TP003 – Adding security to a wireless network and its access points
SUMMARY
PREAMBLE
WEP configuration
Router configuration
Access Point configuration using WEP
WPA configuration
New access point configuration using WPA-PSK
Step 1: Configure both PC clients to connect to APxx using WPA.
Step 2: Configure one PC client to connect to APx in WEP and another PC client to connect to APxx using WPA, and have them both connect to the Internet.
(OPTION) Hardening: Configure the access point device security
Step 1 Configure basic AP settings
Step 2 Configure a new administrator account
Step 3 Configure accurate time
Step 4 Configure MOTD and login banner
Step 5 Configure SSH
Step 6 Configure SSH timeouts
Step 7 Configure local authentication and VTY
Step 8 Debug and verify SSH
Step 9 Syslog configuration
(OPTION) Hardening: Setting advanced security filters
Step 1 Creating a MAC address filter
Step 2 Creating a MAC address filter
Step 3 Apply the MAC address filter
Step 4 Test the MAC address filter
Step 5 Remove the MAC address filter
Step 6 Creating an IP filter
Step 7 Apply the IP filter
PREAMBLE
→ A black arrow like this one means you have to answer the question and report the result of your research to the instructor for grading.
When a section is marked as (OPTION), don't do it immediately, but only at the end of the lab if you still have time.
Adding security to your WLAN: in these labs, students will become familiar with encryption techniques such as WEP, WPA, and so on. Some additional settings of the access points themselves will be covered in order to ensure a homogeneous security level across your LAN.
WEP configuration
Build the following configuration, where your access point allows the wireless clients to connect to the Internet safely.
To this end, you will configure:
· DHCP server on router: for range 192.168.X.100 - 120
· NAT on router: dynamic NAT with overload on eth1 address
· WEP on access point for encryption
Where X is the number of your pod (paillasse, i.e. your lab bench).
Router configuration
→ What are the configuration lines entered on the router for the interface definitions and default routing?
→ What are the configuration lines entered on the router for the DHCP definition?
→ What are the configuration lines entered on the router for the NAT interface definitions, the ACL and the translation?
Note: if NAT gives you trouble, have a look at this website: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/260-cisco-router-nat-overload.html
Access Point configuration using WEP
→ What are the configuration lines entered on the access point for the BVI interface definition?
→ What are the configuration lines entered on the access point for the definition of the SSID RTLPx with open authentication and broadcast of the SSID?
Once the RTLPx SSID is defined, you have to propagate it on both wireless radios of the access point.
Enter the following command lines to set WEP encryption on the radio with the predefined key 0123456789.
ap> enable
ap# configure terminal
ap(config)# hostname APx                                   ! where x is your pod number (the WEP AP is APx, the WPA AP of the next lab is APxx)
APx(config)# interface dot11Radio0
APx(config-if)# ssid RTLPx                                 ! where x is your pod number
APx(config-if)# channel y                                  ! use the appropriate channel y
APx(config-if)# station-role root access-point
APx(config-if)# encryption key 1 size 40bit 0 0123456789 transmit-key
APx(config-if)# encryption mode wep mandatory
APx(config-if)# no shutdown
APx(config-if)# exit
APx(config)# exit
APx# write mem
Replicate the command lines for Dot11Radio1.
Where:
· "encryption key 1" means this is the first key: you can provide up to four different keys on these APs
· "size 40bit" means this is a "64-bit" key :) : it is coded on 10 hexadecimal digits (the other 24 bits of the 64 are the per-frame IV, not secret key material)
· If you list the running config, the "0 0123456789" is shown as "7 203001278912": the 0 before the key 0123456789 tells the IOS that the key is provided in clear text but must be stored encrypted in the configuration file; 7 means it is already encrypted, and this is what a "show run" displays.
· "encryption mode wep mandatory" makes the use of WEP mandatory to talk with the AP
→ What configuration lines change if you want a 128-bit key (26 hex digits) stored in clear text in the configuration file?
Check everything using the appropriate commands on the router or access point:
show running-config
show interfaces
show dot11 BSSID
show dot11 associations
show ip nat translations
Demonstrate IP connectivity using appropriate commands or tools:
ping
tracert
nslookup
→ What are the NAT mapping entries maintained between inside and outside addresses?
→ Demonstrate connectivity to the instructor
→ What is the available THROUGHPUT? Does encryption drastically change performance?
WPA configuration
In the following lab, you will extend the previous lab by adding a new access point (192.168.x.252/24) connected to the same switch.
This time, the access point is going to use WPA (pre-shared key) encryption.
New access point Configuration using WPA-PSK
Basic instructions for configuration:
· Propagated SSID: RTLPxx (e.g. RTLP66 when x==6)
· Channel == y+1
· WPA-PSK key: "abcdef123456"
Enter the following command lines to set WPA-PSK encryption on the radio with the predefined key abcdef123456.
ap> enable
ap# configure terminal
ap(config)# hostname APxx                                  ! where x is your pod number
APxx(config)# dot11 ssid RTLPxx
APxx(config-ssid)# authentication open
APxx(config-ssid)# authentication key-management wpa version 2   ! omit "version 2" if WPA-2 is already the default in your firmware
APxx(config-ssid)# wpa-psk ascii abcdef123456              ! this is the authentication pre-shared key
APxx(config-ssid)# exit
APxx(config)# interface dot11Radio0
APxx(config-if)# encryption mode ciphers aes-ccm tkip      ! set the cipher before binding the SSID; "tkip" alone gives WPA-1 only, "aes-ccm tkip" supports both WPA-2 and WPA-1
APxx(config-if)# ssid RTLPxx                               ! where x is your pod number
APxx(config-if)# channel y+1                               ! use the appropriate channel (y+1)
APxx(config-if)# station-role root access-point
APxx(config-if)# no shutdown
APxx(config-if)# exit
APxx(config)# exit
APxx# write mem
Replicate the command lines for Dot11Radio1.
Step 1: Configure both PC clients to connect to APxx using WPA.
→ Demonstrate connectivity between the clients to the instructor
→ What is the available THROUGHPUT between clients? Compare and explain the results.
Step 2: Configure one PC client to connect to APx in WEP and another PC client to connect to APxx using WPA, and have them both connect to the Internet.
→ Is it possible to communicate between these PCs, and at what THROUGHPUT? Explain your theory or RESULTS.
You have now finished setting up a basic security baseline for a SOHO network using WPA-PSK, with no per-user authentication.
In the upcoming labs, you will strengthen security by extending the authentication process with the 802.1X protocols and per-user authentication.
(OPTION) Hardening: Configure the access point device security
The goal of this lab exercise is to learn how to do some "hardening" on your network devices. The idea is to enforce a good-enough security level on your network devices; otherwise they will become the weak link of your security chain…
The following commands will be used. Refer to this list if assistance or help is needed during the lab exercise.
Step 1 Configure basic AP settings
If not already done, configure the hostname and SSID as in the previous sections, then the domain name (the RSA key generated in step 5 is named after the hostname and domain name):
APx(config)# ip domain-name gtr.tp
Step 2 Configure a new administrator account
One of the easiest ways for hackers to gain access to network devices is by using default usernames and passwords.
a. Configure a new administrator account.
APx(config)# username cIsCo123 password cIsCo123
b. In a production environment, it is necessary to delete the old account.
APx(config)# no username Cisco password Cisco
c. Also, it is important to encrypt the passwords in the configurations if there are multiple administrator accounts with various privilege levels. By default, this is enabled on the AP1240.
APx(config)# service password-encryption
d. While in configuration mode, verify the user accounts and password encryption.
APx(config)# do show run
e. Secure the console connection by requiring a password.
APx(config)#line con 0
APx(config-line)#login
APx(config-line)#password cIsCo123
f. Exit out of the AP and log back in.
User Access Verification
Password:
g. A more secure method is to require a username and password combination. Return to configuration mode and configure local authentication on the console.
APx(config)#line con 0
APx(config-line)#login local
h. Exit out of the AP and log back in using the username password combination configured in step 2a.
User Access Verification
Username:
Password:
APx
Step 3 Configure accurate time
In order to keep track of any potential attacks, it is important to maintain accurate time on the device (timestamps in logs are only useful if the clock is right).
a. Configure the correct time. Use the help feature if needed.
APx#clock set 00:00:01 01 JAN 2007
b. Set the correct timezone.
APx(config)#clock timezone [name of time zone] [offset in hours]
Example:
APx(config)#clock timezone Paris 1   ! offset from UTC in hours, positive east of Greenwich
c. (Optional) Configure daylight saving time. Use the help feature or command reference if needed. Example for the European rule (last Sunday of March to last Sunday of October):
APx(config)#clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
d. Check the clock settings while in configuration mode.
APx(config)#do show clock
A better solution is to use an NTP server and synchronize the AP to it.
→ Find out how to set up an NTP server using a local PC running tftp64 as the target server, and the appropriate IOS command lines to synchronize to it.
Step 4 Configure MOTD and login banner
a. Configure a message-of-the-day (MOTD). The MOTD banner appears on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).
APx(config)#banner motd #
This is a supposed secure site.
For access, contact the instructor.
#
APx(config)#
b. Exit out of the console or telnet session to check the MOTD.
c. Configure a login banner. This banner appears after the MOTD banner and before the login prompt.
APx(config)#banner login $
Access for authorized users only. Please enter your username and password.
$
APx(config)#
d. Exit out of the console to check the banner.
Step 5 Configure SSH
In some circumstances, attackers may be able to use a packet analyzer to intercept telnet passwords, which may enable them to gain access to the AP or other networking devices. The SSH protocol is a secure form of telnet, providing both authentication and encryption.
First, begin by generating the asymmetric keys used in the SSH authentication process.
To generate RSA keys: enter the following command in the configuration mode:
APx(config)#crypto key generate rsa ?
è What are the available help options for this command?
To enable SSH for local and remote authentication on the AP, enter the command crypto key generate rsa and press Enter. The AP will respond with a message showing the naming convention for the keys.
Press Enter to accept the default key size and continue.
Step 6 Configure SSH timeouts
Configuring SSH timeouts and authentication retries is a way of providing additional security for the connection. Use the command ip ssh {time-out seconds | authentication-retries integer} to set the timeout and the number of authentication retries.
Set the SSH timeout to 15 seconds and the amount of retries to 3 by entering the following commands:
APx(config)#ip ssh time-out 15
APx(config)#ip ssh authentication-retries 3
Step 7 Configure local authentication and VTY
Use the following commands to define a local user and assign SSH communication to the vty lines:
APx(config)# username cisco password student
APx(config)# line vty 0 4
APx(config-line)# transport input ssh
APx(config-line)# login local
What are the available parameters for the transport input command?
Step 8 Debug and verify SSH
Enable debugging of SSH by entering the following commands:
APx(config)# logging on
APx(config)# exit
APx# terminal monitor
APx# debug ip ssh
Browse the messages in the SSH debug output.
Next, open another instance of the SSH client and connect to the AP. Use the correct username and password to log in to the AP.
To get an idea of the debugging process and of the debugging messages, open another instance of the SSH client and intentionally enter a wrong username or password. View the debugging output for the failed authentication.
Step 9 Syslog configuration
Tftp64 can be configured to act as a syslog server.
→ Briefly describe the logging command to use in order to set it up, and write down the format of some events.
Enabling the debug commands in the previous steps should generate syslog events that are displayed by tftp64.
Disable debugging
APx#undebug all
All possible debugging has been turned off
(OPTION) Hardening: Setting advanced security filters
First, we will create a MAC address filter: it allows selecting which clients can connect to the wireless LAN according to their layer 2 address.
Second, we will filter based on IP addresses (layer 3).
Step 1 Creating a MAC address filter
Verify that tftp64 is running on the PC client with the following features enabled:
- TFTP Server
- Syslog Server
- SNTP Server
Verify that the AP gets its IP address through DHCP requests.
Verify that the AP sends its logs to tftp64 and synchronizes its clock with it.
Step 2 Creating a MAC address filter
Using an Internet Explorer browser, connect to the AP and follow the path below to reach the Address Filters page:
a. Click SERVICES in the page navigation bar.
b. In the Services page list, click Filters.
c. On the Apply Filters page, click the MAC Address Filters tab at the top of the page.
d. Make sure <NEW> (the default) is selected in the Create/Edit Filter Index menu.
e. In the Filter Index field, name the filter with a number starting from 701.
f. Enter the MAC address of a wireless client in the Add MAC Address field.
→ Enter the address with periods separating the three groups of four characters (0007.50CA.E208, for example).
g. Select Forward from the Action menu.
h. Click Add. The MAC address appears in the Filters Classes field.
i. Click Apply. The filter is saved on the AP, but it is not enabled until it is applied on the Apply Filters page.
Step 3 Apply the MAC address filter
a. From the SERVICES > Filters page, go to the APPLY FILTERS tab.
b. Select the filter number 701 from the Radio0-802.11 MAC drop-down menus. Apply the filter to incoming and outgoing packets.
c. Click Apply. The filter is enabled on the selected ports.