In the previous article, we concluded our lab on Network Address Translation (NAT). So far we have gone through two CCP labs: ACLs and NAT. In this article, we will be moving on to our third lab, which has to do with Security Auditing. This will be an easy lab to perform because CCP provides a wizard for you to use. Let’s get on with it.
Our network diagram has evolved into what is shown below:
The configuration tasks for our lab #3 are as follows:
* Perform a security audit for RTR1 and fix the issues. Fa0/0 should be your trusted interface while Fa0/1 is your untrusted interface. Use 10.0.0.1 as the logging server.
* Do NOT enable firewall rules or AAA settings on any interface.
Your entire configuration should be done through the Cisco Configuration Professional tool.
Configuration Solutions
Cisco provides a very cool feature through the CCP tool that allows you to perform security audits on your devices. The security audit wizard checks the device’s configuration against a list of predefined recommended configurations and it is able to tell you where your configuration has issues.
Remember the AutoSecure feature on Cisco IOS, which provides a way to lock down your network device using a set of defined security features? (The AutoSecure feature is implemented through the “One-step lockdown” wizard in CCP.) Well, the Security Audit wizard is the flexible “brother” of One-step lockdown. The difference between the One-step lockdown wizard and the Security Audit wizard is that the former implements ALL of the defined security features without giving you any options, whereas the Security Audit wizard lets you choose which features to implement. Enough talk, let’s get to it.
I will select RTR1 as the community member and navigate to Configure > Security > Security Audit.
We will be performing the security audit, but I would like to show you the difference between the two wizards shown above, as stated by CCP itself; therefore, I will first click on the One-step lockdown button.
As you can see from the warning dialog, One-step lockdown will lock down your router without giving you any options, although you have the choice to undo some of the settings at a later time. Let’s continue with our security audit. I’ll click “No” on this warning dialog and then click on the “Perform security audit” button.
The first screen that is displayed gives me information about what the wizard will do. This wizard is very easy to use and most of the actions you will perform will be clicking the “Next” button.
The task told us to specify Fa0/0 as the trusted interface while Fa0/1 is the untrusted interface. This would have been more useful to us if we were applying firewall rules, but the second task tells us not to.
That’s a lot of red crosses, meaning that those features failed the checklist. Notice that you can save the report and open it at a later time or perhaps include it in a presentation to management. The saved report can be opened using a web browser. At this point, the “audit” is complete but we can go ahead and close this report so that we can fix some of the issues identified.
If I wanted to fix all the identified issues, I would have just clicked the Fix All button. However, in our case, we will not be fixing all issues; but I can still click that button and then uncheck the boxes for the problems I won’t be fixing. Whatever works best.
You can see from the above snapshot that I have unchecked the field to enable firewall rules and also AAA.
Due to some of the settings we want to fix, there will be more prompts for us to fill in details for, including enable secret and login banner.
I set my enable secret to “cisco” (a very bad choice) but I get an error dialog telling me that my password must be six characters or more.
This is one of the security features that will be enabled (minimum password length of six). I wonder what will happen to our less-than-six-characters passwords currently on our router (e.g., the “ccp” username). We will test this later.
The next screen that shows is the summary screen giving me details of what will be configured.
The configuration to be sent to the device is as follows:
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.0.0.1 0.0.0.255
access-list 1 deny any
enable secret level 15 0 ********
line vty 0 4
 transport input telnet ssh
 exit
line con 0
 login local
 exec-timeout 10 0
 transport output telnet
 exit
line aux 0
 login local
 exec-timeout 10 0
 transport output telnet
 exit
logging 10.0.0.1
no service pad
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip source-route
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 4000 1000
ip http access-class 1
ip tcp synwait-time 10
no cdp run
security authentication failure rate 3 log
security passwords min-length 6
ip ssh time-out 60
ip ssh authentication-retries 2
banner login ~Unauthorized access is prohibited! Logs are being kept and monitored and unauthorized users may be prosecuted.~
logging console critical
logging trap debugging
logging buffered 51200 debugging
interface Loopback0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
interface Null0
 exit
default interface Null0
interface Null0
 no ip unreachables
 exit
interface FastEthernet0/1
 description $FW_OUTSIDE$
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 ip verify unicast reverse-path
 exit
interface Loopback2
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
interface Loopback1
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
interface FastEthernet0/0
 description $FW_INSIDE$
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
Testing our configuration
One of the configurations applied by the security wizard was the “login local” command under the console line; we can verify that this really is the case by opening a connection through the console.
Cool. As you should notice, our login banner is also displayed. One last thing: we said we would verify whether our ccp username’s password still works. Actually, let’s hope it works, because that is the only username we currently have configured on our router.
Whew, it works. So it shows that the minimum password length does not affect the passwords that were configured before that command was added. If we tried adding a password with a length less than six now, we should get an error.
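To make concrete what the wizard is doing when it compares a configuration against its checklist, and to turn the minimum-password-length finding above into something you can check before the wizard runs, here is a small Python audit script. It is an added example, not CCP’s code and not part of the original lab. Its checklist is assembled only from the commands the wizard pushed to RTR1 above (CCP’s real checklist is longer), the “before the audit” configuration is constructed for the demo, and the clear-text password check is an extra I added that the wizard itself does not perform.

```python
"""Added example: a small IOS configuration audit in the spirit of CCP's Security
Audit wizard. This is not CCP's code. The checklist is built only from the commands
the wizard pushed to RTR1 in this lab; CCP's real checklist is longer. The sample
configuration below is constructed for the demo."""
import re

# Global commands the wizard applied. A config without one of them fails that
# item, like a red cross in the wizard's report.
GLOBAL_CHECKS = {
    "PAD service disabled": "no service pad",
    "Password encryption": "service password-encryption",
    "TCP keepalives in": "service tcp-keepalives-in",
    "TCP keepalives out": "service tcp-keepalives-out",
    "BOOTP server disabled": "no ip bootp server",
    "IP source routing disabled": "no ip source-route",
    "CDP disabled": "no cdp run",
    "Minimum password length": "security passwords min-length 6",
    "Login failure rate logging": "security authentication failure rate 3 log",
    "Syslog server": "logging 10.0.0.1",
    "Login banner": "banner login",
}

# Hardening the wizard applied under every interface.
INTERFACE_CHECKS = {
    "Proxy ARP disabled": "no ip proxy-arp",
    "ICMP redirects disabled": "no ip redirects",
    "ICMP unreachables disabled": "no ip unreachables",
}

# Matches clear-text (type 0) user passwords, e.g. "username ccp privilege 15 password 0 ccp".
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege \d+)? password 0 (\S+)$")

# Constructed "before the audit" running-config for RTR1 (addresses omitted).
BEFORE_CONFIG = """\
hostname RTR1
username ccp privilege 15 password 0 ccp
no service pad
!
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
 no ip redirects
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_config(text):
    """Split a running-config into global commands and {interface: [commands]}.
    Only interface blocks are tracked; lines under other blocks (line vty ...)
    are kept with the global commands, which is enough for these checks."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' separators end a block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return {check name: passed?} for every global and per-interface item."""
    global_lines, interfaces = parse_config(text)
    results = {}
    for name, cmd in GLOBAL_CHECKS.items():
        # exact match, or prefix match for commands that carry an argument (banner)
        results[name] = any(line == cmd or line.startswith(cmd + " ") for line in global_lines)
    for ifname, cmds in interfaces.items():
        for name, cmd in INTERFACE_CHECKS.items():
            results[f"{ifname}: {name}"] = cmd in cmds
    return results


def failed(results):
    """Names of the checks that failed (the wizard's red crosses), sorted."""
    return sorted(name for name, ok in results.items() if not ok)


def short_plaintext_passwords(text, min_len=6):
    """Added check the wizard does not perform: flag existing clear-text user
    passwords shorter than min_len. As the lab shows, 'security passwords
    min-length' only governs passwords set after it; once 'service
    password-encryption' is active the stored form is type 7 and the length can
    no longer be judged from the config, so run this before the wizard."""
    global_lines, _ = parse_config(text)
    return [(m.group(1), m.group(2)) for m in map(USERNAME_RE.match, global_lines)
            if m and len(m.group(2)) < min_len]


if __name__ == "__main__":
    for name in failed(audit(BEFORE_CONFIG)):
        print("FAIL", name)
    for user, pw in short_plaintext_passwords(BEFORE_CONFIG):
        print(f"short password for user {user!r} ({len(pw)} chars)")
```

Run against the constructed config it reports 15 failed items (ten global, five per-interface) and flags the three-character ccp password; paste in a real `show running-config` to see where your router stands before letting the wizard push changes.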
Now we can save our configuration because we have come to the end of this lab. In this lab, we went through the security audit wizard. We saw that CCP provides us with two wizards: Security Audit and One-step lockdown. They perform similar functions except that the security wizard is more flexible than the one-step lockdown, i.e., it allows us to choose what security features to configure.
This was a somewhat easy lab to configure; the next lab that we will be looking at will be more difficult: the zone-based firewall. I hope you have found this article insightful, and I look forward to writing the next lab in the series.