16.5.2 Lab - Secure Network Devices

Captions
Secure network devices. Build this topology: PC-A, switch S1 (a 2960) and router R1 (a 4321). Connect from GigabitEthernet 0/0/1 on the router to the switch, and on the switch from FastEthernet 0/6 to PC-A. This is PC-A, this is S1 and this is router R1. The addressing table: router G0/0/1 192.168.1.1, subnet mask 255.255.255.0; switch S1 VLAN 1 192.168.1.11, 255.255.255.0, default gateway 192.168.1.1; PC-A IP address 192.168.1.3, same subnet mask and default gateway 192.168.1.1.

It is recommended that all network devices be configured with at least a minimum set of best-practice security commands. This includes end-user devices, servers and network devices such as routers and switches. Required resources for the real lab: one router (4221), one switch (2960), one PC, a console cable and Ethernet cables.

Configure basic device settings. Set up the network topology; I have already cabled the network. Initialize and reload the router and switch. On a real lab you need to erase the contents of the router and the switch: on R1, erase startup-config; on S1, erase startup-config and delete the vlan.dat database.

Configure the router. Console into the device and enter privileged EXEC mode. Use a console cable from PC-A, for example from the RS-232 port to the console port of R1, then go to PC-A, Desktop, Terminal. Press Enter. Would you like to enter the initial configuration dialog? No. Press Enter; you are in user EXEC mode. Go to privileged EXEC mode with the enable command. Now you are in privileged EXEC mode. Device name: R1. You need to go to global configuration mode using the configure terminal command. Once you are in global configuration mode: hostname R1. Disable DNS lookup with no ip domain-lookup, to prevent the router from attempting to translate incorrectly entered commands as though they were hostnames. Assign class as the privileged EXEC encrypted password: enable secret class. Assign cisco as the console password and enable login: line console 0, now you are in line configuration mode, password cisco, and don't forget to use the login command to enable that password. Assign cisco as the vty password and enable login: line vty 0 15, password cisco, login. OK, great.

Create a banner that warns anyone accessing the device that unauthorized access is prohibited. You are in line configuration mode; exit, now you are in global configuration mode, and set the banner: banner motd and the message. You can use any message: "Unauthorized access is prohibited". Configure and activate the G0/0/1 interface on the router. Go to the addressing table; this is the IP address for G0/0/1. interface g0/0/1; you are in interface configuration mode, so set the IP address: ip address 192.168.1.1 255.255.255.0, and enable the interface with the no shutdown command. (The default SVI is configured on the switch.) I am configuring the router now, so save the running configuration to the startup configuration file. To do this, go from interface configuration mode to privileged EXEC mode with the end command, and save the changes using copy running-config startup-config. Press Enter. Very good.

And don't forget to configure the switch. Change the console cable to the switch console. Go to PC-A, close the terminal and open it again. Press Enter, enable, configure terminal, hostname S1, no ip domain-lookup, the privileged EXEC encrypted password enable secret class, then the console and vty passwords: line console 0, password cisco, login; line vty 0 15, password cisco, login, exit; and the banner motd. Configure the default SVI on the switch with the IP address and subnet mask; use the switch's VLAN 1 interface. You are in global configuration mode, so access the interface: interface vlan 1, Enter. You are in interface configuration mode; set the IP address: ip address 192.168.1.11 255.255.255.0, and enable the interface with the no shutdown command. Exit from interface configuration mode to global configuration mode and set the default gateway. The gateway is 192.168.1.1: ip default-gateway 192.168.1.1. Save the running configuration to the startup configuration: go from global configuration mode with the exit command to privileged EXEC mode, copy running-config startup-config, Enter. Very good.

Configure PC-A with an IP address, subnet mask and default gateway. PC-A is this one; close the terminal, go to IP Configuration: 192.168.1.3, subnet mask /24 (255.255.255.0), default gateway 192.168.1.1. Very good, close this. Verify network connectivity: ping R1 and S1 from PC-A. Go to PC-A, Command Prompt, ping R1; R1's IP address is 192.168.1.1, Enter, success. Ping the switch, 192.168.1.11, success.

Configure basic security measures on the router. Change the console to the router, because you will configure the router. Go to PC-A, close the command prompt, open the terminal, press Enter, and configure terminal to go into global configuration mode. Encrypt all clear-text passwords: use the service password-encryption command. Configure the system to require a minimum 12-character password: security passwords min-length 12. Now set the privileged EXEC password to this strong password, $cisco!PRIV* (dollar sign, cisco, exclamation mark, PRIV, asterisk); be careful. enable secret $cisco!PRIV*. OK, very nice: one, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve; twelve characters. The console password, use this one: line console 0, password $cisco!!CON* (dollar sign, cisco, two exclamation marks, CON, asterisk), Enter. One, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve. Very good. The login command I already set. The vty line password is another strong password: line vty 0 15, password $cisco!!VTY* (dollar sign, cisco, two exclamation marks, VTY, asterisk). OK, very good.

Configure the router to accept only SSH connections from remote locations. Configure the username SSHadmin (case sensitive) with an encrypted password of 55Hadm!n2020. You are in line configuration mode; exit to go to global configuration mode and set the username: username SSHadmin secret 55Hadm!n2020. secret is the keyword for an encrypted password, and the password is 55Hadm!n2020 (five, five, H, a, d, m, exclamation mark, n, 2020). Case sensitive, be careful; this is a strong password. The router's domain name: ccna-lab.com, so ip domain-name ccna-lab.com, Enter. The key modulus should be 1024 bits: crypto key generate rsa, and the key modulus is 1024. Enter. Very, very good. But don't forget to allow only SSH on the vty lines: line vty 0 15, and accept only SSH with transport input ssh. And don't forget to use the local username configured on the router for SSH access: use the login local command, so that the local database is used to authenticate the user. That's it; you are in global configuration mode.

Set security best-practice configurations on the console and vty lines: users should be disconnected after five minutes of inactivity. Go to line console 0 and exec-timeout 5 0 (5 minutes, 0 seconds); go to line vty 0 15 and apply the same command, exec-timeout 5 0; then exit and you are in global configuration mode. The router should not allow vty logins for 2 minutes if three failed login attempts occur within 1 minute: login block-for 120 attempts 3 within 60. 2 minutes is 120 seconds; three failed attempts within one minute, which is 60 seconds.

Under configure security measures: verify that all unused ports are disabled. Router ports are disabled by default, but it is always prudent to verify that all unused ports are in an administratively down state. This can be quickly checked by issuing the show ip interface brief command. Any unused ports that are not in the administratively down state should be disabled using the shutdown command in interface configuration mode. On R1 you are in global configuration mode; exit, Enter, and in privileged EXEC mode use show ip interface brief. Enter. There are G0/0/0 and G0/0/1: G0/0/0 is administratively down, G0/0/1 is up with the protocol up.

Verify that your security measures have been implemented correctly. Use Tera Term on PC-A to telnet to R1. Remember you are on PC-A: close the terminal and use the command prompt; try to telnet to R1, whose IP address is 192.168.1.1; the connection is closed. Instead of Tera Term, which you would use on a real lab, in Packet Tracer you can use the Telnet/SSH Client: choose the Telnet protocol and the IP address 192.168.1.1, connect. It's not connecting. Were you able to telnet? Explain. No, the connection is refused; Telnet was disabled by the transport input ssh command. Use Tera Term on PC-A to SSH to R1. In Packet Tracer you can use this application, the Telnet/SSH Client: SSH, hostname 192.168.1.1, and the username, which was SSHadmin, case sensitive; connect, and the password, 55Hadm!n2020; be careful. Very good: "Unauthorized access is prohibited" is the banner, and you are in user EXEC mode on R1. Did R1 accept the SSH connection? Yes. Another way to do this: close this, and in the command prompt you can do the following: ssh -l (option L, an L, not a one), then the username, SSHadmin, case sensitive, and the IP address of the server, 192.168.1.1; the server is the router. Use the password 55Hadm!n2020. Very good, the R1 prompt.

Intentionally mistype the user and password information to see if login access is blocked after two attempts. Exit; try to access using ssh -l with the username SSHadmin and the IP address of the router, Enter, and use any other password: 12345. Again: 123, any other number. What happened after you failed to log in the second time? I think this should be "intentionally mistype the user and password information to see if login access is blocked after three attempts", and the question should be "what happened after you failed to log in the third time", because you configured it to block for two minutes if three failed login attempts occur within one minute, so you need to fail three times. So here it should be "after three attempts". Try again, for example ssh -l SSHadmin 192.168.1.1 and 12345; it fails. Now the connection is closed by the host; try again, connection refused. What happened after you failed to log in the third time? The connection to R1 was disconnected. If you try to reconnect within 120 seconds, the connection will be refused. Try: connection refused. So you need to wait 120 seconds.

From your console session on the router, issue the show login command to view the login status. Close the command prompt, go to the terminal; remember you are connected to the console of router R1. Look at this: security login, still time left; the user was SSHadmin, the source was PC-A, 192.168.1.3, the port was 22 for SSH, the reason was login authentication failed, and it uses this access list by default. After two minutes, look at this: it was minute 31 and now it is minute 33; after 120 seconds, two minutes, security login quiet mode is off because the block period timed out. Very good, and now you are able to log in again. Close the terminal. After the 120 seconds have expired, SSH to R1 again and log in using the username and password. Go to the command prompt, try again: ssh -l SSHadmin (case sensitive) 192.168.1.1, Enter, and use the password 55Hadm!n2020, Enter. Very good. After you successfully logged in, what was displayed? The banner, the message of the day. Enter privileged EXEC mode: use the enable command to go from user EXEC mode to privileged EXEC mode, and the password; remember you configured this password for this: $cisco!PRIV*, Enter. Very good, you are in privileged EXEC mode. If you mistype this password, are you disconnected from your SSH session after three failed attempts within 60 seconds? Explain. No: the login block-for command only monitors login attempts on the vty lines, not the enable command.

Issue show running-config in privileged EXEC mode. Remember I'm using SSH. You can see the configuration on the router. Look at this: the username with an encrypted password, the enable secret encrypted password, login block-for 120 attempts 3 within 60, which means block the login for 120 seconds if three failed attempts occur within 60 seconds; security passwords min-length 12; service password-encryption to encrypt all these passwords, so the console password and the vty passwords are encrypted; the banner; the IP configuration of the interface; no ip domain-lookup; ip domain-name. Very good.

Configure basic security measures on the switch. Change the console cable to the switch console. Go to PC-A, close the command prompt and open the terminal. Press Enter, and the password: remember, what was the password for switch S1? For now it is cisco. Console password cisco, then enable, and the privileged EXEC password, class. Very good, you are in privileged EXEC mode. Encrypt all clear-text passwords: configure terminal, and in global configuration mode service password-encryption, Enter. Minimum 12-character password: security passwords min-length 12. This command is not supported by the 2960 switch in Packet Tracer; on a real lab it will work. Change passwords; change all these passwords. The privileged EXEC password: enable secret $cisco!PRIV*. The console password: line console 0, password $cisco!!CON*, Enter. The vty lines: line vty 0 15 and password $cisco!!VTY*. Let's see; you are in global configuration mode.

Configure the switch to accept only SSH connections from remote locations. Configure the username SSHadmin (case sensitive) with an encrypted password: username SSHadmin secret 55Hadm!n2020; be careful. The domain name should be ccna-lab.com: ip domain-name ccna-lab.com, Enter. The key modulus should be 1024 bits; create the key: crypto key generate rsa, and the key modulus 1024, Enter. Very good. But don't forget to apply this on the vty lines. Remember you are in global configuration mode: line vty 0 15, Enter; you are in line configuration mode and use only SSH, transport input ssh, to permit only SSH connections, and use the local database for authentication with this username and password: login local. Exit from line configuration mode to global configuration mode.

Best-practice configuration on the console and vty lines: line console 0, exec-timeout 5 0 (5 minutes, 0 seconds); users should be disconnected after 5 minutes of inactivity. And for the vty lines: line vty 0 15, the same command, exec-timeout 5 0. Very good, and exit from line configuration mode to global configuration mode. Now the switch should not allow logins for 2 minutes if three failed login attempts occur within one minute. In global configuration mode: login block-for 120 attempts 3 within 60, Enter. The 2960 switch does not support this command in Packet Tracer; on a real lab it will work very well.

Disable all unused ports. Which ports are in use? 5 and 6. So use interface range f0/1-4, f0/7-24, g0/1-2: 1 to 4, because 5 and 6 are in use, then 7 to 24, and GigabitEthernet 0/1 to 0/2. Enter, shutdown. Very good. Exit; go from interface range configuration mode with the exit command to global configuration mode. Verify all unused ports are disabled with show ip interface brief: exit from global configuration mode, Enter, go to privileged EXEC mode and use show ip interface brief, and now you can see all ports are in administratively down status; only 5 and 6 are up with the protocol up. VLAN 1 is also up, but this is a virtual interface, not a physical interface. Use the interface range command to shut down multiple interfaces at a time; that was done here. Verify that all inactive interfaces have been administratively shut down; this was just verified using the show ip interface brief command.

Verify that your security measures have been implemented correctly. Verify that Telnet has been disabled on the switch. Close the terminal, open the command prompt; you are in the command prompt of PC-A, and try to access using Telnet: telnet, space, the IP address of the switch, 192.168.1.11. Connection refused, connection closed. So Telnet is not working. SSH to the switch: ssh -l, the username SSHadmin (case sensitive), and the IP address of the switch, 192.168.1.11. From PC-A, access the switch S1 using SSH and use the password; the password was 55Hadm!n2020, Enter. The banner, and you are on S1. SSH to the switch and intentionally mistype the user and password information to see if login access is blocked. I cannot do this, because when I configured the switch the login block-for command was not accepted, so in Packet Tracer I cannot test this procedure; the login block-for command was not accepted by the switch in Packet Tracer. After the 30 seconds have expired, SSH to S1 again and log in using the username and password. Did the banner appear after you successfully logged in? Yes, it shows the banner, the message of the day. Enter privileged EXEC mode: you are in user EXEC mode; use the enable command to access privileged EXEC mode with the password, and remember this was the password, be careful to enter it: $cisco!PRIV*, Enter. Very good, you are in privileged EXEC mode. Use the show running-config command: show running-config, space, space, space, and you can verify, for example, the vty lines with the exec-timeout of five minutes, the encrypted password, login local and SSH only; the console line with the encrypted password, login and the exec-timeout of five minutes; the banner; the interface VLAN 1 IP address; the default gateway; all unused ports shut down, with only 5 and 6 enabled; the username for SSH; no ip domain-lookup; the domain name; the enable secret command; the hostname; and service password-encryption to encrypt all plaintext passwords.

Reflection. The password cisco command was entered for the console and vty lines in your basic configuration in Part 1. When is this password used after the best-practice security measures have been applied? This password will not be used any longer. Even though the password command still appears in the line sections of the running-config, this command was disabled as soon as the login local command was entered for those lines. Are the pre-configured passwords shorter than 10 characters (or 12 characters) affected by the security passwords min-length 12 command? No. The security passwords min-length command only affects passwords that are added after this command is issued; any pre-existing passwords will remain in effect. If they are changed, they will need to be at least 12 characters long. OK, thank you very much.
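The show running-config checks the video walks through by eye (encrypted passwords, minimum length, login block-for, SSH-only vty lines with login local and exec-timeout, unused ports shut down) can be scripted. The following Python audit is an added example and is not part of the video or the Cisco lab; the sample running-config, the finding codes and the 5-minute timeout limit are constructed here, and the hash strings after secret and password 7 are placeholders rather than real IOS output.

```python
import re

# Constructed sample: a trimmed running-config resembling R1 at the end of the
# lab. Hash values after "secret" / "password 7" are placeholders, not real output.
SAMPLE_CONFIG = """\
hostname R1
no ip domain-lookup
ip domain-name ccna-lab.com
service password-encryption
security passwords min-length 12
login block-for 120 attempts 3 within 60
enable secret 9 $9$PLACEHOLDER
username SSHadmin secret 9 $9$PLACEHOLDER
banner motd ^C Unauthorized access is prohibited ^C
interface GigabitEthernet0/0/0
 no ip address
 shutdown
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
line con 0
 password 7 PLACEHOLDER
 exec-timeout 5 0
 login
line vty 0 15
 password 7 PLACEHOLDER
 exec-timeout 5 0
 login local
 transport input ssh
"""

MAX_EXEC_TIMEOUT_SECONDS = 5 * 60   # the lab's "disconnect after 5 minutes"
MIN_PASSWORD_LENGTH = 12            # the lab's "security passwords min-length 12"


def parse_config(config):
    """Return (global_lines, blocks). blocks maps a section header such as
    'line vty 0 15' to the list of its indented sub-commands."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            global_lines.append(current)
    return global_lines, blocks


def exec_timeout_seconds(block):
    """Seconds from an 'exec-timeout M [S]' line; None when absent (IOS then
    applies its default). 'exec-timeout 0 0' disables the timeout and yields 0."""
    for cmd in block:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return None


def audit(config):
    """Return a list of finding codes; an empty list means every hardening
    item from the lab is present in the config."""
    global_lines, blocks = parse_config(config)
    findings = []

    if "service password-encryption" not in global_lines:
        findings.append("NO_PASSWORD_ENCRYPTION")
    min_len = None
    for line in global_lines:
        m = re.fullmatch(r"security passwords min-length (\d+)", line)
        if m:
            min_len = int(m.group(1))
    if min_len is None or min_len < MIN_PASSWORD_LENGTH:
        findings.append("WEAK_MIN_LENGTH")
    if not any(re.fullmatch(r"login block-for \d+ attempts \d+ within \d+", l)
               for l in global_lines):
        findings.append("NO_LOGIN_BLOCK")
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("NO_ENABLE_SECRET")
    if not any(l.startswith("banner motd") for l in global_lines):
        findings.append("NO_BANNER")

    for header, block in blocks.items():
        if header.startswith("line "):
            secs = exec_timeout_seconds(block)
            if secs is None or secs == 0 or secs > MAX_EXEC_TIMEOUT_SECONDS:
                findings.append(f"EXEC_TIMEOUT:{header}")
            if header.startswith("line vty"):
                if "transport input ssh" not in block:
                    findings.append(f"TELNET_ALLOWED:{header}")
                if "login local" not in block:
                    findings.append(f"NO_LOGIN_LOCAL:{header}")
        elif header.startswith("interface "):
            # An interface with no address is unused; it should be shut down.
            has_ip = any(c.startswith("ip address") for c in block)
            if not has_ip and "shutdown" not in block:
                findings.append(f"UNUSED_PORT_UP:{header}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```

Run against S1's config from Packet Tracer, the script would report WEAK_MIN_LENGTH and NO_LOGIN_BLOCK, which matches the video's observation that the 2960 there does not accept those two commands; on real hardware both findings should clear once the commands are entered.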
Info
Channel: Christian Augusto Romero Goyzueta
Views: 11,796
Keywords: cisco, itn, introduction to networks, v7.0, version 7.0, version 7, packet tracer, router, switch, security, password, enable secret, line console, line vty, login block-for, encryption, banner
Id: 7U8ONJxqGRA
Length: 47min 9sec (2829 seconds)
Published: Tue Jul 14 2020