and Security Device Manager [SDM]) and the command-line interface (CLI) on the Cisco routers and switches.
Labs
We have enhanced our IINS labs beyond what you'll find in the standard IINS labs. Instead of using the same equipment and topology that is used for the ICND courses, as standard Cisco IINS labs do, our IINS labs use the same equipment and topology that is used for the CCSP family of classes. Every pod has two 2811 routers, one 1841 router, one 3560 switch, and a VMware server with 10 Virtual Machines (VMs.) Our topology is designed to replicate what is commonly found in small- to mid-sized business environments, with meaningful, realistic scenarios.
Lab 1: Exclusive - Network Address Translation
The network equipment starts in a generally configured state. Routing works within the internal network and within the external network. However, the internal network uses RFC 1918 private address space, which is not routable in the external network. Therefore, Network Address Translation (NAT) must be configured at the perimeter to allow connectivity from the internal network to the external network.
- Configure NAT
- Test and Verify NAT
- Verify the Configurations
Lab 2: Ethical Hacking
There is now IP connectivity throughout the network, but no security features have been enabled. In this lab you will see that without proper configuration of security features, the network can be compromised in many ways using freely available tools. The attacks demonstrated in this lab will be mitigated in later IINS labs.
- Use Nmap to Scan the Network
- Exclusive - Perform Vulnerability Analysis with Nessus
- Exclusive - Execute a Buffer Overflow Attack with Metasploit
- Exclusive - Perform a Port Forwarding Attack with Fpipe
- Exclusive - Launch a SYN Flood Attack with Hping
- Exclusive - Simulate Worm Propagation
- Exclusive - Perform an ARP Cache Poisoning Attack with Cain
Lab 3: Securing IOS Administrative Access
Protecting access to the IOS command line is a basic security requirement. In this lab, you will implement line passwords and enable passwords and secrets. You will also use the service password encryption. To provide a reality check on password security, password-cracking attacks are demonstrated. You will also be introduced to the authorization mechanism of privilege levels.
- Set Passwords on the Physical Lines
- Configure Enable and Enable Secret Passwords
- Set VTY Line Passwords
- Use Service Password Encryption
- Exclusive - How Secure are Encrypted Passwords?
- Exclusive - How Secure are Hashed Passwords?
- Password Min-Length
- Line Timeouts
- Exclusive - Privilege Levels
- Configure Banner Messages
- Verify the IOS-FW Configuration
Lab 4: Exclusive - Preparing Cisco SDM
SDM is a web-based Graphical User Interface for the configuration of routing and security features on IOS routers. Since it's web-based, it can be accessed via HTTP and HTTPS. From a security perspective, HTTPS is preferred. Using HTTPS will prevent the login credentials from passing the network in clear text. HTTPS requires an SSL identity certificate to reside on the HTTPS server (the IOS router in this case). This lab will demonstrate how to maintain public/private key pairs and self-signed digital certificates on IOS routers to make the use of HTTPS more manageable.
- Prepare the Admin PC for SDM
- Prepare the IOS-FW for SDM
- Install SDM on the Admin PC
- Launch SDM
- Manage IOS-FW Keys and Certificates
- Launch SDM again
- Verify Router Configuration
Lab 5: Configuring IOS AAA with the Local Database
In this lab, you will examine Authentication, Authorization, and Accounting (AAA) features using the local database. Users will be defined in the local database for authentication. They will be linked to privilege levels defined in the previous lab for authorization. Also, role-based CLI will be introduced where command sets can be assigned to groups of users. Interaction between SDM and role-based CLI will also be demonstrated.
- Enable AAA
- Test AAA
- Define and Test other Usernames
- Configure Role-Based CLI
- Exclusive - Role-Based CLI and AAA Authorization
- Exclusive - SDM's Built-In Roles
- Enhanced Login Features
- Verify the Router Configuration
Lab 6: Configuring IOS AAA with ACS
In this lab, you will examine AAA concepts using Cisco Secure Access Control Server (ACS) as an AAA server. Our version of this lab goes a step further than standard Cisco labs in most aspects. For example, instead of simply linking ACS to the Windows database for authentication, you will integrate with Active Directory and perform group matching for authorization. Instead of simply authorizing for privilege level, you will perform command authorization using command authorization sets. Instead of simply accounting for login/logout, you will perform command-level accounting. You will also test what happens in the event of an AAA server failure.
- Connect to ACS
- Set Up IOS-FW to ACS Communication
- Define a New Group and User in ACS
- Configure ACS-Based Authentication and Authorization
- Test ACS-Based Authentication and Authorization
- Configure ACS and Active Directory Integration
- Exclusive - Test the Fallback Method
- Exclusive - Command Authorization Sets
- AAA Accounting
- Verify the Router Configuration
Lab 7: IOS Secure Management and Reporting
In this lab, you will configure some management and reporting functions on the router, and you will configure various other security features. You will configure SSH to provide secure connections to the CLI. You will configure authenticated NTP to keep the router's clock in sync. You will configure Syslog, which can report on various security events to a Syslog server. You will also configure Unicast Reverse Path Forwarding checks to limit IP spoofing and Route Authentication to mitigate route table poisoning by attackers.
- Configure SSH Server
- Configure NTP on the IOS-FW and Perimeter Router
- Configure Syslog on the IOS-FW
- Configure Syslog on the Perimeter Router
- Exclusive - Configure Unicast-RPF Verification
- Exclusive - Configure Route Authentication
- Verify the Router Configuration
Lab 8: Securing IOS Router Services
SDM offers a security audit which can help identify potential security issues with the router's configuration. For the problems it identifies, it can also propose solutions. In this lab, you will run an SDM security audit, analyze the results, and carefully choose which issues you would like to have it correct for you.
- Run a Mock Security Audit
- Run a Real Security Audit
- Perform Configuration Adjustments
- Verify the Router Configuration
Lab 9: Packet Filtering Using ACLs
Packet filtering is not as powerful as stateful inspection, but it has its place. In this lab, you will configure packet filtering on the Perimeter Router. This will allow the Perimeter Router to take care of the "easy stuff", leaving the more difficult to defend against issues for the IOS-FW. To illustrate the limitations of packet filtering, you will demonstrate the attack known as an ACK scan, and you will manipulate TCP ports used by applications to gain access to internal systems.
- Limit VTY Access
- Filter Bogon Packets, Allow Outbound Connections
- Exclusive - Understand Packet Filter Limitations
- Allow Expected Traffic to the DMZ Server
- Allow Other Services from the Inside
- Test ACL Policy
- Exclusive - Insert Lines into an Existing ACL
- Verify Router Configuration
Lab 10: IOS Zone-Based Firewall
Zone-Based Firewall (ZBF) is a new paradigm for configuring stateful inspection on IOS Firewalls. Instead of applying ACLs to interfaces, interfaces are assigned to zones, and inter-zone policies are defined. Unless traffic is explicitly permitted between zones, it will be denied. In this lab, you will use ZBF to implement stateful inspection on the IOS-FW. You will demonstrate that the vulnerabilities left by the packet filters on the Perimeter Router are now mitigated. You will also configure and demonstrate protection against SYN flood attacks.
- Basic Firewall Wizard
- Exclusive - Implement the DMZ Inbound
- Exclusive - Implement the DMZ Outbound
- Exclusive - Allow Perimeter Router Management
- Exclusive - Demonstrate Attack Mitigation
- Verify the Router Configuration
Lab 11: Site-to-Site VPN: Traditional IPsec
In this lab, you will configure a Site-to-Site VPN connection between the main site and the Site1 network. You will use SDM's Site-to-Site VPN wizard to accomplish the configuration. Before you can use the wizard, some prep must be completed on the Perimeter Router and the IOS Firewall to allow the tunnel to properly establish. One such task is the removal of the Zone-Based Firewall, which is not compatible with traditional IPsec VPN. This incompatibility is the motivation behind the next lab, which you'll find only at Global Knowledge.
- Verify No Tunnel/No Connectivity
- Exclusive - Prepare the Perimeter Router for the Tunnel
- Prepare the IOS-FW for the Tunnel
- Use the Site to Site VPN Wizard
- Verify VPN Status
- Verify the Router Configuration
Lab 12: Exclusive - Site-to-Site VPN: GRE and IPsec
As mentioned in the previous lab, traditional IPsec VPN is not compatible with ZBF. That is because the outside interface is used for both untrusted Internet traffic and trusted VPN traffic. Hence, it can't properly be put in a single zone. Using GRE with IPsec provides a solution. With GRE, a virtual tunnel interface is defined. This virtual interface can be put in a separate VPN zone, so policy is easily enforced appropriately for Internet traffic vs. VPN traffic.
- Prepare the Perimeter Router for the Tunnel
- Use the VPN Wizard
- Review the Updated Firewall Policy
- Generate, Update and Apply the Mirror Configuration
- Troubleshoot the Tunnel
- Verify the Router Configuration
Lab 13: IOS Intrusion Prevention System
Much of the same technology that is in place in Cisco's 4200 Series IPS sensors has been ported to IOS so it's available in integrated services routers (ISRs) with the Advanced Security image. This lab provides an overview of IOS IPS functionality. You will enable IOS IPS and demonstrate its function. You will also delve deeper to examine signature definitions. You will use the application IPS Manager Express (which Cisco provides for free for small-scale IPS installations) to monitor IPS events. And you will work with advanced IOS IPS features such as event action overrides and event filters.
- IOS IPS Wizard
- Exclusive - Deobfuscation
- Signature Definitions
- Exclusive - IPS Manager Express
- Signature Actions
- Exclusive - Event Action Overrides
- Exclusive - Event Action Filters
- Verify the Router Configuration
Lab 14: Layer 2 Security
If an attacker is connected to the same switching fabric as the victim, even if both are assigned to different VLANS, proper use of security features on the switch are required to protect the victim from the attacker. If the attacker is on the same subnet as the victim, regardless of physical switch topology, security features on the switch are required to protect the victim. This lab mixes some ethical hacking and security configuration. Attacks will be demonstrated, security features will be configured, and then the attacks will be attempted again to demonstrate that the attacks no longer succeed.
- Exclusive - Perform Port Based Attacks
- Configure Port Security
- Exclusive - Demonstrate Attack Mitigation
- Exclusive - Perform an ARP Cache Poisoning Attack
- Exclusive - Configure Private VLAN Edge
- Verify the Switch Configuration
