Implement network security on edge routers and LAN


Scenario

UKSports is a supplier of Taekwondo sparring equipment to TKD schools in the UK and Europe. The company has recently acquired new administration premises in London, and you have been asked to implement network security on their edge routers and LAN switches and to provide evidence that the network is secure.

IP Addressing Table

Device       Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
LONDON       Fa0/0          10.10.20.1    255.255.255.0    N/A              SL Gig 1/1
LONDON       S0/0/0         192.168.1.1   255.255.255.252  N/A              N/A
ISP          S0/0/0 (DCE)   192.168.1.2   255.255.255.252  N/A              N/A
ISP          S0/0/1 (DCE)   192.168.1.6   255.255.255.252  N/A              N/A
GERMANY      Fa0/0          10.10.30.1    255.255.255.0    N/A              SG Gig 1/1
GERMANY      S0/0/1         192.168.1.5   255.255.255.252  N/A              N/A
SL1          VLAN 100       10.10.20.2    255.255.255.0    10.10.20.1       SL2 Gig1/2-11
SL2          VLAN 100       10.10.20.3    255.255.255.0    10.10.20.1       SL1 Gig1/2
SG           VLAN 100       10.10.30.2    255.255.255.0    10.10.30.1       N/A
PC-L         NIC            10.10.20.15   255.255.255.0    10.10.20.1       SL1 Fa0/1
HTTP Server  NIC            10.10.20.16   255.255.255.0    10.10.20.1       SL2 Fa0/10
PC-G         NIC            10.10.30.10   255.255.255.0    10.10.30.1       SG Fa0/21

You have been given a detailed security plan for UKSports and have been specifically asked to undertake the following implementation tasks:

Part 1 - Basic network device configuration

Step 1 - Basic router configuration

• Configure router hostnames (as specified in the scenario)
• Configure IP addresses as described in the IP Addressing Table
• Configure a clock rate of 64000 in the appropriate serial interfaces

Step 2 - Static Routes

• Configure a static default route on edge routers LONDON and GERMANY
• Configure static routes on the ISP router to LONDON's LAN and to GERMANY's LAN, specifying an interface as the exit parameter.

Step 3 - PC Configuration

• Configure appropriate IP addresses, subnet masks and default gateways for each PC
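The three steps above, worked through for all three routers as an added example (this is not part of the assignment text or a supplied solution). Interface names and addresses are taken from the IP Addressing Table; the ISP router holds the DCE end of both serial links, so the clock rate belongs there, and its two LAN routes use the exit interface as the parameter, as Step 2 requires. The PCs are configured through their own network settings (in Packet Tracer, the Desktop > IP Configuration tab) with the NIC rows of the table.

```cisco
! ---- LONDON (edge router, DTE end of the serial link) ----
enable
configure terminal
hostname LONDON
interface FastEthernet0/0
 ip address 10.10.20.1 255.255.255.0
 no shutdown
interface Serial0/0/0
 ip address 192.168.1.1 255.255.255.252
 no shutdown
! Default route: everything not on the LAN goes to the ISP
ip route 0.0.0.0 0.0.0.0 192.168.1.2
end

! ---- ISP (DCE end of both links, so the clock rate is set here) ----
enable
configure terminal
hostname ISP
interface Serial0/0/0
 ip address 192.168.1.2 255.255.255.252
 clock rate 64000
 no shutdown
interface Serial0/0/1
 ip address 192.168.1.6 255.255.255.252
 clock rate 64000
 no shutdown
! Static routes to each customer LAN, using the exit interface as the parameter
ip route 10.10.20.0 255.255.255.0 Serial0/0/0
ip route 10.10.30.0 255.255.255.0 Serial0/0/1
end

! ---- GERMANY (edge router) ----
enable
configure terminal
hostname GERMANY
interface FastEthernet0/0
 ip address 10.10.30.1 255.255.255.0
 no shutdown
interface Serial0/0/1
 ip address 192.168.1.5 255.255.255.252
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.6
end

! ---- Evidence for Question 1 (run on each router, then ping from the PCs) ----
show ip interface brief
show ip route
ping 10.10.30.10
```

For the report, `show ip route` on ISP should list both 10.10.20.0/24 and 10.10.30.0/24 as static routes, and a ping from PC-L (10.10.20.15) to PC-G (10.10.30.10) should succeed once the default routes on the edge routers are in place. If the ping fails only in one direction, the usual cause is a missing default route on the far edge router rather than a problem on ISP.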

Question 1. In your report, include several screenshots showing that there is communication between the routers and the PCs.

Part 2 - Secure Network Routers

Step 1 - Configure Passwords and login banner

• Define a minimum length of 8 for all passwords
• Encrypt all plain text passwords
• Configure the password class123 as the privileged password and cisco123 on the console line
• Configure the warning banner: Unauthorised access prohibited

Step 2 - Configure Local Authentication using AAA on edge routers (LONDON and GERMANY)

• Create a local user account UKAdmin01 with a secret password of UKAdmin01pa55 and the highest privilege level
• Enable AAA services
• Create a default login authentication method list using local authentication as the first option and the enable password as the backup option

Question 2. In your report, provide evidence that the local database and the default login method list are working correctly.

Step 3 - Configure SSH Server on the edge routers (LONDON and GERMANY)

• Configure the domain name UKSPORTS.com
• Configure all the incoming vty lines so that level 15 users default to privileged EXEC mode when accessing the VTY lines, while all other users default to user EXEC mode. Specify that only SSH connections are allowed
• Configure the RSA keys with 1024 bits

Question 3. In your report, provide evidence that SSH is working correctly.

Step 4 - Secure against login attacks on LONDON and GERMANY

• Block logins for 60 seconds when a login attack is detected
• Set the maximum number of failed login attempts to 2
• Set the time window within which those failed attempts are counted to 30 seconds
• Log all failed login attempts
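Steps 1 to 4 of Part 2 applied to LONDON in one pass, as an added example (not part of the assignment text or a supplied solution); GERMANY gets the identical configuration with its own hostname. The values are those the steps specify; `ip ssh version 2` and the `login authentication default` statements on the lines are added because they are what makes the required behaviour explicit, and the console `login` command is replaced by the AAA default list as soon as `aaa new-model` is entered.

```cisco
enable
configure terminal
! ---- Step 1: passwords and banner ----
security passwords min-length 8
service password-encryption
enable secret class123
line console 0
 password cisco123
 login
 exit
banner motd #Unauthorised access prohibited#

! ---- Step 2: local AAA ----
! Local user with the highest privilege level, password stored as a secret
username UKAdmin01 privilege 15 secret UKAdmin01pa55
aaa new-model
! Default list: try the local database first, fall back to the enable secret
aaa authentication login default local enable
line console 0
 login authentication default
 exit

! ---- Step 3: SSH server ----
! Hostname and domain must exist before the RSA key pair is generated
ip domain-name UKSPORTS.com
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
line vty 0 4
 privilege level 15
 login authentication default
 transport input ssh
 exit

! ---- Step 4: login attack protection ----
! After 2 failures within 30 seconds, block further logins for 60 seconds
login block-for 60 attempts 2 within 30
login on-failure log
end

! ---- Evidence for Questions 2 and 3 ----
show ip ssh
show login
show login failures
! From GERMANY, open an SSH session to LONDON with the local account:
ssh -l UKAdmin01 192.168.1.1
```

For Question 2, a successful `ssh -l UKAdmin01 192.168.1.1` from GERMANY shows the local database being consulted; the fallback to the enable secret can be shown by temporarily removing the username and logging in with class123. For Question 3, `show ip ssh` should report SSH version 2 enabled and `show login` should list the quiet-mode settings; two deliberately wrong passwords within 30 seconds followed by a refused third attempt, together with the `%SEC_LOGIN-4-LOGIN_FAILED` entries from `show login failures`, is the evidence for Step 4. Note that with `login block-for` active, the only way in during the quiet period is the console unless a quiet-mode access class is configured.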

Step 5 - Configure a Zone-based policy firewall on LONDON

• Create two security zones named: INTERNAL_ZONE and EXTERNAL_ZONE

• Create access list 150 that permits all IP traffic from LONDON's LAN to any destination

• Create the INTERNAL_CMAP class map of type inspect using match-all; inside the class map, match access list 150

• Define the IN_2_OUT_PMAP policy map, referencing the INTERNAL_CMAP class map with the inspect action

• Define the IN_2_OUT_ZP zone pair with INTERNAL_ZONE as the source and EXTERNAL_ZONE as the destination, and apply IN_2_OUT_PMAP as the pair's inspect service policy

• Define the interface S0/0/0 as part of the EXTERNAL_ZONE and interface Fa0/0 as part of the INTERNAL_ZONE
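The zone-based policy firewall of Step 5 on LONDON, as an added example (not part of the assignment text or a supplied solution). The names, access list number and interfaces are those the step specifies; the `license boot` line is an assumption about the platform, since Packet Tracer's 1941/1900 routers need the securityk9 technology package enabled and reloaded before the `zone security` commands are accepted.

```cisco
enable
configure terminal
! Assumed platform requirement: enable the security package, then save and reload
license boot module c1900 technology-package securityk9
end
copy running-config startup-config
reload

enable
configure terminal
! Two zones: the LAN side and the ISP side
zone security INTERNAL_ZONE
zone security EXTERNAL_ZONE

! Interesting traffic: anything sourced from LONDON's LAN
access-list 150 permit ip 10.10.20.0 0.0.0.255 any

! match-all class map that matches on access list 150
class-map type inspect match-all INTERNAL_CMAP
 match access-group 150
 exit

! Policy map: inspect (stateful) the traffic classified by INTERNAL_CMAP
policy-map type inspect IN_2_OUT_PMAP
 class type inspect INTERNAL_CMAP
  inspect
  exit
 exit

! Zone pair inside -> outside with the inspect policy attached
zone-pair security IN_2_OUT_ZP source INTERNAL_ZONE destination EXTERNAL_ZONE
 service-policy type inspect IN_2_OUT_PMAP
 exit

! Assign interfaces to zones
interface FastEthernet0/0
 zone-member security INTERNAL_ZONE
 exit
interface Serial0/0/0
 zone-member security EXTERNAL_ZONE
 exit
end

! ---- Evidence for Question 4 ----
show zone security
show zone-pair security
show policy-map type inspect zone-pair sessions
```

The purpose of this configuration is to let hosts on LONDON's LAN open connections outward while dropping everything initiated from the ISP side: inspection records each session started from INTERNAL_ZONE so the matching return packets are allowed back through S0/0/0, and there is no zone pair from EXTERNAL_ZONE to INTERNAL_ZONE, so unsolicited traffic arriving on S0/0/0 is discarded. A ping from PC-L to PC-G should succeed and appear in `show policy-map type inspect zone-pair sessions` while it runs, whereas a ping from PC-G to PC-L or to the HTTP server should fail. Traffic to and from the router itself belongs to the self zone and is not affected, which is why the routers can still be pinged and why the ISAKMP and ESP exchanges of Part 3 are still able to terminate on LONDON.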

Question 4. In your report, explain the purpose of this configuration. Provide evidence that the firewall is working correctly, state which devices should be able to communicate with each other and which should not, and explain why.

Step 6 - Configure IPS on GERMANY

• Create a directory in flash named IPSDIR
• Configure the IPS signature storage location to the new directory
• Create an IPS rule named IOSIPS
• Configure the IPS so only the basic category is used
• Apply the rule to the outbound direction of interface S0/0/1
• Un-retire the echo request signature (signature 2004, subsig ID 0), enable it, and change the signature action to alert and drop
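The IOS IPS configuration of Step 6 on GERMANY, as an added example (not part of the assignment text or a supplied solution). Directory, rule name, interface and signature identifiers are those the step specifies; `ip ips notify log` and the syslog lines are added so that the alerts have somewhere to go. On a physical router the signature package and Cisco's public key would also have to be loaded before the rule does anything, which Packet Tracer does not require.

```cisco
enable
! Step 6a: directory in flash for the signature storage
mkdir IPSDIR

configure terminal
! Signature storage location and the IPS rule
ip ips config location flash:IPSDIR
ip ips name IOSIPS
! Send alerts to syslog (console is enough for the evidence screenshots)
ip ips notify log
logging console

! Retire every category, then un-retire only the basic category
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit

! Apply the rule outbound on the link towards the ISP
interface Serial0/0/1
 ip ips IOSIPS out
 exit

! Signature 2004 subsig 0 (ICMP echo request): un-retire, enable, alert and drop
ip ips signature-definition
 signature 2004 0
  status
   retired false
   enabled true
   exit
  engine
   event-action produce-alert
   event-action deny-packet-inline
   exit
  exit
 exit
end

! ---- Evidence for Question 5 ----
show ip ips all
show ip ips configuration
show ip ips signatures sigid 2004 subid 0
```

The rule is attached in the outbound direction of S0/0/1, so it examines packets leaving GERMANY towards the ISP. A ping from PC-G to PC-L therefore produces a `%IPS-4-SIGNATURE` alert on GERMANY's console and fails, because the echo requests are dropped before they leave the router, while a ping from PC-L to PC-G still succeeds: the requests arrive inbound on S0/0/1 and the replies leaving outbound are echo-reply packets, which signature 2004 does not match. `show ip ips all` should list IPSDIR as the configured location, IOSIPS on Serial0/0/1 outbound, and the number of signatures compiled from the basic category.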

Question 5. In your report, explain the purpose of this configuration. Provide evidence that the IPS is working correctly, state which devices should be able to communicate with each other and which should not, and explain why.

Part 3 - Configure a Site-to-Site VPN between LONDON and GERMANY

• Configure the following VPN settings (ISAKMP Phase 1 policy):

  Parameter                Value
  Policy number            10
  Key distribution method  ISAKMP
  Encryption algorithm     AES
  Hash algorithm           SHA-1
  Authentication method    Pre-share
  Key exchange             DH 2
  IKE SA lifetime          86400 seconds
  ISAKMP key               uksportsvpnpa55

o Set the VPN to be from LONDON's interface s0/0/0 to GERMANY's interface s0/0/0
o The interesting traffic in LONDON is the IP traffic from its LAN to GERMANY's LAN, and the interesting traffic in GERMANY is the IP traffic from its LAN to LONDON's LAN
o Use the following parameters for the IPsec Phase 2 policy:

  Parameter         LONDON                 GERMANY
  Transform set     VPN1                   VPN1
  Algorithms        esp-3des esp-sha-hmac  esp-3des esp-sha-hmac
  Peer hostname     GERMANY                LONDON
  Crypto map name   VPN-MAP1 Policy 10     VPN-MAP1 Policy 10
  SA establishment  ipsec-isakmp           ipsec-isakmp
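The site-to-site VPN of Part 3 on both edge routers, as an added example (not part of the assignment text or a supplied solution). Policy number, algorithms, lifetime, key, transform set and crypto map names are those given above. Two things are assumptions: the interesting-traffic access list is numbered 110 (the assignment gives no number), and the peer is identified by the serial address from the IP Addressing Table rather than by hostname, which also means GERMANY's end is placed on Serial0/0/1, the interface the table assigns to it. The securityk9 package has to be enabled on both routers, as in the firewall example.

```cisco
! ================= LONDON =================
enable
configure terminal
! ISAKMP (IKE Phase 1) policy 10: AES, SHA-1, pre-shared key, DH group 2, 1-day lifetime
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
 exit
! Pre-shared key for the GERMANY peer (serial address from the table)
crypto isakmp key uksportsvpnpa55 address 192.168.1.5

! Interesting traffic: LONDON LAN -> GERMANY LAN (access list number is assumed)
access-list 110 permit ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255

! IPsec (Phase 2) transform set and crypto map
crypto ipsec transform-set VPN1 esp-3des esp-sha-hmac
crypto map VPN-MAP1 10 ipsec-isakmp
 description VPN to GERMANY
 set peer 192.168.1.5
 set transform-set VPN1
 match address 110
 exit
interface Serial0/0/0
 crypto map VPN-MAP1
 exit
end

! ================= GERMANY =================
enable
configure terminal
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
 exit
crypto isakmp key uksportsvpnpa55 address 192.168.1.1

! Interesting traffic: GERMANY LAN -> LONDON LAN (mirror image of LONDON's list)
access-list 110 permit ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255

crypto ipsec transform-set VPN1 esp-3des esp-sha-hmac
crypto map VPN-MAP1 10 ipsec-isakmp
 description VPN to LONDON
 set peer 192.168.1.1
 set transform-set VPN1
 match address 110
 exit
interface Serial0/0/1
 crypto map VPN-MAP1
 exit
end

! ---- Evidence for Question 6 ----
show crypto isakmp policy
show crypto ipsec transform-set
show crypto map
! Generate interesting traffic (ping PC-G from PC-L), then:
show crypto isakmp sa
show crypto ipsec sa
```

The purpose of the configuration is that IP traffic between the two LANs is encrypted across the ISP, while everything else (the routers' own management traffic, and any LAN traffic to other destinations) still travels in the clear. Before any interesting traffic is sent, `show crypto ipsec sa` shows zero packets encapsulated; after a ping from PC-L to PC-G the `#pkts encaps`/`#pkts decaps` counters rise on both routers and `show crypto isakmp sa` shows the peer in state QM_IDLE. Only hosts in 10.10.20.0/24 and 10.10.30.0/24 use the tunnel, because only those prefixes match access list 110; a ping from PC-L to the ISP's serial address, for example, is routed normally. Bear in mind the interactions with Part 2 when reading the results: LONDON's zone-based firewall still permits only sessions started from its LAN, and GERMANY's IPS still drops echo requests leaving S0/0/1.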

Question 6. In your report, explain the purpose of this configuration. Provide evidence that the VPN is working correctly, state which devices should be able to use the VPN and which should not, and explain why.

Part 4 - Secure Network Switches

Step 1 - Configure IP address to the management VLAN

• Make VLAN 100 the management VLAN and assign the IP address. It is not necessary to configure a name to VLAN 100
• Configure the default gateway in all switches

Step 2 - Configure Passwords and a login Banner on Switches

• Configure the hostname of all switches
• Configure the enable secret password of class
• Configure the console line with a password of cisco
• Configure the vty ports with a password of cisco with an exec-timeout of 5 minutes
• Configure the login banner: Unauthorised access prohibited

Step 3 - Secure Trunk Ports

• Configure port Gig1/2 on SL1 as a trunk port
• Configure port Gig1/2 on SL2 as a trunk port
• Configure the native vlan to be 99. It is not necessary to configure a name to VLAN 99
• Prevent the use of DTP on the trunking ports of SL1 and SL2
• Enable storm control for broadcasts with a 50% suppression level in all trunking ports

Question 7. In your report, provide evidence that the trunking ports are working correctly and that trunking is enabled.

Step 4 - Secure Access Ports

• On SL1, configure ports Fa0/1 and Gig1/1 as access mode for VLAN 100
• On SL2, configure ports Fa0/10 as access mode for VLAN 100
• On SG, configure ports Gig1/1 and Fa0/21 as access mode for VLAN 100

Question 8. In your report, show that there is internal connectivity between the devices of each LAN.

Step 5 - Protect against STP Attacks

• Enable PortFast on all ports that have been defined as access ports
• Enable BPDU guard

Step 6 - Configure Port Security and Disable Unused Ports

• Configure basic port security on all ports that have been defined as access ports: set the maximum number of MAC addresses to 1, shut down the interface on a violation, and have the switch learn the MAC address of the device already connected to that port
• Disable unused ports on all switches
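Steps 1 to 6 of Part 4 applied to SL1 in one pass, as an added example (not part of the assignment text or a supplied solution). Addresses, VLANs, passwords and port names follow the IP Addressing Table and the steps; the assumption that SL1 is a 24-port switch whose unused ports are Fa0/2 to Fa0/24 is mine. SL2 differs only in its management address (10.10.20.3), its access port (Fa0/10) and its unused range; SG uses 10.10.30.2 with gateway 10.10.30.1, has no trunk, and has Gig1/1 and Fa0/21 as its access ports.

```cisco
enable
configure terminal
! ---- Steps 1 and 2: management VLAN, gateway, passwords, banner ----
hostname SL1
vlan 99
 exit
vlan 100
 exit
interface vlan 100
 ip address 10.10.20.2 255.255.255.0
 no shutdown
 exit
ip default-gateway 10.10.20.1
enable secret class
line console 0
 password cisco
 login
 exit
line vty 0 15
 password cisco
 login
 exec-timeout 5 0
 transport input ssh telnet
 exit
banner motd #Unauthorised access prohibited#

! ---- Step 3: trunk towards SL2, native VLAN 99, no DTP, broadcast storm control ----
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
 storm-control broadcast level 50
 exit

! ---- Steps 4 to 6: access ports for PC-L (Fa0/1) and LONDON (Gig1/1) ----
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 exit
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 exit

! ---- Step 6: disable unused ports (assumed 24-port switch) ----
interface range FastEthernet0/2 - 24
 shutdown
 exit
end

! ---- Evidence for Questions 7, 8 and 9 ----
show interfaces trunk
show vlan brief
show spanning-tree interface FastEthernet0/1 portfast
show port-security
show port-security interface FastEthernet0/1
show port-security address
```

`show interfaces trunk` on SL1 and SL2 is the evidence for Question 7: Gig1/2 should appear in mode "on" with native VLAN 99, and `show vlan brief` confirms Fa0/1 and Gig1/1 in VLAN 100. For Question 8, a ping from PC-L to the HTTP server (10.10.20.16) crosses the trunk, and pings to 10.10.20.1 and to each switch's VLAN 100 address confirm the management addresses and gateways. To test port security for Question 9, first generate some traffic from PC-L so the sticky address is learned (`show port-security address` shows it as SecureSticky), then replace PC-L on Fa0/1 with a different device: the violation counter in `show port-security interface FastEthernet0/1` increments and the port goes to err-disabled (secure-shutdown). Reconnect the original device and recover the port with `shutdown` followed by `no shutdown` on the interface.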

Question 9. In your report, provide evidence that port security is working correctly, and explain how you would test that port security functions correctly.

Computer Network Security: Implement network security on edge routers and lan
Reference No:- TGS0997602

Expected delivery within 24 Hours