Throughout the course of this book, you have discovered the importance of cybersecurity operations and have gained skills in using various technologies to detect and analyze threats on an enterprise network. Now it's about time to take things to the next level by learning how to implement various security controls and technologies to prevent and mitigate cyber attacks.
Throughout the course of this chapter, you will learn how to implement various Cisco security solutions on a network to mitigate various types of threats and attacks. You will learn how to implement Authentication, Authorization, and Accounting (AAA), a zone-based firewall, and an Intrusion Prevention System (IPS) on an enterprise network.
In this chapter, we will cover the following topics:
Let's dive in!
To follow along with the exercises in this chapter, please ensure that you have Cisco Packet Tracer 7.3.1 or higher: https://www.netacad.com/courses/packet-tracer.
Link for Code in Action video: https://bit.ly/3aAXc7C
In this section, you will learn how to implement AAA within a Cisco environment. You will discover how to implement local AAA and server-based AAA using Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) protocols on a Cisco Internetwork Operating System (IOS) router. The objective of this lab is to provide you with hands-on experience and skills in implementing AAA within an enterprise network.
Before you get started, go to the Cisco Networking Academy website to enroll in the Intro to Packet Tracer course at https://www.netacad.com/courses/packet-tracer. This free online course will teach you how to download and use the Cisco Packet Tracer application to its fullest potential. This is a mandatory requirement if you do not have prior experience with Cisco IOS devices and the Cisco Packet Tracer application.
Before building the lab environment, the following are a couple of important factors:
Once the Cisco Packet Tracer application is installed on your computer, please build the following network topology for this lab exercise:
Once you have connected each device as shown in the preceding figure, we'll be using the following IPv4 addressing scheme to configure the IP addresses on each device:
To get started with implementing AAA, use the instructions mentioned in the following sections.
- Client Name: R2
- Client IP: 192.168.1.1
- Secret: radiuspassword
- ServerType: Radius
The following screenshot shows the parameters on the RADIUS server:
- Username: RemoteUser
- Password: CyberOps2
The following screenshot shows how the parameter needs to be configured:
- Client Name: R3
- Client IP: 10.1.1.6
- Secret: tacacspassword
- ServerType: Tacacs
The following screenshot shows the parameters on the server:
- Username: RemoteUser
- Password: CyberOps3
The following screenshot shows the parameters on the server:
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#banner motd %Keep Out!!!%
R1(config)#no ip domain-name lookup
R1(config)#interface gigabitEthernet 0/1
R1(config-if)#description Connected to LAN
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface gigabitEthernet 0/0
R1(config-if)#description Connected to R2
R1(config-if)#ip address 10.1.1.2 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#router ospf 1
R1(config-router)#passive-interface gigabitEthernet 0/1
R1(config-router)#network 172.16.1.0 0.0.0.255 area 0
R1(config-router)#network 10.1.1.0 0.0.0.3 area 0
R1(config-router)#exit
R1(config)#enable secret cisco123
R1(config)#username Admin1 secret password1
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#exit
R1(config)#ip domain-name ciscolab.local
R1(config)#crypto key generate rsa general-keys modulus 1024
R1(config)#aaa authentication login SSH-Auth local
R1(config)#line vty 0 15
R1(config-line)#login authentication SSH-Auth
R1(config-line)#transport input ssh
R1(config-line)#exit
R2(config)#router ospf 1
R2(config-router)#passive-interface gigabitEthernet 0/1
R2(config-router)#network 192.168.1.0 0.0.0.255 area 0
R2(config-router)#network 10.1.1.0 0.0.0.3 area 0
R2(config-router)#network 10.1.1.4 0.0.0.3 area 0
R2(config-router)#exit
R2(config)#enable secret cisco123
R2(config)#username Admin2 secret password2
R2(config)#radius-server host 192.168.1.100
R2(config)#radius-server key radiuspassword
R2(config)#aaa new-model
R2(config)#aaa authentication login default group radius local
R2(config)#line console 0
R2(config-line)#login authentication default
R2(config-line)#exit
R2(config)#ip domain-name ciscolab.local
R2(config)#crypto key generate rsa general-keys modulus 1024
R2(config)#line vty 0 15
R2(config-line)#login authentication default
R2(config-line)#exit
R3(config)#router ospf 1
R3(config-router)#passive-interface gigabitEthernet 0/1
R3(config-router)#network 172.17.1.0 0.0.0.255 area 0
R3(config-router)#network 10.1.1.4 0.0.0.3 area 0
R3(config-router)#exit
R3(config)#enable secret cisco123
R3(config)#username Admin3 secret password3
R3(config)#tacacs-server host 192.168.1.200
R3(config)#tacacs-server key tacacspassword
R3(config)#aaa new-model
R3(config)#aaa authentication login default group tacacs+ local
R3(config)#line console 0
R3(config-line)#login authentication default
R3(config-line)#exit
R3(config)#ip domain-name ciscolab.local
R3(config)#crypto key generate rsa general-keys modulus 1024
R3(config)#line vty 0 15
R3(config-line)#login authentication default
R3(config-line)#exit
Remember that the router will use AAA as the primary method for user authentication, and only if the AAA service or server is not available will the router use the local database.
As shown in the preceding screenshot, the login to the router was successful. This validates that AAA was configured correctly: if AAA were not configured properly, the router would not be able to use the AAA server for authentication and would fall back to the account in the local database to log in to the device. Keep in mind that when you enter the password on the terminal, Cisco IOS does not echo it, as a security measure.
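A common way to lock yourself out of a router is a `login authentication` line that references a method list that was never defined, a server group with no host or key, or a method list with no `local` fallback. The following added example (not code from the book or from Cisco) is a small Python checker for those mistakes, run over a constructed excerpt of the R2 configuration from this lab; it also flags vty lines that still accept Telnet because `transport input ssh` is missing.

```python
import re

# Constructed excerpt of the R2 configuration from this lab (not a complete running-config).
R2_CONFIG = """\
radius-server host 192.168.1.100
radius-server key radiuspassword
aaa new-model
aaa authentication login default group radius local
line console 0
 login authentication default
line vty 0 15
 login authentication default
"""


def check_aaa_config(config: str) -> list[str]:
    """Return findings for a Cisco IOS AAA login configuration (empty list = no issues)."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing: login method lists are ignored")
    # Defined method lists, e.g. {'default': ['group', 'radius', 'local']}
    method_lists = {}
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", ln)
        if m:
            method_lists[m.group(1)] = m.group(2).split()
    # Each server group used by a method list needs a host and a shared key
    for name, methods in method_lists.items():
        for i, word in enumerate(methods[:-1]):
            if word == "group" and methods[i + 1] in ("radius", "tacacs+"):
                proto = methods[i + 1].rstrip("+")
                if not any(ln.startswith(f"{proto}-server host") for ln in lines):
                    findings.append(f"{name}: uses group {methods[i + 1]} but no {proto}-server host is configured")
                if not any(ln.startswith(f"{proto}-server key") for ln in lines):
                    findings.append(f"{name}: no {proto}-server key; the server will reject the router's requests")
        if "local" not in methods:
            findings.append(f"{name}: no local fallback if the AAA server is unreachable (lockout risk)")
    # Walk the line sections: every referenced list must exist, and vty should be SSH-only
    section, vty_ssh, has_vty = None, False, False
    for ln in lines:
        if ln.startswith("line "):
            section = ln
            has_vty = has_vty or ln.startswith("line vty")
            continue
        m = re.match(r"\s*login authentication (\S+)$", ln)
        if m and section and m.group(1) not in method_lists:
            findings.append(f"{section}: method list '{m.group(1)}' is not defined (lockout risk)")
        if section and section.startswith("line vty") and ln.strip() == "transport input ssh":
            vty_ssh = True
    if has_vty and not vty_ssh:
        findings.append("line vty: no 'transport input ssh', so Telnet logins are still accepted")
    return findings


if __name__ == "__main__":
    for finding in check_aaa_config(R2_CONFIG):
        print(finding)
```

Run against the R2 excerpt it reports only the missing `transport input ssh`; paste in the R1 configuration from this lab and the vty finding disappears because R1 restricts its vty lines to SSH.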
Having completed this lab, you have gained the skills and hands-on experience for implementing both local and server-based AAA for user authentication in a Cisco environment. In the next section, you will learn how to deploy a zone-based firewall on an enterprise network.
In this section, you will learn how to implement a ZPF using a Cisco IOS router on a network. To get started with this exercise, we'll be using the Cisco Packet Tracer application. This application will allow us to create a simulated Cisco environment to practice our skills and gain experience.
The objective of this lab is to configure a Cisco IOS router as a ZPF. This will allow the ZPF to allow (permit) host devices on the internal network (inside zone) to access external devices (outside zone). However, it will restrict traffic that is originating from the outside zone that is attempting to access any resources within the inside zone.
Before building the lab environment, the following are a couple of important factors:
Once the Cisco Packet Tracer application is installed on your computer, please build the following network topology for this lab exercise:
As shown in the preceding diagram, the corporate network is connected to the Gi0/1 interface of the HQ router, while the internet (via the ISP router) is connected to the Gi0/0 interface of the same HQ router.
Once you have connected each device as shown in the preceding figure, we'll be using the following IPv4 addressing scheme to configure the IP addresses on each device:
To get started with deploying the ZPF, use the instructions mentioned in the following sections.
Using the IP addressing table, configure the IP address, subnet mask, and default gateway on both PC 1 and the web server.
Router>enable
Router#show version
The following screenshot shows that the security technology license is not active/missing:
Router#configure terminal
Router(config)#license boot module c2900 technology-package securityk9
An end user license agreement will appear. Type yes and hit Enter to agree. Then, type exit to move back to privilege mode on the HQ router.
Router#write
Router#copy running-config startup-config
Press Enter two times to save the configurations. Then, use the reload command to reboot the device:
Router#reload
Router>enable
Router#show version
The following screenshot indicates that the security technology license is now active:
Router>enable
Router#configure terminal
Router(config)#hostname HQ
HQ(config)#interface gigabitEthernet 0/0
HQ(config-if)#description Connected to ISP
HQ(config-if)#ip address 10.1.1.2 255.255.255.252
HQ(config-if)#no shutdown
HQ(config-if)#exit
HQ(config)#interface gigabitEthernet 0/1
HQ(config-if)#description Connected to LAN
HQ(config-if)#ip address 192.168.1.1 255.255.255.0
HQ(config-if)#no shutdown
HQ(config-if)#exit
HQ(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
Router>enable
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#interface gigabitEthernet 0/0
ISP(config-if)#description Connected to HQ
ISP(config-if)#ip address 10.1.1.1 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface gigabitEthernet 0/1
ISP(config-if)#description Connected to Web Server
ISP(config-if)#ip address 192.0.2.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
On the HQ router, we will create two security zones, an inside zone that is assigned to the internal interface (gi0/1), and an outside zone that is assigned to the external interface (gi0/0):
Router>enable
Router#configure terminal
Router(config)#hostname HQ
HQ(config)#zone security Inside-Zone
HQ(config-sec-zone)#exit
HQ(config)#zone security Outside-Zone
HQ(config-sec-zone)#exit
HQ(config)#ip access-list extended Internal-Traffic
HQ(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
HQ(config-ext-nacl)#exit
HQ(config)#class-map type inspect match-all Internal-Class-Map
HQ(config-cmap)#match access-group name Internal-Traffic
HQ(config-cmap)#exit
Create a policy map with the name Inside-2-Outside, and then configure it to inspect and use the information from the Internal-Class-Map class map:
HQ(config)#policy-map type inspect Inside-2-Outside
HQ(config-pmap)#class type inspect Internal-Class-Map
HQ(config-pmap-c)#inspect
HQ(config-pmap-c)#exit
HQ(config-pmap)#exit
HQ(config)#zone-pair security Inside-2-Outside-ZonePair source Inside-Zone destination Outside-Zone
HQ(config-sec-zone-pair)#service-policy type inspect Inside-2-Outside
HQ(config-sec-zone-pair)#exit
HQ(config)#interface gigabitEthernet 0/1
HQ(config-if)#zone-member security Inside-Zone
HQ(config-if)#exit
HQ(config)#interface gigabitEthernet 0/0
HQ(config-if)#zone-member security Outside-Zone
HQ(config-if)#exit
As shown in the preceding screenshot, PC1 on the inside zone is able to communicate with the web server on the outside zone.
The following information can be gathered from the preceding screenshot:
- The existing zone pairs: Inside-2-Outside-ZonePair
- The policy map: Inside-2-Outside
- The class map: Internal-Class-Map
- The ACL: Internal-Traffic
- The source IP address and port: 192.168.1.10:33
- The destination IP address and port: 192.0.2.10:0
- Protocol: ICMP
However, when you try to perform a ping test from the web server to PC1, the connection will fail. This is simply due to the ZPF policy to filter traffic originating from the outside zone to the inside zone, as shown:
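The two ping results above come from the stateful inspection the zone pair performs: an inside-initiated flow that matches the class map opens a session, and only replies to that session are allowed back from the outside zone, while a new flow from outside has no zone pair and is dropped. The following added example (a constructed Python model, not IOS code or anything from the book) reproduces that decision logic for the HQ router's zones, zone pair and ACL.

```python
import ipaddress

# Constructed model of the HQ configuration above: interface zone membership, the
# Inside-2-Outside zone pair, and the Internal-Traffic ACL (this is not IOS code).
ZONE_OF_IFACE = {"gi0/1": "Inside-Zone", "gi0/0": "Outside-Zone"}
ZONE_PAIRS = {("Inside-Zone", "Outside-Zone"): "Inside-2-Outside"}  # (source, destination) -> policy map
INTERNAL_TRAFFIC = ipaddress.ip_network("192.168.1.0/24")            # ACL Internal-Traffic


class ZonePolicyFirewall:
    """Simplified ZPF: inspected flows open a session; only replies to those sessions come back."""

    def __init__(self):
        self.sessions = set()  # (proto, src, dst) opened by traffic that matched an inspect action

    def forward(self, proto, msg, src, dst, in_iface, out_iface):
        """Return True if the packet is forwarded, False if the ZPF drops it."""
        src_zone, dst_zone = ZONE_OF_IFACE[in_iface], ZONE_OF_IFACE[out_iface]
        if src_zone == dst_zone:
            return True  # traffic within one zone is not policed
        # Reply to an inspected session: allowed back regardless of zone-pair direction
        if msg == "echo-reply" and (proto, dst, src) in self.sessions:
            return True
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            return False  # no zone pair for this direction: dropped by default
        # Policy map Inside-2-Outside inspects what class map Internal-Class-Map matches
        if policy == "Inside-2-Outside" and ipaddress.ip_address(src) in INTERNAL_TRAFFIC:
            self.sessions.add((proto, src, dst))
            return True
        return False  # implicit class-default: drop


def ping(fw, src, dst, in_iface, out_iface):
    """Simulate one echo request and, if it got through, the echo reply on the reverse path."""
    request_ok = fw.forward("icmp", "echo-request", src, dst, in_iface, out_iface)
    reply_ok = request_ok and fw.forward("icmp", "echo-reply", dst, src, out_iface, in_iface)
    return request_ok, reply_ok


if __name__ == "__main__":
    fw = ZonePolicyFirewall()
    print("PC1 -> web server:", ping(fw, "192.168.1.10", "192.0.2.10", "gi0/1", "gi0/0"))  # (True, True)
    print("web server -> PC1:", ping(fw, "192.0.2.10", "192.168.1.10", "gi0/0", "gi0/1"))  # (False, False)
```

Real IOS sessions also carry timeouts and per-protocol state; the model keeps only what is needed to show why the session table, not a second ACL, is what lets the reply through.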
Furthermore, you can use the following commands to troubleshoot ZPF configurations:
Having completed this lab, you have gained the hands-on experience and skills to implement a ZPF within a Cisco environment to filter traffic between networks. In the next section, you will learn how to configure a network-based IPS.
In this section, you will learn how to implement an IPS on a Cisco IOS router to scan and filter inbound traffic to the corporate network. As with the previous hands-on exercises, we will be using the Cisco Packet Tracer application to simulate a Cisco environment.
Before building the lab environment, the following are a couple of important factors:
Once the Cisco Packet Tracer application is installed on your computer, please build the following network topology for this lab exercise:
As shown in the preceding diagram, the HQ router is connected to the 192.168.1.0/24 network, which represents an internal corporate network. The objective is to configure the HQ router to also function as an IPS to scan and filter inbound traffic that is originating from the ISP and the internet.
Once you have connected each device as shown in the preceding figure, we'll be using the following IPv4 addressing scheme to configure the IP addresses on each device:
To get started with configuring the IPS, use the following instructions.
Router>enable
Router#show version
The following screenshot shows that the security technology license is not active/missing:
Router#configure terminal
Router(config)#license boot module c1900 technology-package securityk9
An end user license agreement will appear. Type yes and hit Enter to agree. Then, type exit to move back to privilege mode on the HQ router.
Router#write
Router#copy running-config startup-config
Press Enter two times to save the configurations. Then, use the reload command to reboot the device:
Router#reload
Router>enable
Router#show version
The following screenshot indicates that the security technology license is now active:
Router#mkdir ciscoipsdir
Create directory filename [ciscoipsdir]?
Created dir flash:ciscoipsdir
When the router asks whether you want to accept the changes, simply hit Enter on your keyboard as an indication of yes.
Router#configure terminal
Router(config)#ip ips config location flash:ciscoipsdir
Router(config)#ip ips name ciscoipsrule
Router(config)#exit
It's important to enable the logging of the IPS events on the HQ router whenever a security event occurs, hence we enabled the syslog feature on the syslog server at the beginning of this lab:
Router#clock set 10:45:00 18 february 2021
Router#configure terminal
Router(config)#service timestamps log datetime msec
Router(config)#ip ips notify log
Router(config)#logging host 192.168.1.20
Router(config)#ip ips signature-category
Router(config-ips-category)#category all
Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#exit
Router(config-ips-category)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit
Do you want to accept these changes? [confirm]
When the router asks whether you want to accept the changes, simply hit Enter on your keyboard as an indication of yes.
Use the following commands to apply the IPS rule to inspect and filter traffic that is leaving the gigabitEthernet 0/1 interface on the HQ router, that is, traffic arriving from the ISP side and heading into the 192.168.1.0/24 LAN:
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip ips ciscoipsrule out
Router(config-if)#exit
Router(config)#ip ips signature-definition
Router(config-sigdef)#signature 2004 0
Router(config-sigdef-sig)#status
Router(config-sigdef-sig-status)#retired false
Router(config-sigdef-sig-status)#enabled true
Router(config-sigdef-sig-status)#exit
This configuration will block any ICMP Echo Request messages that are originating from outside the 192.168.1.0/24 network.
Router(config-sigdef-sig)#engine
Router(config-sigdef-sig-engine)#event-action produce-alert
Router(config-sigdef-sig-engine)#event-action deny-packet-inline
Router(config-sigdef-sig-engine)#exit
Router(config-sigdef-sig)#exit
Router(config-sigdef)#exit
Do you want to accept these changes? [confirm]
When the router asks whether you want to accept the changes, simply hit Enter on your keyboard as an indication of yes.
Important note
To learn more about Cisco IPS Signature 2004, please refer to the following URL: https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=2004.
Router>enable
Router#configure terminal
Router(config)#hostname HQ
HQ(config)#interface gigabitEthernet 0/0
HQ(config-if)#description Connected to ISP
HQ(config-if)#ip address 10.1.1.2 255.255.255.252
HQ(config-if)#no shutdown
HQ(config-if)#exit
HQ(config)#interface gigabitEthernet 0/1
HQ(config-if)#description Connected to LAN
HQ(config-if)#ip address 192.168.1.1 255.255.255.0
HQ(config-if)#no shutdown
HQ(config-if)#exit
HQ(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
HQ(config)#exit
Router>enable
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#interface gigabitEthernet 0/0
ISP(config-if)#description Connected to HQ
ISP(config-if)#ip address 10.1.1.1 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface gigabitEthernet 0/1
ISP(config-if)#description Connected to Web Server
ISP(config-if)#ip address 192.0.2.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
ISP(config)#exit
As shown in the preceding screenshot, the IPS storage location is set to flash:ciscoipsdir.
The following screenshot shows the events that are created through syslog; there's only one active signature, the IPS rule that we created earlier, and the IPS rule that is configured under the interface:
As shown in the preceding screenshot, PC1 can successfully send ping messages outside the 192.168.1.0/24 network.
As shown in the preceding screenshot, devices that are outside the 192.168.1.0/24 network will not be able to send ping messages such as ICMP Echo Request packets. This action was configured to deny (terminate) inline packets that met the criteria.
*Feb 18, 10:57:07.5757: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.0.2.10 -> 192.168.1.10:0] RiskRating:25
*Feb 18, 10:57:13.5757: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.0.2.10 -> 192.168.1.10:0] RiskRating:25
Notice how each syslog message contains the timestamp and details pertaining to the security event. Additionally, these logs are sent to the syslog server on the network.
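Once these messages reach the syslog server, they are only useful if something parses them. The following added example (not from the book or from Cisco) is a Python parser for the `%IPS-4-SIGNATURE` format shown above, run over a constructed sample built from the two log lines in this lab plus an unrelated syslog line, and it counts how often each source address trips the same signature.

```python
import re
from collections import Counter

# Constructed sample: the two %IPS-4-SIGNATURE lines from this lab plus one unrelated syslog line.
SAMPLE_LOG = """\
*Feb 18, 10:57:07.5757: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.0.2.10 -> 192.168.1.10:0] RiskRating:25
*Feb 18, 10:57:13.5757: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.0.2.10 -> 192.168.1.10:0] RiskRating:25
*Feb 18, 10:58:01.123: %SYS-5-CONFIG_I: Configured from console by console
"""

# Field layout of the IOS IPS alert: timestamp, facility-severity-mnemonic, signature ids,
# severity, "[src[:port] -> dst[:port]]" and the risk rating.
IPS_ALERT = re.compile(
    r"^\*(?P<ts>[A-Za-z]{3} \d{1,2}, \d{2}:\d{2}:\d{2}\.\d+): "
    r"%IPS-(?P<level>\d)-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"\[(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\] "
    r"RiskRating:(?P<risk>\d+)$"
)


def parse_ips_alerts(log_text: str) -> list[dict]:
    """Extract IPS signature alerts from syslog text; non-IPS lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = IPS_ALERT.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("level", "sig", "subsig", "sev", "risk"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def alerts_by_source(alerts: list[dict]) -> Counter:
    """Count alerts per (signature, source address) so repeat offenders stand out."""
    return Counter((a["sig"], a["src"]) for a in alerts)


def repeat_sources(alerts: list[dict], threshold: int = 2) -> list[tuple[int, str]]:
    """Sources that triggered the same signature at least `threshold` times."""
    return [key for key, n in alerts_by_source(alerts).items() if n >= threshold]


if __name__ == "__main__":
    parsed = parse_ips_alerts(SAMPLE_LOG)
    print(f"{len(parsed)} IPS alerts parsed")
    print("repeat sources:", repeat_sources(parsed))
```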
Having completed this exercise, you have gained hands-on skills on how to implement an IPS using a Cisco IOS router within a network. In the next section, you will discover how to implement various layer 2 security solutions.
During the course of this chapter, you have discovered how to implement AAA on Cisco devices to handle the authentication process when a user attempts to log in to a network device. Additionally, you have gained hands-on experience in configuring a Cisco IOS router to function as a zone-based firewall that filters inbound traffic from an untrusted zone. Lastly, you have gained the skills to configure an IPS to detect and block network-based intrusions.
I hope this chapter has been informative for you and will prove helpful in your journey toward learning the foundations of cybersecurity operations and gaining your Cisco Certified CyberOps Associate certification. In the next chapter, you will learn how to implement various security technologies within a Cisco environment.
For more information on the topics covered in this chapter, refer to the following links: