Net-461_Lab Part 03

Uploaded by

mrksa8000

LAB MANUAL

LAB EXPERIMENT 02 : SECURING NETWORK DEVICES

SECURING NETWORK DEVICES: NETWORK ROUTERS

PERFORMANCE OBJECTIVES

Upon completion of this laboratory exercise, the student technicians/engineers will be able to:
1. Secure the router for administrative access
2. Configure passwords
3. Log router activity

TOOLS & EQUIPMENT

• PC running Windows 7 or higher with internet access, having Packet Tracer 7
• 3 Routers (Cisco 1941 with Cisco IOS Release 15.4(3)M2 image with a Security Technology Package license)
• 2 Switches (Cisco 2960 or comparable) (Not Required)
• 2 PCs (Windows 7 or 8.1, SSH Client, Kiwi or Tftpd32 Syslog server)
• Serial and Ethernet cables as shown in the topology
• Console cables to configure Cisco networking devices

MATERIALS (if needed)

• None

RESOURCES(if needed)

• None

DISCUSSION
The router is the backbone of network communication, so anyone implementing security
measures in a network must start with the router's security configuration.

Basic router security involves the following:

• Password configuration
• Logging router activity

COMPUTER NETWORK II

Network Topology

Addressing Table

Device  Interface     IP Address    Subnet Mask      Default Gateway  Switch Port
R1      F0/1          192.168.1.1   255.255.255.0    N/A              S1 F0/1
        S0/0/0 (DCE)  10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0        10.1.1.2      255.255.255.252  N/A              N/A
        S0/0/1        10.2.2.2      255.255.255.252  N/A              N/A
R3      F0/1          192.168.3.1   255.255.255.0    N/A              S3 F0/1
        S0/0/1        10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC           192.168.1.3   255.255.255.0    192.168.1.1      S1 F0/2
PC-C    NIC           192.168.3.3   255.255.255.0    192.168.3.1      S3 F0/2

Objectives

Part 1: Configure Basic Device Settings


• Cable the network as shown in the topology.
• Configure basic IP addressing for routers and PCs.
• Configure PC hosts.
• Verify connectivity between hosts and routers.

Part 2: Control Administrative Access for Routers

YANBU UNIVERSITY COLLEGE

• Configure and encrypt all passwords.
• Configure a login warning banner.
• Configure enhanced username password security.

Background / Scenario

The router is a critical component in any network. It controls the movement of data into and
out of the network and between devices within the network. It is particularly important to
protect network routers because the failure of a routing device could make sections of the
network, or the entire network, inaccessible. Controlling access to routers and enabling
reporting on routers is critical to network security and should be part of a comprehensive
security policy.

In this lab, you will build a multi-router network and configure the routers and hosts. Use
various CLI tools to secure local and remote access to the routers, analyze potential
vulnerabilities, and take steps to mitigate them. Enable management reporting to monitor
router configuration changes.

The router commands and output in this lab are from a Cisco 1941 router using Cisco IOS
software, release 15.4(3) M2 (with a Security Technology Package license). Other routers
and Cisco IOS versions can be used. See the Router Interface Summary Table at the end of
the lab to determine which interface identifiers to use based on the equipment in the lab.
Depending on the model of the router, the commands available and output produced may
vary from what is shown in this lab.

Note: Before you begin, ensure that the routers and the switches have been erased and have
no startup configurations.

SAFETY WARNING / CAUTION (if required)

None

TASK-1:

Configuring Basic Device Settings

A. PROCEDURE
Set up the network topology and configure basic settings, such as interface IP addresses.

Step 1: Cable the network.


Attach the devices, as shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for each router.


a. Configure host names as shown in the topology.

Router(config)#hostname R1

b. Configure interface IP addresses as shown in the IP Addressing Table.

c. Configure a clock rate for routers with a DCE serial cable attached to their
serial interface. R1 is shown here as an example.

R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000

d. To prevent the router from attempting to translate incorrectly entered
commands as though they were host names, disable DNS lookup. R1 is shown here as
an example.

R1(config)# no ip domain-lookup

Step 3: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A and PC-C as shown
in the IP Addressing Table.

B. OBSERVATIONS

C. ANALYSIS

D. CONCLUSION

TASK-2:


Control Administrative Access for Routers

A. PROCEDURE

• Configure a login warning banner.
• Configure enhanced virtual login security.
• Configure enhanced password security.
• Configure and encrypt passwords.

Note: Perform all tasks on both R1 and R3. The procedures and output for R1 are shown
here.

Configure Passwords on Routers R1 and R3.

Step 1: Configure the enable secret password.

Configure the enable secret encrypted password on both routers. Use the type 9 (SCRYPT)
hashing algorithm.

R1(config)# enable algorithm-type scrypt secret cisco12345

How does configuring an enable secret password help protect a router from being
compromised by an attack?

The goal is to always prevent unauthorized users from accessing a device using Telnet, SSH,
or via the console. If attackers are able to penetrate this first layer of defense, using an
enable secret password prevents them from being able to alter the configuration of the
device. Unless the enable secret password is known, a user cannot go into privileged EXEC
mode where they can display the running config and enter various configuration commands
to make changes to the router. This provides an additional layer of security.

Step 2: Configure basic console, auxiliary port, and virtual access lines.

Note: Passwords in this task are set to a minimum of 10 characters but are relatively
simple for the benefit of performing the lab. More complex passwords are
recommended in a production network.

A. Configure a console password and enable login for routers.

For additional security, the exec-timeout command causes the line to log out
after 5 minutes of inactivity. The logging synchronous command prevents console
messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 5,
which prevents it from expiring. However, this is not considered a good security practice.

R1(config)# line console 0
R1(config-line)# password ciscocon
R1(config-line)# exec-timeout 5
R1(config-line)# login
R1(config-line)# logging synchronous

When you configured the password for the console line, what message was displayed?
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

B. Configure a new password of ciscoconpass for the console.

C. Configure a password for the AUX port for router R1.

R1(config)# line aux 0
R1(config-line)# password ciscoauxpass
R1(config-line)# exec-timeout 5
R1(config-line)# login

D. Telnet from R2 to R1.

R2>telnet 10.1.1.1

Were you able to login? Explain.


___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

What messages were displayed?


___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

E. Configure the password on the vty lines for router R1.

R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5
R1(config-line)# transport input telnet
R1(config-line)# login

Note: The default for vty lines is now transport input none.

Telnet from R2 to R1 again. Were you able to login this time?

F. Enter privileged EXEC mode and issue the show run command. Can you read the
enable secret password? Explain.


___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

Can you read the console, aux, and vty passwords? Explain.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

G. Repeat the configuration portion of steps 2a through 2f on router R3.

Step 3: Encrypt clear text passwords.

a) Use the service password-encryption command to encrypt the console, aux,
and vty passwords.

R1(config)# service password-encryption

b) Issue the show run command. Can you read the console, aux, and vty
passwords? Explain.

At what level (number) is the default enable secret password encrypted? ______________
At what level (number) are the other passwords encrypted? ______________
Which level of encryption is harder to crack and why?

A. OBSERVATIONS

B. ANALYSIS

C. CONCLUSION

TASK-3:


Configure a Login Warning Banner on Routers R1 and R3.

Step 1: Configure a warning message to display prior to login.

a. Configure a warning to unauthorized users with a message-of-the-day (MOTD)
banner using the banner motd command. When a user connects to one of the routers, the
MOTD banner appears before the login prompt. In this example, the dollar sign ($) is used to
start and end the message.

R1(config)# banner motd $Unauthorized Access is Strictly Prohibited!$
R1(config)# exit

b. Issue the show run command. What does the $ convert to in the output?

A. OBSERVATIONS

B. ANALYSIS

C. CONCLUSION

TASK-4:


Configure Enhanced Username Password Security on Routers R1 and R3.

Step 1: Investigate the options for the username command.

In global configuration mode, enter the following command:

R1(config)# username user01 ?

What options are available?

Step 2: Create a new user account with a secret password.

a. Create a new user account with SCRYPT hashing to encrypt the password.

R1(config)# username user01 algorithm-type scrypt secret user01pass

b. Exit global configuration mode and save your configuration.

c. Display the running configuration. Which hashing method is used for the
password?

Step 3: Test the new account by logging in to the console.

a. Set the console line to use the locally defined login accounts.

R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# end
R1# exit

b. Exit to the initial router screen which displays: R1 con0 is now available,
Press RETURN to get started.

c. Log in using the previously defined username user01 and the password
user01pass. What is the difference between logging in at the console now and
previously?

d. After logging in, issue the show run command.

Were you able to issue the command? Explain.

e. Enter privileged EXEC mode using the enable command.

Were you prompted for a password? Explain.

Step 4: Test the new account by logging in from a Telnet session.

a. From PC-A, establish a Telnet session with R1.

Telnet is disabled by default in Windows 7. If necessary, search online for the steps
to enable Telnet in Windows 7.

PC-A>telnet 192.168.1.1

Were you prompted for a user account? Explain.

b. Set the vty lines to use the locally defined login accounts.

R1(config)# line vty 0 4
R1(config-line)# login local

c. From PC-A, telnet to R1 again.

PC-A>telnet 192.168.1.1

Were you prompted for a user account? Explain.

d. Log in as user01 with a password of user01pass.

e. During the Telnet session to R1, access privileged EXEC mode with the enable
command.

What password did you use?

f. For added security, set the AUX port to use the locally defined login accounts.

R1(config)# line aux 0
R1(config-line)# login local

g. End the Telnet session with the exit command.
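As an added example that is not part of this lab manual, the following Python audit reads an IOS running-config shaped like the one R1 ends up with after Task 2 (Steps 2 and 3) and Task 4, and flags the weak settings these tasks ask you to reason about: line passwords stored in cleartext or as reversible type 7, an exec-timeout of 0, line-password login on a line where login local could be used, and telnet accepted on the vty lines. The config text and its hash strings are constructed placeholders, not output captured from a router.

```python
import re

# Constructed sample running-config shaped like the R1 configuration built in
# Tasks 2 and 4 of this lab. Hash strings are placeholders, not real digests.
SAMPLE_CONFIG = """\
enable secret 9 $9$PLACEHOLDER_SCRYPT_HASH
username user01 secret 9 $9$PLACEHOLDER_SCRYPT_HASH
line con 0
 password 7 PLACEHOLDER_TYPE7
 exec-timeout 0 0
 login local
line aux 0
 password ciscoauxpass
 login
line vty 0 4
 password 7 PLACEHOLDER_TYPE7
 exec-timeout 5 0
 transport input telnet
 login
"""

# "password <type> <value>" or "password <value>" under a line section
PASSWORD_RE = re.compile(r"^password(?:\s+(\d))?\s+(\S+)$")

def audit_config(text):
    """Return (section, finding) pairs for weak line/password settings."""
    lines = text.splitlines()
    has_local_users = any(l.startswith("username ") and " secret " in l for l in lines)
    findings = []
    section = "global"
    for raw in lines:
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command: new line section or global
            section = line if line.startswith("line ") else "global"
        if section == "global":
            if line.startswith("enable secret ") and line.split()[2] not in ("8", "9"):
                findings.append((section, "enable secret is not type 8/9; prefer type 9 scrypt"))
            continue
        m = PASSWORD_RE.match(line)
        if m:
            kind = "reversible type 7" if m.group(1) == "7" else "cleartext"
            findings.append((section, f"{kind} line password"))
        elif line in ("exec-timeout 0", "exec-timeout 0 0"):
            findings.append((section, "exec-timeout 0 never expires idle sessions"))
        elif line == "login" and has_local_users:
            findings.append((section, "line password login; use login local instead"))
        elif line.startswith("transport input ") and line.split()[-1] in ("telnet", "all"):
            findings.append((section, "telnet accepted; credentials cross the network unencrypted"))
    if "service password-encryption" not in text and any("cleartext" in f for _, f in findings):
        findings.append(("global", "service password-encryption is not enabled"))
    return findings
```

Type 7 is flagged even though service password-encryption would hide the password in show run, because type 7 is reversible; only the secret forms (type 5, 8 or 9) are one-way hashes.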

A. OBSERVATIONS

B. ANALYSIS

C. CONCLUSION

FINAL CHECKLIST (if applicable)

1. Clean your equipment, materials, and work benches before you leave
2. Return all equipment and materials to their proper storage area
3. Submit your lab report on time
