Final Scenarios

The DHC group is continuing to expand operations in North America, and you have been assigned the implementation of the networks supporting the facility in Miami, Florida. Figure 24-1 depicts the current configuration of the DHC enterprise network. The offices in New York, Chicago, and San Francisco are established, and Miami is your configuration responsibility.

Figure 24-1. DHC Enterprise Network

This is your first assignment as team leader, and you want to be sure that you have completed all the implementation steps and verified the results. You have several key tasks to complete; however, the overall result is that the facility must provide Internet connectivity to the users, secure connectivity with the New York headquarters, and remote connectivity for several users that occupy a branch office in Daytona Beach, Florida. You have studied DHC's security policies and the current configuration of the network and have identified the following tasks that must be completed to add Miami to the DHC enterprise network:

Step 1. Configure Cisco Secure Access Control Server (Cisco Secure ACS) to provide AAA services.

a. Install Cisco Secure ACS for Microsoft Windows Server.

b. Configure Cisco Secure ACS for Windows Server database for authentication.

c. Configure the router to authenticate to the Cisco Secure ACS for Windows Server database.

Step 2. Configure and secure the perimeter router.

a. Change all administrative access to the Miami routers.

b. Configure local database authentication using authentication, authorization, and accounting (AAA).

c. Configure a secure method for remote access of the routers.

Step 3. Configure 802.1x port-based authentication on a Catalyst 2950 switch.

a. Enable 802.1x authentication.

b. Configure the switch-to-RADIUS server communication.

c. Enable periodic re-authentication.

d. Manually re-authenticate a client connected to a port.

e. Change the quiet period.

f. Change the switch-to-client retransmission period.

g. Set the switch-to-client frame-retransmission number.

h. Enable multiple hosts.

i. Reset the 802.1x configuration to the default values.

j. Display the 802.1x statistics and status.

Step 4. Configure network switches and routers to mitigate Layer 2 attacks.

a. Mitigate the content-addressable memory (CAM) table overflow attack.

b. Mitigate virtual LAN (VLAN) hopping attacks.

c. Prevent Spanning Tree Protocol manipulation.

d. Mitigate Media Access Control (MAC) spoofing attacks.

e. Defend private VLANs.

f. Mitigate Dynamic Host Configuration Protocol (DHCP) starvation attacks.

Step 5. Configure Protected Extensible Authentication Protocol (PEAP) with Cisco Secure ACS.

a. Obtain a certificate for the Cisco Secure ACS.

b. Identify additional certification authorities (CAs) that the Cisco Secure ACS should trust.

c. Configure the PEAP settings.

d. Specify the access device.

e. Configure the external user database.

f. Restart the service.

Step 6. Prepare the network for IPsec using preshared keys.

a. Establish a common convention for connectivity between locations.

b. Configure initial setup of the router and verify connectivity.

c. Prepare for Internet Key Exchange (IKE) and IPsec.

d. Define the preshared keys.

Step 7. Configure IKE using preshared keys.

a. Enable IKE.

b. Create the IKE policy.

c. Configure the preshared key.

d. Verify the IKE configuration.

Step 8. Configure IPsec using preshared keys.

a. Configure transform sets and security association (SA) parameters.

b. Configure crypto access control lists (ACLs).

c. Configure crypto maps.

d. Apply the crypto map to an interface.

Step 9. Configure IKE and IPsec on a Cisco router.

a. Enable IKE/ISAKMP.

b. Create an IKE policy to use Rivest, Shamir, and Adleman (RSA) signatures.

c. Configure transform sets and SA parameters.

d. Configure crypto ACL.

e. Configure crypto maps.

f. Apply the crypto map to an interface.

Step 10. Prepare the network for IPsec using digital certificates.

a. Configure initial setup of the router and verify connectivity.

b. Prepare for IKE and IPsec.

c. Configure CA support.
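As an added example (not the book's lab answer key), here is how Steps 7 through 10 fit together on the Miami router as one Cisco IOS configuration; every address, hostname, key and CA URL in it is a constructed placeholder. It goes slightly beyond Step 10 by showing the preshared-key variant from Step 7 as an alternative in the comments.

```cisco
! Added example for Steps 7 through 10: Miami perimeter router, IPsec tunnel
! to New York HQ. Addresses, names and the CA URL are constructed placeholders.
! Lines marked "exec:" are privileged-EXEC commands; the rest is config mode.
hostname Miami
ip domain-name dhc.example
! Certificate validity checks depend on correct time (constructed NTP source).
ntp server 192.0.2.10
! Step 10c: CA support. Generate the RSA key pair before enrolling.
! exec: crypto key generate rsa general-keys modulus 2048
crypto pki trustpoint DHC-CA
 enrollment url http://192.0.2.20:80
 subject-name CN=miami.dhc.example
 revocation-check crl
! exec: crypto pki authenticate DHC-CA   (fetch CA cert; compare fingerprint)
! exec: crypto pki enroll DHC-CA         (request the router's own certificate)
! Steps 9a/9b: enable IKE; the policy authenticates peers with RSA signatures.
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication rsa-sig
 group 14
 lifetime 86400
! Step 7 variant (preshared keys): use "authentication pre-share" in the
! policy instead, and bind a key to the peer address:
!   crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.1
! Step 9c: transform set (ESP with AES and SHA-1 HMAC) and SA lifetime.
crypto ipsec transform-set DHC-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
! Step 9d: crypto ACL selects Miami-to-New-York traffic (constructed ranges).
ip access-list extended MIAMI-TO-NY
 permit ip 10.4.0.0 0.0.255.255 10.1.0.0 0.0.255.255
! Step 9e: crypto map ties peer, transform set, PFS and crypto ACL together.
crypto map DHC-VPN 10 ipsec-isakmp
 description IPsec tunnel to New York HQ
 set peer 203.0.113.1
 set transform-set DHC-TS
 set pfs group14
 match address MIAMI-TO-NY
! Step 9f: apply the crypto map to the outside interface.
interface Serial0/0
 ip address 203.0.113.9 255.255.255.252
 crypto map DHC-VPN
```

The New York router needs a mirror-image crypto ACL and a certificate from the same CA (or a CA it trusts), otherwise IKE phase 1 fails before any IPsec SA is negotiated.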

Step 11. Test and verify IPsec CA configuration.

a. Display IKE policies.

b. Display transform sets.

c. Display configured crypto maps.

d. Display the current state of IPsec SAs.

e. Clear any existing SAs.

f. Enable debug output for IPsec events.

g. Enable debug output for ISAKMP events.

h. Observe the IKE and IPsec debug outputs.

i. Verify IKE and IPsec SAs.

j. Ensure encryption is working.

Step 12. Configure authentication proxy on the Miami router.

a. Verify initial router configuration.

b. Configure Cisco Secure ACS.

c. Configure AAA.

d. Configure authentication proxy.

e. Test and verify configuration.

Step 13. Configure Content-Based Access Control (CBAC) on the Miami router.

a. Verify initial router configuration.

b. Configure logging and audit trails.

c. Define inspection rules and ACLs.

d. Apply inspection rules and ACLs.

e. Test and verify CBAC.

Step 14. Configure the Miami router with the Cisco IOS Intrusion Protection System (IPS).

a. Verify initial router configuration.

b. Initialize IPS on the router.

c. Disable and exclude signatures.

d. Create and apply audit rules.

e. Verify the IPS router's configuration.

f. Generate a test message.
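An added example of the CLI side of Step 14 (this is not the book's lab configuration): the host addresses, the rule name DHC-IPS and the interface are assumed placeholders; signature IDs 2000.0 and 2004.0 are the Cisco IOS IPS ICMP Echo Reply and ICMP Echo Request signatures.

```cisco
! Constructed example: Cisco IOS IPS on the Miami router (12.3(8)T-era
! syntax). Host addresses, rule name and interface are placeholders.
! Step 14b: point IPS at the signature file, fail closed if it cannot load,
! and send alerts both to SDEE (needs the HTTPS server) and to syslog.
ip ips sdf location flash://attack-drop.sdf
ip ips fail closed
ip ips notify SDEE
ip ips notify log
ip http secure-server
logging 10.4.0.100
ip ips name DHC-IPS
! Step 14c: disable a noisy signature (2000.0, ICMP Echo Reply) outright, and
! exclude the management host from 2004.0 (ICMP Echo Request) with an ACL:
! sources the ACL denies are not inspected by that signature.
ip ips signature 2000 0 disable
ip ips signature 2004 0 list 101
access-list 101 deny ip host 10.4.0.100 any
access-list 101 permit ip any any
! Step 14d: apply the audit rule inbound on the Internet-facing interface.
interface Serial0/0
 ip ips DHC-IPS in
! Step 14e: verify from privileged EXEC.
! show ip ips configuration
! show ip ips signatures
! Step 14f: generate a test message by pinging the router's outside address
! from a lab host outside; 2004.0 fires and the alert shows up in
! "show ip sdee events" and in the syslog on 10.4.0.100.
```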

Step 15. Verify and monitor the Miami router with IPS using SDM.

a. Enable IPS SDEE.

b. Configure SDF locations.

c. Show IPS SDEE status.

Step 16. Configure Easy VPN Server.

a. Verify initial router configuration.

b. Prepare a perimeter router for the Easy VPN Server.

c. Enable policy lookup via AAA.

d. Create an ISAKMP policy for remote client access.

e. Define group policy information for a mode configuration push.

f. Create a transform set.

g. Create a dynamic crypto map.

h. Apply mode configuration to the dynamic crypto map.

i. Apply a dynamic crypto map to the router interface.

Step 17. Configure Easy VPN Remote.

a. Install the Cisco VPN client 3.x.

b. Create a new connection entry.

c. Launch the Cisco VPN client.

d. Test the remote-access connection.

e. Configure extended authentication.

f. Test extended authentication.
