In the previous article, we concluded our lab on Network Address Translation (NAT). So far we have gone through two CCP labs: ACLs and NAT. In this article, we will be moving on to our third lab, which has to do with Security Auditing. This will be an easy lab to perform because CCP provides a wizard for you to use. Let’s get on with it.

Our network diagram has evolved into what is shown below:

[Network diagram: SecurityAudit04302014]

The configuration tasks for our lab #3 are as follows:

  • Perform a security audit for RTR1 and fix the issues. Fa0/0 should be your trusted interface while Fa0/1 is your untrusted interface. Use 10.0.0.1 as the logging server.
  • Do NOT enable firewall rules or AAA settings on any interface.

Your entire configuration should be done through the Cisco Configuration Professional tool.

Configuration Solutions

Task 1

Cisco provides a very cool feature through the CCP tool that allows you to perform security audits on your devices. The security audit wizard checks the device’s configuration against a list of predefined recommended configurations and it is able to tell you where your configuration has issues.

Remember the AutoSecure feature on Cisco IOS, which locks down a network device using a predefined set of security features? (In CCP, AutoSecure is implemented through the “One-step lockdown” wizard.) Well, the Security Audit wizard is the flexible “brother” of One-step lockdown. The difference between the two is that One-step lockdown applies ALL of the defined security features without giving you any options, whereas the Security Audit wizard lets you choose which features to implement. Enough talk, let’s get to it.

I will select RTR1 as the community member and navigate to Configure > Security > Security Audit.

We will be performing the security audit, but first I would like to show you the difference between the two wizards as stated by CCP itself; therefore, I will click on the One-step lockdown button.

As you can see from the warning dialog, One-step lockdown will lock down your router without giving you any options, although you do have the choice to undo some of the settings at a later time. Let’s continue with our security audit. I’ll click “No” on this warning dialog and then click the “Perform security audit” button.

The first screen that is displayed gives me information about what the wizard will do. This wizard is very easy to use and most of the actions you will perform will be clicking the “Next” button.

The task told us to specify Fa0/0 as the trusted interface while Fa0/1 is the untrusted interface. This would have been more useful to us if we were applying firewall rules, but the second task tells us not to.

That’s a lot of red crosses, meaning that those features failed the checklist. Notice that you can save the report and open it at a later time or perhaps include it in a presentation to management. The saved report can be opened using a web browser. At this point, the “audit” is complete but we can go ahead and close this report so that we can fix some of the issues identified.

If I wanted to fix all the identified issues, I would have just clicked the Fix All button. However, in our case, we will not be fixing all issues; but I can still click that button and then uncheck the boxes for the problems I won’t be fixing. Whatever works best.

You can see from the above snapshot that I have unchecked the field to enable firewall rules and also AAA.

Due to some of the settings we want to fix, there will be more prompts for us to fill in details for, including enable secret and login banner.

I set my enable secret to “cisco” (a very bad choice) but I get an error dialog telling me that my password must be six characters or more.

This is one of the security features that will be enabled (minimum password length of six). I wonder what will happen to our less-than-six-characters passwords currently on our router (e.g., the “ccp” username). We will test this later.

The next screen that shows is the summary screen giving me details of what will be configured.

The configuration to be sent to the device is as follows:

access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.0.0.1 0.0.0.255
access-list 1 deny any
enable secret level 15 0 ********
line vty 0 4
 transport input telnet ssh
 exit
line con 0
 login local
 exec-timeout 10 0
 transport output telnet
 exit
line aux 0
 login local
 exec-timeout 10 0
 transport output telnet
 exit
logging 10.0.0.1
no service pad
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip source-route
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 4000 1000
ip http access-class 1
ip tcp synwait-time 10
no cdp run
security authentication failure rate 3 log
security passwords min-length 6
ip ssh time-out 60
ip ssh authentication-retries 2
banner login ~Unauthorized access is prohibited! Logs are being kept and monitored and unauthorized users may be prosecuted.~
logging console critical
logging trap debugging
logging buffered 51200 debugging
interface Loopback0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
interface Null0
 exit
default interface Null0
interface Null0
 no ip unreachables
 exit
interface FastEthernet0/1
 description $FW_OUTSIDE$
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 ip verify unicast reverse-path
 exit
interface Loopback2
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
interface Loopback1
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
interface FastEthernet0/0
 description $FW_INSIDE$
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
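To make concrete what the wizard is doing when it compares the running-config against its checklist, here is an added example (not CCP or Cisco code) of a small audit script in Python. Its check list is derived from the hardening commands the wizard pushed to RTR1 above: global commands such as no cdp run and security passwords min-length 6, the no ip proxy-arp / no ip redirects / no ip unreachables trio on every interface except Null0, unicast RPF on the untrusted interface only, and login local plus exec-timeout on the console and aux lines. The function names (parse_config, audit, failures), the Finding class and SAMPLE_CONFIG are all my own; SAMPLE_CONFIG is a constructed “before” snapshot with made-up addresses, not RTR1’s real running-config.

```python
"""Added example of a CCP-style configuration audit. Not CCP or Cisco code:
the check list mirrors the commands the Security Audit wizard applied in this
lab, and SAMPLE_CONFIG is a constructed "before" snapshot (hypothetical values)."""
import re
from dataclasses import dataclass

# Global hardening commands the wizard added, as regexes over top-level lines.
GLOBAL_CHECKS = [
    ("Disable PAD service", r"^no service pad$"),
    ("Encrypt stored passwords", r"^service password-encryption$"),
    ("Disable BOOTP server", r"^no ip bootp server$"),
    ("Disable IP source routing", r"^no ip source-route$"),
    ("Disable CDP", r"^no cdp run$"),
    ("Minimum password length >= 6", r"^security passwords min-length ([6-9]|\d{2,})$"),
    ("Log authentication failures", r"^security authentication failure rate \d+ log$"),
    ("Syslog server configured", r"^logging (host )?\d{1,3}(\.\d{1,3}){3}$"),
    ("Login banner set", r"^banner login "),
    ("HTTP server restricted by ACL", r"^ip http access-class \d+$"),
]
# Per-interface protections applied to every interface except Null0; uRPF only on the untrusted one.
INTERFACE_CHECKS = ["no ip proxy-arp", "no ip redirects", "no ip unreachables"]
URPF = "ip verify unicast reverse-path"

# Constructed "before" running-config (hypothetical, not captured from RTR1).
SAMPLE_CONFIG = """\
hostname RTR1
service password-encryption
no ip bootp server
logging 10.0.0.1
logging buffered 51200 debugging
security passwords min-length 4
banner login ~Authorised users only~
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.0.0.254 255.255.255.0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
interface FastEthernet0/1
 description $FW_OUTSIDE$
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
interface Null0
 no ip unreachables
line con 0
 exec-timeout 10 0
line aux 0
"""

@dataclass
class Finding:
    check: str   # what was tested
    scope: str   # "global", "interface X" or "line X"
    passed: bool

def parse_config(text):
    """Split an IOS running-config into top-level commands plus the indented
    sub-commands under each section header (interface, line, ...)."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks

def audit(text, untrusted=()):
    """Run every check and return one Finding per (check, scope) pair."""
    top, blocks = parse_config(text)
    findings = []
    for name, pattern in GLOBAL_CHECKS:
        findings.append(Finding(name, "global", any(re.match(pattern, l) for l in top)))
    for section, cmds in blocks.items():
        if section.startswith("interface ") and section != "interface Null0":
            for cmd in INTERFACE_CHECKS:
                findings.append(Finding(cmd, section, cmd in cmds))
            if section.split(" ", 1)[1] in untrusted:
                findings.append(Finding(URPF, section, URPF in cmds))
    for line in ("line con 0", "line aux 0"):
        cmds = blocks.get(line, [])
        findings.append(Finding("login local", line, "login local" in cmds))
        findings.append(Finding("exec-timeout", line, any(c.startswith("exec-timeout ") for c in cmds)))
    return findings

def failures(findings):
    """(check, scope) pairs that failed: the red crosses in the wizard's report."""
    return [(f.check, f.scope) for f in findings if not f.passed]

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, untrusted={"FastEthernet0/1"}):
        print("PASS" if f.passed else "FAIL", f.scope + ":", f.check)
```

Note that features such as CDP, PAD and IP source routing are enabled by default and therefore do not appear in a running-config at all; the script, like the wizard, treats the absence of the corresponding “no …” line as a failed check rather than looking for a positive “cdp run” line.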

Testing our configuration

One of the configurations applied by the security wizard was the “login local” command under the console line; we can verify that this really is the case by opening a connection through the console.

Cool. As you should notice, our login banner is also displayed. One last thing: we said we would verify whether the ccp username’s password still works. Actually, let’s hope it does, because that is the only username currently configured on our router.

Whew, it works. This shows that the minimum password length requirement does not affect passwords that were configured before the command was added. If we tried adding a password shorter than six characters now, we should get an error.

Summary

Now we can save our configuration because we have come to the end of this lab. In this lab, we went through the security audit wizard. We saw that CCP provides us with two wizards: Security Audit and One-step lockdown. They perform similar functions except that the security wizard is more flexible than the one-step lockdown, i.e., it allows us to choose what security features to configure.

This was a somewhat easy lab to configure; the next lab that we will be looking at will be more difficult: zone based firewall. I hope you have found this article insightful and I look forward to writing the next lab in the series.
