
Ngee Ann Polytechnic

Electronic and Computer Engineering Division

Fundamentals of Network Security

Case Study

Objectives

• Configure an IOS Firewall router as a Secure Shell (SSH) version 1 server
• Use show and debug commands to troubleshoot SSH
• Configure logging and audit trails
• Define and apply inspection rules and access control lists (ACLs)
• Test and verify Context-based Access Control (CBAC)

Names _______________________________ Date ____________


_______________________________
_______________________________
_______________________________

Class ____________

EXPT_CASE_STUDY.DOC 1 Oct 2010 Rev 1.1



Network Diagram

[Figure 1: logical topology (image not reproduced). Labels recoverable from the figure: inside (trusted) LAN 10.0.1.0/24 on Fa0/0 with host addresses .1, .10 and .11, and "server".]

Scenario

Company XYZ has a firewall router on its perimeter network. The router must be configured so that the only remote access allowed is secure telnet, i.e. the SSHv1 protocol, authenticating against a local database of username/password pairs. In addition, the company's administrator needs to enable CBAC filtering to monitor any SSH session that passes through the firewall.

Tools/Preparation

4 x 2611XM routers (2 loaded with Advanced Security IOS version 12.3(14)T)
2 student notebooks with built-in wireless LAN
PCMCIA wireless card, for notebooks without built-in wireless LAN
PuTTY SSH client software

The IOS Firewall router topology has two basic segments:

Name      Trust level       Type          Network          Physical port
Inside    Trusted (100%)    Private LAN   10.0.X.0/24      FastEthernet 0/0
Outside   Untrusted (0%)    Public LAN    172.30.X.0/24    FastEthernet 0/1

X represents the student number; e.g. the inside network for student 1 is 10.0.1.0/24.


Part I – Configure SSHv1

Figure 1 shows the logical topology for this case study. The main task for students is
to configure RouterX based on the following policy:

1. Configure all the required interfaces.
2. Routing protocol: EIGRP in AS 1.
3. Router hostname: <your student number>, e.g. 10036688E.
4. An enable secret must be set (password must follow policy (c)).
5. Access to router
a. Console Access
i). Console line password is required (password must follow policy (c))

b. VTY Access
i). Login using local username and password pair.
Username: netwarrior
Password: Student1234
ii). Only SSH protocol may be used for VTY access.
iii). Use only SSH version 1 protocol
iv). SSH domain name: np.com
v). Generate 512-bit RSA keys
vi). SSH maximum timeout value allowed: 15 seconds
vii). SSH maximum amount of authentication retries allowed: 3

c. Password requirements
i). All passwords used must be at least eight-characters long and consist
of a mixture of alphanumeric, upper-case and lower-case characters.
Dictionary words (regardless of length) are not to be used as passwords.
ii). All passwords in the configuration file must be encrypted.
(Look up on cisco.com the command that turns on password encryption.)

6. Logging and debugging
a. On your router, enable logging on the console.
b. Turn on debugging for SSH.

7. Verify SSH parameters and its version

What is the command to verify the above?

8. From your router, establish an SSH connection to your peer router 172.30.P.2
using the local username/password pair.

Write down the command to do the above.


9. From your router, disconnect the current SSH connection to your peer router
172.30.P.2.

What is the command to perform this operation?

10. Save the configuration on your router, then copy the running configuration
into a text file, labelling it as the Part I configuration.
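The following is an added reference configuration for Part I; it is not part of the original worksheet. It assumes student number X=1 (inside 10.0.1.0/24), peer number P=2, RouterX addresses 10.0.1.1 and 172.30.1.1 (the worksheet does not fix the router's own addresses), and sample enable/console passwords that satisfy policy 5(c); substitute your own. SSH version 1 and 512-bit RSA keys are what the lab specifies for an IOS 12.3(14)T router; both are considered insecure today (SSHv1 has known protocol weaknesses and a 512-bit RSA modulus can be factored), so outside this lab use SSH version 2 with a 2048-bit or larger key.

```cisco
! Added reference configuration for Part I (not part of the worksheet).
! Assumptions: student number X=1, peer number P=2, RouterX addresses
! 10.0.1.1/24 (Fa0/0) and 172.30.1.1/24 (Fa0/1); the enable secret and
! console password are sample values that satisfy policy 5(c).
enable
configure terminal
! 3. Hostname (set it, with the domain name, before generating RSA keys;
!    the key label defaults to <hostname>.<domain-name>)
hostname 10036688E
!
! 4. Enable secret: stored as a salted MD5 hash (type 5)
enable secret Rz7kQm4T
!
! 5(c)(ii). Hide the remaining clear-text passwords (line passwords) as
!    type 7 strings. Type 7 is reversible obfuscation, not encryption,
!    so prefer "secret" forms wherever IOS offers them.
service password-encryption
!
! 1. Interfaces
interface FastEthernet0/0
 description Inside (trusted), 10.0.X.0/24
 ip address 10.0.1.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 description Outside (untrusted), 172.30.X.0/24
 ip address 172.30.1.1 255.255.255.0
 no shutdown
!
! 2. Routing: EIGRP AS 1
router eigrp 1
 network 10.0.0.0
 network 172.30.0.0
 no auto-summary
!
! 5(a). Console access protected by a line password
line console 0
 password Hf9sPw2L
 login
!
! 5(b)(i). Local username/password database (hashed, not type 7)
username netwarrior secret Student1234
!
! 5(b)(iv)-(vii). SSH server: domain name, 512-bit RSA key pair, version 1,
!    15-second negotiation timeout, 3 authentication retries
ip domain-name np.com
crypto key generate rsa general-keys modulus 512
ip ssh version 1
ip ssh time-out 15
ip ssh authentication-retries 3
!
! 5(b)(ii)-(iii). VTY lines: local login, SSH only (Telnet refused)
line vty 0 4
 login local
 transport input ssh
!
! 6(a). Console logging
logging console debugging
end
!
! 6(b). SSH debugging
debug ip ssh
!
! 7. Verify SSH version and parameters ("SSH Enabled - version 1.5" is
!    how IOS reports an SSHv1-only server)
show ip ssh
!
! 8. SSH from RouterX to the peer router with the local user, forcing v1
ssh -v 1 -l netwarrior 172.30.2.2
!
! 9. Leave the remote session with "exit", or suspend it (Ctrl-Shift-6, x),
!    then list and drop it from RouterX
show sessions
disconnect 1
!
! 10. Save, then capture the running configuration for the Part I text file
copy running-config startup-config
terminal length 0
show running-config
```

A quick check after applying this: `show running-config` should show `enable secret 5 ...` and `username netwarrior secret 5 ...` (hashes), `password 7 ...` on the console line (obfuscated), and `transport input ssh` under the VTY lines; `show ip ssh` should report the 15-second timeout and 3 retries, and a PuTTY session configured for SSH-1 should be accepted while a Telnet attempt to the same address is refused.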

Part II – Apply CBAC filter to the router

1. Set the router's clock to the current date and time.
2. Change the VTY access to allow only Telnet instead of SSH.
3. Enable audit trail.
4. Define and apply inspection rules and ACLs based on the following:
a. Define a CBAC inspection rule named MYRULE that inspects all TCP and FTP
traffic with a timeout of 300 seconds. Inspect ICMP traffic as well.
b. Define an ACL that allows outbound ICMP traffic and blocks all other
inside-initiated traffic.
c. Define another ACL that allows inbound ICMP, EIGRP and Telnet traffic while
blocking all other outside-initiated traffic.
d. Apply the inspection rule and the respective ACLs to the correct interfaces.

5. Test and verify CBAC as follows:
a. Verify all the inspected interfaces.

What is the command to verify all inspected interfaces?

b. From your router, test the connectivity to your peer router 172.30.P.2.

What is the command to display the ICMP session in detail?

c. From your student notebook (10.0.X.10), establish a Telnet connection to
your peer router 172.30.P.2 using the local username/password pair, and view
the current session in detail on your router.

From the output displayed, how can this session be identified as a Telnet
connection?


Indicate which ACL number shows matches for the Telnet traffic.

6. Save the configuration, then copy it into the same text file as above,
labelling it as the Part II configuration.
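An added reference configuration for Part II, not part of the worksheet, with the same assumptions as the Part I example (X=1, P=2, notebook 10.0.1.10, peer router 172.30.2.2, sample date/time). It applies the inspection rule inbound on the inside interface; CBAC then opens temporary entries in the outside interface's inbound ACL for the return traffic of each inspected session. Two practitioner's notes: CBAC inspects only packets that the interface ACL has already permitted, so an inside ACL that permits nothing but ICMP (policy 4(b) read literally) would also stop the notebook's Telnet in step 5(c); the example adds one permit line for that test and marks it. And switching the VTY lines to Telnet, as the lab requires for this part, means the netwarrior credentials now cross the network in clear text.

```cisco
! Added reference configuration for Part II (not part of the worksheet).
! Assumptions as in Part I: X=1, P=2, notebook 10.0.1.10, peer 172.30.2.2.
! 1. Clock (clock set is a privileged EXEC command, not a config command);
!    the date and time here are sample values
clock set 09:30:00 4 Oct 2010
configure terminal
! So that audit-trail syslog lines carry the clock time rather than uptime
! (an addition beyond the worksheet's steps)
service timestamps log datetime
!
! 2. VTY lines: Telnet only, still authenticating against the local database
line vty 0 4
 login local
 transport input telnet
!
! 3. Audit trail: one %FW-6-SESS_AUDIT_TRAIL syslog line per inspected session
ip inspect audit-trail
!
! 4(a). Inspection rule MYRULE
ip inspect name MYRULE tcp timeout 300
ip inspect name MYRULE ftp timeout 300
ip inspect name MYRULE icmp
!
! 4(b). Inside-initiated traffic (inbound on Fa0/0): ICMP only.
!    CBAC inspects only packets this ACL permits, so the worksheet's
!    literal policy would also drop the notebook's Telnet in step 5(c);
!    the tcp line is the one addition needed for that test.
access-list 101 permit icmp any any
access-list 101 permit tcp 10.0.1.0 0.0.0.255 any eq telnet
access-list 101 deny ip any any
!
! 4(c). Outside-initiated traffic (inbound on Fa0/1): ICMP, EIGRP, Telnet.
!    CBAC inserts temporary permit entries into this ACL for the return
!    traffic of the sessions it inspected.
access-list 102 permit icmp any any
access-list 102 permit eigrp any any
access-list 102 permit tcp any any eq telnet
access-list 102 deny ip any any
!
! 4(d). Apply: inspect sessions entering from the inside, filter each side
interface FastEthernet0/0
 ip access-group 101 in
 ip inspect MYRULE in
!
interface FastEthernet0/1
 ip access-group 102 in
end
!
! 5(a). Interfaces with inspection rules and ACLs applied
show ip inspect interfaces
!
! 5(b). Ping the peer for connectivity. Router-originated packets do not
!    enter Fa0/0, where the rule is applied, so to be sure of seeing an
!    ICMP session also ping 172.30.2.2 from the notebook, then display the
!    session before its idle timeout (10 seconds by default for ICMP)
ping 172.30.2.2
show ip inspect sessions detail
!
! 5(c). After "telnet 172.30.2.2" from the notebook, the session is listed
!    as (10.0.1.10:<port>)=>(172.30.2.2:23) tcp: Telnet by destination port 23
show ip inspect sessions detail
show ip access-lists
!
! 6. Save and capture for the Part II text file
copy running-config startup-config
terminal length 0
show running-config
```

On the worksheet's last question: the notebook's outgoing Telnet segments are counted on the `permit tcp ... eq telnet` line of ACL 101, while the peer's replies match the temporary `permit tcp host 172.30.2.2 eq telnet host 10.0.1.10 eq <port>` entries that CBAC inserts into ACL 102, which `show ip access-lists` prints ahead of the configured lines; once the session closes or times out those entries disappear and the audit trail records the byte counts.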

Part III - Complete all sections and submit the completed worksheet in the
Group Journal in MeL.

1. Capture the outputs of the following commands into a text file:
i). Name your text file: <your_name>.txt.
ii). Router# term length 0
iii). Router# show run
iv). Router# show crypto key mypubkey rsa

2. Record the username/password, line password and enable secret password you
have used at the top of the same text file you captured. Your text file must
follow the structure below:
i). Username password - XXXXXXXXX
ii). Console line password - XXXXXXXX
iii). Enable secret password - XXXXXXXX
iv). Part I configuration: show run output
v). RouterX# show crypto key mypubkey rsa: captured output
vi). Part II configuration: show run output

3. Save the text document again and then submit it INDIVIDUALLY to the Journal as
follows:

MeL > FNS > Tools > Groups > Class > Group Journal > Create Journal Entry
Title: <your student name (student number)>
Attach File > Browse for Local File
Comments: FNS Case Study 1
Then click Post Entry.

4. Hand this written worksheet to the TSO on duty for collection; it will be marked by
your instructor. The submission deadline is 21 Jan 2010 (Fri), 12:00 noon
(unless approved otherwise by your respective instructor).

