Addressing Table

| Device | Interface | IP Address | Subnet Mask |
| --- | --- | --- | --- |
| Router1-Cab1 | VLAN 10 Gateway | 192.168.1.1 | 255.255.255.0 |
| Router1-Cab1 | VLAN 20 Gateway | 192.168.2.1 | 255.255.255.0 |
| Router1-Cab1 | VLAN 30 Gateway | 192.168.3.1 | 255.255.255.0 |
| Win2008Server | FileandWebServer | 192.168.4.2 | 255.255.255.0 |
| Internet (loopback) | ISPLoopback | 100.100.100.1 | 255.255.255.0 |
| Hospital1 | ISP S0/0/1 | 201.201.201.2 | 255.255.255.0 |
| Hospital2 | ISP S0/0/0 | 202.202.202.2 | 255.255.255.0 |
| VLAN10 - Admin | Switch1 ports Fa1 and 2 | Network 192.168.1.0 | 255.255.255.0 |
| VLAN20 - Doctors | Switch1 ports Fa3 and 4 | Network 192.168.2.0 | 255.255.255.0 |
| VLAN30 - Blood | Switch1 ports Fa5 to 8 | Network 192.168.3.0 | 255.255.255.0 |
Objective
This is the supplementary activity for Task 4 of Assessment 1 of CIS098-2.
Background
You will be provided with a Packet Tracer activity that simulates the Modelo T&T network and asked to carry out some key security configurations to model a more secure design for the company. The Packet Tracer activity will 'score' your attempt (click 'show incomplete items' to see what you have correct and what is still to do). Please note this score is INDICATIVE and may not be exactly the score you will get for this section: an instructor will still look at your configuration. You will need to submit your Packet Tracer file with your technical report. 50% of this assignment mark will be for the PT grade and 10% for demonstrating testing and connectivity and providing configuration outputs.
[Please note: the PT file has already been configured with some information (to save you time): do not restart/erase the devices. Also, as a side note, a unique serial number is created when you open the PT file. Hint: do not copy someone else's PT file; we will know! If you could also add your student details as the USER details when you first open Packet Tracer, that would help identify your work.]
4.1. Intermediary device hardening – 20 points
a. Configure basic security on the main access layer switch with the following:
Switch name: Switch1-Cab1
Console password: modelo
VTY password: modelo
Enable mode (secret) password: modelosecure
Banner: Authorised Access Only
b. Configure basic security on the gateway router with the following:
Router name: Router1-Cab1
Console password: modelo
VTY password: modelo
Enable mode (secret) password: modelosecure
Banner: Authorised Access Only
4.2. Securing Remote Access to the Router (SSH) – 5 points
Add improved authentication on the router so that when someone tries to log in remotely via the vty 0 4 lines they are asked for a username and password. The configuration details are given below:
Domain name: Modelo
Username: Admin (privilege level 15) password Adminpass
Username: Tech (privilege level 3) password Techpass
Generate an RSA key 1024
On the VTY lines, restrict remote access to SSH connections only, requiring a local login
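The router side of 4.1(b) and 4.2 as a worked IOS configuration, added here as an example and not taken from the activity file. It assumes the vty lines are 0-4 as the brief states; the switch in 4.1(a) takes the same 4.1 commands with hostname Switch1-Cab1 and its own vty range (0 15 on a 2960).

```cisco
! Added example for 4.1(b) and 4.2 on Router1-Cab1; not part of the activity file.
! Assumption: the router's vty lines are 0-4 as the brief states.
enable
configure terminal
hostname Router1-Cab1
enable secret modelosecure
banner motd #Authorised Access Only#
line console 0
 password modelo
 login
line vty 0 4
 password modelo
 login
exit
!
! 4.2 - SSH with local user accounts
ip domain-name Modelo
username Admin privilege 15 secret Adminpass
username Tech privilege 3 secret Techpass
! The brief says "password"; "secret" stores a hash instead of the
! cleartext/type-7 string. Use the "password" keyword if the grader insists on it.
crypto key generate rsa modulus 1024
! (the interactive form "crypto key generate rsa" prompts for the modulus instead)
! Beyond the brief: refuse the weaker SSHv1 protocol
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
end
! "login local" replaces the "login" set in 4.1, so the vty line password is
! no longer consulted; the Admin/Tech accounts above are used instead.
copy running-config startup-config
```

Check with `show ip ssh` (version and key size) and `show running-config | section line vty`; a Telnet attempt to the router should now be refused while `ssh -l Admin 192.168.1.1` from PC1 prompts for the password.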
4.3. Configure VLANs on Switch1-Cab1 – 20 points
a. Add the following VLANs to Switch1:
Vlan 10 name Admin
Vlan 20 name Doctors
Vlan 30 name Blood
b. Name the VLANs to match the Addressing Table
c. Configure the switch interfaces to be in switchport mode access and in the appropriate VLANs, i.e.
Int fa0/1-2 belongs to Vlan 10
Int fa0/3-4 belongs to Vlan 20
Int fa0/5-8 belongs to Vlan 30
d. Important: shut down all Fast Ethernet ports that are NOT in use:
Go onto the interface range fa0/9-23
Shutdown all the interfaces
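The whole of 4.3 as one worked switch configuration, added here as an example rather than the activity's supplied config. It assumes Fa0/24 is the uplink to the router, which is why the brief's shutdown range stops at 0/23.

```cisco
! Added example for 4.3 on Switch1-Cab1; not the activity's supplied config.
! Assumption: Fa0/24 carries the uplink to the router and is deliberately
! outside the brief's shutdown range, so it is left alone here.
configure terminal
vlan 10
 name Admin
vlan 20
 name Doctors
vlan 30
 name Blood
exit
interface range fastEthernet 0/1-2
 switchport mode access
 switchport access vlan 10
interface range fastEthernet 0/3-4
 switchport mode access
 switchport access vlan 20
interface range fastEthernet 0/5-8
 switchport mode access
 switchport access vlan 30
! Unused ports: administratively down, so a stray cable in the cabinet
! gets no link and no VLAN membership.
interface range fastEthernet 0/9-23
 shutdown
end
! Verification: each port listed under its VLAN, and 0/9-23 shown as disabled
show vlan brief
show interfaces status
copy running-config startup-config
```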
4.4. Confirm DHCP is working and test basic connectivity between hosts – 5 points
On each PC, open Desktop > IP Configuration and check that it is set to DHCP and has been assigned an IP address from the correct network. VLANs:
Vlan 10 - Admin - 192.168.1.0/24
Vlan 20 - Doctors - 192.168.2.0/24
Vlan 30 - Blood - 192.168.3.0/24
Connectivity Table

| Host/PC Name | VLAN | Assigned IP Address |
| --- | --- | --- |
| PC1 | 10-Admin | |
| PC2 | 10-Admin | |
| PC3 | 20-Doctors | |
| PC4 | 20-Doctors | |
| PC5 | 30-Blood | |
| PC6 | 30-Blood | |
| PC7 | 30-Blood | |
| PC8 | 30-Blood | |
Make a 'testing plan/table' and conduct a connectivity test throughout the network to check that every device can ping one another and reach the internal file and web server on 192.168.4.2 (hint: make sure to use the correct connectivity tests when performing these checks), the external hospitals on 201.201.201.2 and 202.202.202.2, and the 'internet' on 100.100.100.1. Document this testing in your technical report; if you take pictures of the devices pinging, please make sure the name of the device is visible at the top of the snip.
4.5. Configure Port Security – 10 marks
The Doctors' Office needs extra security to make sure that the switch ports in that room are not used by unknown devices. Access the command line for Switch1-Cab1 and enable port security on Fast Ethernet ports 0/3 and 0/4:
• Go onto the interface range fa0/3-4
• Enable switchport port-security
• Set the port-security maximum so that only one device can access each of the Fast Ethernet ports 0/3 and 0/4
• Secure the ports so that the MAC address of a device is dynamically learned and added to the running configuration (using the 'mac-address sticky' command)
• Set the violation mode to ‘restrict’ so that the Fast Ethernet ports 0/3 and 0/4 are not disabled when a violation occurs, but a notification of the security violation is generated and packets from the unknown source are dropped.
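The 4.5 steps as a worked configuration with the checks that show each setting took effect, added here as an example and not the activity's supplied config.

```cisco
! Added example for 4.5 on Switch1-Cab1; not the activity's supplied config.
configure terminal
interface range fastEthernet 0/3-4
 ! port-security is refused on a port still in dynamic (DTP) mode,
 ! so access mode (already set in 4.3) must be in place first
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! restrict: port stays up, frames from any other MAC are dropped, the
 ! violation counter increments and a notification is raised; the default
 ! "shutdown" mode would instead put the port into err-disabled
 switchport port-security violation restrict
end
! Verification: "Port Security: Enabled", "Violation Mode: Restrict",
! "Maximum MAC Addresses: 1"; the sticky entry appears once the PC sends a frame
show port-security interface fastEthernet 0/3
show port-security address
! The learned address is written into running-config as
! "switchport port-security mac-address sticky <mac>"; save it or it is lost on reload
copy running-config startup-config
```

Generate a frame from the PC on Fa0/3 (a ping to its gateway is enough) before saving, otherwise the sticky entry has not yet been learned and the startup-config will not contain it.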
4.6. Wi-Fi Configuration and Security – 5 marks
Note: You can do this configuration directly on the Wi-Fi router, rather than needing to access it via a computer (just double-click the device and choose GUI).
a. Configure the Basic Setup of the Wireless Router as follows
Leave the Internet IP address as it is
Under Network Set-up
Router IP Address: 192.168.5.3
Subnet Mask: 255.255.255.0
Save settings
b. DHCP Settings
DHCP start IP address: 192.168.5.100
Save settings
c. Wireless Settings
SSID: ModeloCafe
Standard Channel: 1 – 2.412 GHz
Save settings
d. Wireless Security
Security Mode: WPA2 Personal
Encryption: AES
Password: Cafeteria
e. Connecting Wireless Devices
Connect Laptop1 to the Wi-Fi Router from the PC Wireless settings.
From the command prompt
Ping 100.100.100.1 (the internet)
Ping 192.168.1.3 (PC1)
Both pings should be successful
Add to your technical report a screenshot showing this
Connect Laptop2 to the Wi-Fi router
From the command prompt ping Laptop1
Add to your technical report a screenshot showing a successful ping
4.7. Access-control-lists – 10 marks
The Secretaries' access should be limited to the internet, the cafe and the file/web server; access to the Doctors' and Microbiologists' computers needs to be blocked.
a. On Router 1
Configure an extended access control list 101 that:
• Denies, for any IP protocol, the Secretaries network 192.168.1.0 255.255.255.0 access to the Doctors network 192.168.2.0 255.255.255.0
• Denies, for any IP protocol, the Secretaries network 192.168.1.0 255.255.255.0 access to the Blood Test network 192.168.3.0 255.255.255.0
• Allows all other traffic
b. Apply the ACL to the Interface
Add the command to apply this extended access control list on R1’s Gi0/2.1 interface in the in direction.
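The 4.7 access list and its application as a worked configuration, added here as an example and not the activity's supplied config. It assumes Gi0/2.1 is the router subinterface for VLAN 10 (192.168.1.0/24), the Secretaries side.

```cisco
! Added example for 4.7 on Router1-Cab1; not the activity's supplied config.
! Assumption: Gi0/2.1 is the subinterface for VLAN 10 (192.168.1.0/24), i.e. the
! Secretaries/Admin side, which is why the list is applied inbound there.
configure terminal
! Wildcard masks are the inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
! Entries are matched top-down and the list ends in an implicit "deny any";
! without this permit the internet, the cafe and 192.168.4.2 would be blocked too
access-list 101 permit ip any any
interface gigabitEthernet 0/2.1
 ip access-group 101 in
end
! Verification: the match counters on the two deny lines rise when PC1 pings PC3,
! and the interface shows "Inbound access list is 101"
show ip access-lists 101
show ip interface gigabitEthernet 0/2.1
copy running-config startup-config
```

Because the list is inbound on the VLAN 10 subinterface it also drops PC1's echo replies to a ping started from the Doctors side, so a Doctors-to-Secretaries ping fails as well even though the brief only asks for the Secretaries-initiated direction to be blocked; note that in your testing table rather than treating it as a fault.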
4.8. Configure Protocols – 15 marks
a. Configure OSPF on all Routers
Configure process ID of 1
Configure area of 0
b. Configure CDP on all Routers
Configure CDP on Switch 1
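A worked 4.8 configuration, added here as an example and not the activity's supplied config. It assumes the three routers are Router1-Cab1, Hospital1 and Hospital2 from the Addressing Table and uses an all-interfaces network statement because Router1-Cab1's WAN addressing is not given in the brief.

```cisco
! Added example for 4.8; not the activity's supplied config.
! Assumption: run on Router1-Cab1, Hospital1 and Hospital2 alike.
configure terminal
router ospf 1
 ! 0.0.0.0 255.255.255.255 is an all-ones wildcard: every interface that has an
 ! IP address joins area 0, so the WAN addressing need not be known here.
 ! Beyond the brief: "passive-interface" on the LAN subinterfaces would stop
 ! hellos being sent towards the VLANs where no neighbour can exist.
 network 0.0.0.0 255.255.255.255 area 0
exit
cdp run
end
! Verification: one neighbour per serial link in FULL state, and the CDP
! table listing the directly connected routers and Switch1-Cab1
show ip ospf neighbor
show ip protocols
show cdp neighbors
!
! Switch1-Cab1: CDP is on by default on a 2960; this makes it explicit
configure terminal
cdp run
end
show cdp neighbors
```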
4.9. Documentation of your configuration – 10 marks
In your technical document please include the following:
A screenshot of your Packet Tracer showing the % score (and network diagram in the background)
From the router, issue the following commands and copy and paste the results into the technical report:
Show run
Show ip int br
Show ip access-list
Show ip Protocols
Show ip ospf neighbor detail
Show cdp neighbors
From the switch, issue the following commands and copy and paste the results into the technical report:
Show run
Show vlan
Show port-security
Show cdp neighbors
Submit your completed Packet Tracer file along with your Technical Document via the Assignment 1 BREO link by the stated deadline. Make sure to name your two files as StudentID.pka and StudentID.docx, e.g. a student with ID 12345678 will name their files as 12345678.ext where ext can be pka, docx, pdf, or odt. 5 marks will be deducted if the naming convention is not followed.