Published June 11, 2018, 0 comments

CCNP-ISCW-v5.0 Lab 5-3: Disabling Unneeded Services


Lab5-3.net file for Dynamips:

##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 5.3 Disabling Unneeded Services
# By Happy Peter  http://blog.xuite.net/juilin77/happy
#
##################################################

autostart=false
[localhost:7200]
 workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab5-3/workingconfig

[[3725]]
# Specify 3725 IOS image on Linux here:
 image = /opt/dynamips/images/c3725-ad.bin
 ram = 256
 idlepc = 0x60bf8d58
 mmap = true
 ghostios = true
 confreg = 0x2102

###########################
#
# Define router instances 1
#
###########################
 
[[Router R1]]
 model = 3725
 console = 2001

Objectives
‧ Identify and disable unneeded and insecure services on a router
‧ Enable TCP keepalives


Scenario:
In this lab, you will disable unneeded services on a router.


Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
host R*


Step 1: Configure the Physical Interface
Because this lab uses only one router, you will simulate an active FastEthernet connection by activating the interface and applying the "no keepalive" command to put it in an "always up" state, regardless of whether a device exists at the remote end.
R1:
interface fastEthernet 0/0
 ip address 192.168.10.1 255.255.255.0
 no keepalive
 no shutdown


Step 2: Ensure Services Are Disabled
At the privileged EXEC prompt, issue the auto secure command to start AutoSecure. You may notice that this command is hidden from the Cisco IOS in-line help system.
R1:
no ip finger
!
no service udp-small-servers
!
no service tcp-small-servers


Step 3: Manage Router Access
Enabling TCP keepalives causes the router to generate periodic keepalive messages, letting it detect and drop broken Telnet connections. This frees up hung Telnet sessions.
R1:
service tcp-keepalives-in
!
service tcp-keepalives-out


Step 4: Disable CDP
R1:
no cdp run


Step 5: Disable Other Unused Services
R1:
no service pad
!
no ip bootp server
!
no ip http server
!
no ip source-route
!
no ip gratuitous-arps


Step 6: Disable Unneeded Interface Services
R1:
interface fastEthernet 0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled

Final Configurations
R1:
hostname R1
!
no ip source-route
no ip gratuitous-arps
!
no ip bootp server
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no keepalive
 no mop enabled
!
no ip http server
no ip http secure-server
!
no cdp run
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end
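The following is an added example, not part of the lab or the Cisco lab manual: a Python script that audits a saved running-config (constructed here from the Final Configuration above) for the commands applied in Steps 2 to 6. IOS omits default settings from show running-config, so a command it reports as absent is only "not explicitly configured", which on current releases is still the secure default for some items (for example no ip directed-broadcast).

```python
# Added example, not part of the lab: audit an IOS running-config (as text)
# for the hardening commands applied in Steps 2-6. Defaults are not shown in
# "show running-config", so "missing" means "not explicitly set".
EXPECTED_GLOBAL = [
    "no ip finger", "no service udp-small-servers", "no service tcp-small-servers",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "no cdp run",
    "no service pad", "no ip bootp server", "no ip http server",
    "no ip source-route", "no ip gratuitous-arps",
]
EXPECTED_INTERFACE = [
    "no ip redirects", "no ip proxy-arp", "no ip unreachables",
    "no ip directed-broadcast", "no ip mask-reply", "no mop enabled",
]

def parse_config(text):
    """Return (global commands, {interface: sub-commands}) from config text."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):      # "!" ends a config block
            current = None
        elif line.startswith(" "):                # indented: block sub-command
            if current is not None:
                interfaces[current].add(line.strip())
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        else:                                     # any other global command
            current = None
            global_cmds.add(line)
    return global_cmds, interfaces

def audit(text):
    """Map each scope to the expected hardening commands absent from the config."""
    global_cmds, interfaces = parse_config(text)
    missing = {"global": [c for c in EXPECTED_GLOBAL if c not in global_cmds]}
    for name, cmds in interfaces.items():
        missing[name] = [c for c in EXPECTED_INTERFACE if c not in cmds]
    return missing

# Constructed sample: the lab's Final Configuration for R1, abbreviated.
SAMPLE = "\n".join([
    "hostname R1", "no ip source-route", "no ip gratuitous-arps", "no ip bootp server", "!",
    "interface FastEthernet0/0", " ip address 192.168.10.1 255.255.255.0",
    " no ip redirects", " no ip unreachables", " no ip proxy-arp", " no mop enabled", "!",
    "no ip http server", "no cdp run", "end",
])

if __name__ == "__main__":
    for scope, cmds in audit(SAMPLE).items():
        print(f"{scope}: not explicitly set: {cmds}")
```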


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual


First published / last updated: 2008.10.03 / 2018.06.11
