CIS-4080 Homework #1: Securing the Router

Due: Friday, January 27, 2023

Reading: ...

Part 1

In this part you will configure some security settings on a router in Packet Tracer. You will first need to download and install Packet Tracer for your platform. If you have a Cisco Networking Academy account, you can log into the Networking Academy page and download Packet Tracer from there. If you don't have a Networking Academy account, create an account for yourself on Cisco's Skills for All site, enroll in the introductory Packet Tracer course (which is short and might be worth doing), and download Packet Tracer from there.

Proceed as follows:

  1. Load the file homework-01.pkt into Packet Tracer. The network contains one router, one switch, and four PCs. None of the devices are configured in any way.

    Alice is the primary network administrator for the organization. Bob is a junior network administrator with limited privilege. Carol is an ordinary, legitimate user. Mallory is a malicious attacker who wishes to take over the router R1.

  2. Imagine that you are Alice. Log into the console of R1 (click on the router icon and select the "CLI" tab) to do its initial configuration. Start by giving the interfaces IP addresses:

        Router> enable
        Router# configure terminal
        Router(config)# interface GigabitEthernet 0/0
        Router(config-if)# ip address 192.168.0.254 255.255.255.0
        Router(config-if)# no shutdown
        Router(config-if)# exit
        Router(config)# interface GigabitEthernet 0/1
        Router(config-if)# ip address 192.168.1.254 255.255.255.0
        Router(config-if)# no shutdown
        Router(config-if)# exit
        Router(config)#
      
  3. Next, set the IP address information on each of the PCs (click on the PC icon and select the "Config" tab). In the "Global Settings" set the default gateway to be the IP address of the router interface connected to the PC. For example, Carol's PC is on the 192.168.0.0/24 network, so her default gateway is 192.168.0.254.

    In the FastEthernet0 settings, set the IPv4 address of each PC appropriately using the netmask 255.255.255.0.

  4. There should now be connectivity around the network. From Alice's PC try pinging Carol's PC. Do this by opening the "Desktop" tab on Alice's PC and selecting "Command Prompt." Then use the command:

          C:\> ping 192.168.0.1

    Verify that each PC can ping the other three.

  5. Alice doesn't want to go into the wiring closet and plug her laptop into the console port of the router every time she needs to update its configuration. She wants to access the router remotely via SSH from her office.

    Go through the "global settings" and "console access" settings in the Basic Cisco Device Settings document to give the router a reasonable initial configuration. Do not set up telnet access. Instead, set up SSH access as described in the document, but also create a second user named jr-admin using a "secret" of "jr-cisco" operating at privilege level 5. Please use this password despite how terrible it is, so I can evaluate your work later. Set the SSH authentication retries to 5 before disconnection. See slide #4 in Securing Net Devices, Part 2.

  6. Configure the system so that if 3 attempts are made to log in during a two-minute interval, the system blocks further login attempts for 5 minutes. How is this different from the SSH authentication retries setting? Also configure the system so that failed login attempts are logged. See slide #22 in Securing Net Devices, Part 1.

  7. Configure privilege level 5 so that it includes the ability to use the reload command. This command reboots the router. Thus, the jr-admin has only this extra power over an "ordinary" (level 1) user. (Alice is skeptical of Bob's skills right now.) See slide #13 in Securing Net Devices, Part 2.

  8. Very Important! Execute the following command to save your final configuration to non-volatile storage. If you don't do this, the configuration will revert to its original setting when you reboot the router!

          R1# copy running-config startup-config
        
  9. Now it's time to check things that should be allowed. Verify that when the admin user logs in the privilege level is 15 (use the show privilege command). Verify that when the jr-admin logs in the privilege level is 5. To do this, open the "Command Prompt" on Alice's PC and use a command such as:

          C:\> ssh -l admin 192.168.1.254

    Log out and then repeat this check using the jr-admin account.

  10. While logged into the router as jr-admin, verify that the router can be rebooted via the reload command. Give Packet Tracer a couple of minutes to simulate the reboot before continuing.

  11. Verify that if three login attempts are made "quickly" the router blocks future attempts for two minutes (approximately).

  12. Verify that the failed login attempts are being logged.

  13. Now check things that should not be allowed. Verify that the jr-admin user is not able to, for example, change the IP address assignments of the router's interfaces.
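As an added example (not the assignment's own solution, and not taken from the Basic Cisco Device Settings document or the slides), here is one sequence of IOS commands that implements steps 5 through 8 and the checks in steps 9 through 12. The hostname R1, the jr-admin account, and the lockout values come from the assignment; the domain name and the admin secrets are placeholders you must replace.

```cisco
! Added example; values marked PLACEHOLDER are assumptions, not from the assignment.
Router> enable
Router# configure terminal
Router(config)# hostname R1
! A hostname and domain name must exist before RSA keys can be generated.
R1(config)# ip domain-name example.net
R1(config)# enable secret ENABLE-SECRET-PLACEHOLDER
R1(config)# service password-encryption
! Local accounts: full admin at level 15, junior admin at level 5 (step 5).
R1(config)# username admin privilege 15 secret ADMIN-SECRET-PLACEHOLDER
R1(config)# username jr-admin privilege 5 secret jr-cisco
! Step 7: level 5 gains only the reload command beyond level 1.
R1(config)# privilege exec level 5 reload
! Console access uses the local account database.
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# logging synchronous
R1(config-line)# exit
! Step 5: SSH only (no telnet) on the vty lines, 5 authentication retries.
R1(config)# crypto key generate rsa modulus 2048
R1(config)# ip ssh version 2
R1(config)# ip ssh authentication-retries 5
R1(config)# ip ssh time-out 60
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exec-timeout 10 0
R1(config-line)# exit
! Step 6: 3 failures within 120 s trigger a 300 s quiet period; log failures.
R1(config)# login block-for 300 attempts 3 within 120
R1(config)# login on-failure log
R1(config)# end
! Step 8: persist the configuration across a reload.
R1# copy running-config startup-config
! Verification commands for steps 9 through 12 (run after logging in via SSH).
R1# show privilege
R1# show ip ssh
R1# show login
R1# show login failures
```

`show login` reports whether the router is currently in its quiet period, and `show login failures` lists the logged failed attempts by source address and username.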

Part 2

In this part... [FINISH ME]

Submit to Canvas your modified homework-01.pkt.


Last Revised: 2023-01-23
© Copyright 2023 by Peter C. Chapin <pchapin@vtc.edu>