Section 10: Security (10 Points)

Previous page
Table of content
Next page

  • Configure R3 to be managed by http with password access of cisco for username and cisco for the password.

You can manage a router via http as the command ip http server is enabled by default; to add local password access, use the command ip http authentication local, and then configure a username and password on the router both to cisco. Figure 3-15 shows the Password screen when attempting to access R3 by HTTP. If you configured this correctly as shown in Example 3-92, you have scored 2 points.

Example 3-92. 1R3 HTTP Access
 username cisco password 0 cisco ! ip http authentication local

Figure 3-15. R3 HTTP Access


  • It is suspected that your network is being threatened by a W32.Blaster virus. You have been told that the virus is manipulating port 135, 139, and 445 and that it is attempting to enter your network from VLAN1. Configure R2 to block the virus entering the rest of your network and to provide as much detail at Layer 2 and 3 as to which devices might be initiating the attack. The worm will also attempt to send packets to random IP addresses, which do not exist. When this happens, the router will reply with an ICMP message. Configure R2 not to send this ICMP message.

You need to configure an access list to block port 135, 139, and 445 on R2 FastEthernet0/0. Because you have not been told if this is TCP or UDP, you must block both. To provide the detailed information, you are required to enable logging and use the log-input command at the end of your access list. Doing so will provide both MAC and IP address details of any device that matches the list on VLAN2. If an IP address is targeted that does not exist, the router will send an ICMP unreachable message, which will increase CPU resource activity. To stop this, you are required to configure no ip unreachables under interface FastEthernet0/0.

Although you have only been requested to block the virus from entering your network, it is good practice to also stop it from leaving your network so you are not responsible for spreading the virus if your network does become infected. If you have configured this correctly as shown in Example 3-93, you have scored 3 points. If you have only configured the ACL inbound on R2 and not also outbound, you have only scored 2 points.

Example 3-93. R2 Virus Protection Configuration
 logging buffered ! interface FastEthernet0/0   ip address 172.16.0.1 255.255.0.0   ip access-group 115 in   ip access-group 115 out   no ip unreachables ! access-list 115 deny tcp any any eq 135 log-input access-list 115 deny udp any any eq 135 log-input access-list 115 deny tcp any any eq 139 log-input access-list 115 deny udp any any eq 139 log-input access-list 115 deny tcp any any eq 445 log-input access-list 115 deny udp any any eq 445 log-input access-list 115 permit ip any any



Previous page
Table of content
Next page
CCIE Routing and Switching Practice Labs
CCIE Routing and Switching Practice Labs
ISBN: 1587051478
EAN: 2147483647
Year: 2006
Pages: 268
Authors: Martin J. Duggan, Maurilio P. Gorito
BUY ON AMAZON
Java I/O
Certified Ethical Hacker Exam Prep
Network Security Architectures
File System Forensic Analysis
Lean Six Sigma for Service : How to Use Lean Speed and Six Sigma Quality to Improve Services and Transactions
Python Standard Library (Nutshell Handbooks) with
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy