CCIE Pursuit Blog

August 2, 2008

Internetwork Expert Volume II: Lab 3 – Section 11

Section 11 – IP Services – 4 Points

11.1 Local Authorization

Set r2’s default privilege level to 0 for telnet users.  Allow them to also ping and traceroute. If they need level 1 access, then have them authenticate with the password CISCO prior to being given access.

This is easy except for that last bit.  I couldn’t get my head around it.  Turns out that this was easy as well; you just need to set the privilege level for the enable password:

r2(config)#enable secret level 1 CISCO

r2#sh privilege
Current privilege level is 15
r2#disable 0
r4>?
Exec commands:
  <1-99>      Session number to resume
  disable     Turn off privileged commands
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Description of the interactive help system
  logout      Exit from the EXEC
  ping        Send echo messages
  traceroute  Trace route to destination

Normal commands available at privilege level 0:

r4#disa 0
r4>?
Exec commands:
  call     Voice call
  disable  Turn off privileged commands
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC

r4>

I could not get the “CISCO” password to work.

r2#sh run | i enabl
enable secret level 1 5 $1$2rnn$RVQJmvNqbzBPxtZhsm7Ga0
enable password cisco

I tried to use a ‘non-secret’ method, but the IOS cried “foul”:

r2(config)#enable pass level 1 CISCO
% Converting to a secret.  Please use “enable secret” in the future.

r2(config)#do sh run | i enable
enable secret level 1 5 $1$smcE$u7rQfwYvoPYAtd7.d38qO/
enable password cisco

Hmmmm... I telnetted in and found that I needed to specify level 1, and it worked:

r2>enable 1
Password: CISCO
r2>sh privi
Current privilege level is 1

r2>?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  clear            Reset functions
  connect          Open a terminal connection
  crypto           Encryption related commands.
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  dot11            IEEE 802.11 commands
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lat              Open a lat connection
  lock             Lock the terminal
  login            Log in as a particular user
--output truncated--

11.2 Local Authorization

Set up NOC users to telnet to r5 at privilege level 1, but allow them to be able to “turn on and disable RIP debugging”.

IE just set up level 1 with the ability to debug ip rip and then stop all debugs:

privilege exec level 1 debug ip rip
privilege exec level 1 undebug all

r5#ena 1
r5>debug ip ?
  rip  RIP protocol transactions

What’s odd is that the IOS added a few more privileges (including the dreaded “debug all”):

r5(config)#do sh run | i privilege exec
privilege exec level 1 undebug ip rip
privilege exec level 1 undebug ip
privilege exec level 1 undebug all
privilege exec level 1 undebug
privilege exec level 1 debug ip rip
privilege exec level 1 debug ip
privilege exec level 1 debug all  <-yikes
privilege exec level 1 debug

r5>debug all

This may severely impact network performance. Continue? (yes/[no]):

I guess that we are to assume that only the NOC will be telnetting to the device:

r2#telnet 150.1.5.5
Trying 150.1.5.5 … Open

User Access Verification

Password:
r5>sh privi
Current privilege level is 1

Internetwork Expert Volume II: Lab 3 – Section 10

Section 10 – System Management – 6 Points

10.1  IOS Management

Configure r4 to be managed via HTTP:

Use TCP port 8080
Only permit access from the 136.1.2.0/24 subnet
Authenticate users using local username WEB and the password CISCO
This password should be stored in the router’s configuration as an MD5 hash.

ip http server

r4(config)#username WEB secret CISCO
r4(config)#do sh run | i access-list|ip http|username WEB
username WEB secret 5 $1$lzG6$LoWdN/bOqK9kZtQZZieV//
ip http server
ip http port 8080
ip http access-class 69
ip http authentication local
!
access-list 69 permit 136.1.2.0 0.0.0.255

Cool verification: 

r4#sh ip http server status
HTTP server status: Enabled
HTTP server port: 8080
HTTP server authentication method: local
HTTP server access class: 69
HTTP server base path:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 1
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
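As an added example (not from the original post or from the IE workbook), a small Python check that reads a running-config extract and verifies the four 10.1 requirements: HTTP on TCP 8080, an access-class ACL that permits only 136.1.2.0/24, local authentication, and the WEB user stored as a type-5 (MD5) secret. The config text is the r4 output shown above; the function name and finding wording are my own.

```python
import re

# Constructed sample: the r4 configuration shown in task 10.1 above.
R4_CONFIG = """\
username WEB secret 5 $1$lzG6$LoWdN/bOqK9kZtQZZieV//
ip http server
ip http port 8080
ip http access-class 69
ip http authentication local
!
access-list 69 permit 136.1.2.0 0.0.0.255
"""

def audit_http_mgmt(config, port=8080, subnet="136.1.2.0 0.0.0.255"):
    """Check a running-config extract against the 10.1 requirements.
    Returns a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "ip http server" not in lines:
        findings.append("ip http server is not enabled")
    if f"ip http port {port}" not in lines:
        findings.append(f"HTTP server is not listening on TCP port {port}")
    # The access-class ACL must exist and permit exactly the management subnet.
    acl = next((ln.split()[-1] for ln in lines if ln.startswith("ip http access-class ")), None)
    if acl is None:
        findings.append("no ip http access-class: management is reachable from any source")
    elif [ln for ln in lines if ln.startswith(f"access-list {acl} ")] != [f"access-list {acl} permit {subnet}"]:
        findings.append(f"access-list {acl} does not permit only {subnet}")
    if "ip http authentication local" not in lines:
        findings.append("HTTP authentication is not local (IOS default uses the enable password)")
    # Each local user must be stored as a type-5 (MD5) secret, not a cleartext or type-7 password.
    for ln in lines:
        m = re.match(r"username (\S+)(?: privilege \d+)? (secret|password) (\d+)?", ln)
        if m and not (m.group(2) == "secret" and m.group(3) == "5"):
            findings.append(f"user {m.group(1)} is not stored as an MD5 secret")
    return findings
```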

10.2 File Management

Okay, this question completely mindfucked me.  Definitely read the breakdown on this task.  It combines an interesting bit of ROMMON magic with a neat trick with the alias command. 

10.3 Autoinstall

Autoinstall... another one of the technologies that I haven’t gotten around to playing with yet.  Another skipped task.  :-)   I did print out the PDF of the following page (all 54 pages :-( ) and will review it later:

Using AutoInstall to Remotely Configure Cisco Networking Devices

Internetwork Expert Volume II: Lab 3 – Section 9

Section 9 – Security – 6 Points

9.1  Traffic Filtering

“Configure r6 so that it only allows TCP, UDP, and ICMP traffic in from BB1 if it was originated from behind R6.”

“Ensure that users behind r6 can still traceroute to hosts beyond the Frame Relay cloud.”

Confusing wording, but I think that it means that you need to filter traffic from BB1 so that it only allows TCP, UDP, and ICMP responses from devices behind r6 – but not r6.  This sounds like a reflexive ACL.

This is the type of task that I would probably skip in the actual lab.  I really don’t want to fuck up my connection to a backbone router to get 3 points in Security.  There’s an excellent breakdown for this task.  I’d still skip it though.  :-)

9.2 DOS Prevention

Argh!!!  I am SO weak in Security.

“…configure r4 to send a TCP reset to the webserver (136.1.4.100) for any TCP sessions that fail to reach the established state after 15 seconds.”

All I’m sure of in this task is that I’m going to be configuring fa0/0 on r4.

A quick look through the 12.4 Security Configuration Guide yields this document:

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

It looks like I need an ACL for traffic to the server:

r4(config)#access-list 192 perm tcp any host 136.1.4.100

Then it’s just a matter of picking the correct configuration items:

r4(config)#ip tcp intercept ?
  connection-timeout  Specify timeout for connection info
  drop-mode           Specify incomplete connection drop mode
  finrst-timeout      Specify timeout for FIN/RST
  list                Specify access-list to use
  max-incomplete      Specify maximum number of incomplete connections before
                      clamping
  mode                Specify intercepting mode
  one-minute          Specify one-minute-sample watermarks for clamping
  watch-timeout       Specify timeout for incomplete connections in watch mode

The task asks us to send a TCP reset, so that decides the TCP intercept mode that we will use:

The TCP intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.

In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with an SYN-ACK, then waits for an ACK from the client. When that ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When this is complete, the two half-connections are joined.

In watch mode, connection requests are allowed to pass through the router to the server but are watched until they become established. If they fail to become established within 30 seconds (configurable with the ip tcp intercept watch-timeout command), the software sends a Reset to the server to clear up its state.

r4(config)#ip tcp intercept mode ?
  intercept  Intercept connections
  watch      Watch connections

r4(config)#do sh run | i list 192|ip tcp
ip tcp intercept list 192
ip tcp intercept watch-timeout 15
ip tcp intercept mode watch
!
access-list 192 permit tcp any host 136.1.4.100
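An added illustration, not part of the original post: a Python model of what watch mode does with the r4 policy above (access-list 192 and a 15-second watch-timeout). The packet trace is constructed; the names WatchTable, observe, expire and P are mine, and the model ignores sequence numbers and the server’s SYN-ACK.

```python
from dataclasses import dataclass, field

# Policy taken from the r4 config in task 9.2: watch only TCP to the web server
# (access-list 192) and reset anything still half-open after 15 seconds.
SERVER = "136.1.4.100"
WATCH_TIMEOUT = 15

def P(src, sport, dst, flags, dport=80):
    # Constructed packet record with only the fields the watcher needs.
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

@dataclass
class WatchTable:
    """Simplified TCP intercept watch mode: SYNs are let through but tracked."""
    pending: dict = field(default_factory=dict)   # (client, sport, dport) -> time of SYN
    resets: list = field(default_factory=list)    # RSTs the router would send to the server

    def observe(self, pkt, now):
        """Feed one packet to the watcher, then age out stale half-open entries."""
        # access-list 192 permit tcp any host 136.1.4.100
        if pkt["proto"] == "tcp" and pkt["dst"] == SERVER:
            key = (pkt["src"], pkt["sport"], pkt["dport"])
            if pkt["flags"] == "SYN":
                self.pending[key] = now            # new embryonic connection
            elif pkt["flags"] == "ACK" and key in self.pending:
                del self.pending[key]              # handshake completed: stop watching
        self.expire(now)

    def expire(self, now):
        """Reset toward the server every connection half-open for >= watch-timeout."""
        for key, t0 in list(self.pending.items()):
            if now - t0 >= WATCH_TIMEOUT:
                src, sport, dport = key
                self.resets.append({"to": SERVER, "port": dport, "on_behalf_of": src, "sport": sport})
                del self.pending[key]
        return len(self.resets)

def run_sample():
    """Constructed trace: client 1 completes its handshake, client 2 never ACKs,
    client 3 talks to a host outside access-list 192 and is therefore ignored."""
    w = WatchTable()
    trace = [
        (0, P("10.0.0.1", 40001, SERVER, "SYN")),
        (1, P("10.0.0.2", 40002, SERVER, "SYN")),
        (2, P("10.0.0.1", 40001, SERVER, "ACK")),         # third step of handshake 1
        (3, P("10.0.0.3", 40003, "136.1.4.200", "SYN")),  # not matched by the list
        (20, P("10.0.0.4", 40004, SERVER, "SYN")),        # client 2 is now 19 s old
    ]
    for t, pkt in trace:
        w.observe(pkt, t)
    return w
```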
