NETWORK SECURITY - NSEC-310
Student Name
Lawrence Chikopa
CIS/018/19
Course Lecturer
Menard Phiri
mephiri@must.ac.mw
LAB ASSIGNMENT 4
August 31, 2022
Contents
1 INTRODUCTION
2 GOALS
3 TOPOLOGY
4 OSPF MD5 AUTHENTICATION
4.0.1 ospf MD5 authentication on R1
4.1
4.1.1 Verifying that ospf md5 authentication is configured on R1
4.2
4.2.1 ospf MD5 authentication on R2
4.3
4.3.1 Verifying that ospf md5 authentication is configured on R2
4.4
4.4.1 ospf MD5 authentication on R3
4.5
4.5.1 Verifying that ospf md5 authentication is configured on R3
4.6
5 CONFIGURE AUTHENTICATION ON THE NTP SERVER AND THE ROUTERS
5.1 Enable NTP authentication on PCA (NTP Server)
5.2 Configuring R1, R2, and R3 as NTP clients
5.2.1 Configuring NTP authentication on R1
5.2.2 Configuring NTP authentication on R2
5.2.3 Configuring NTP authentication on R3
6 UPDATE THE HARDWARE CLOCK WITH THE TIME LEARNED FROM THE NTP
6.0.1 Update Hardware clock with time learned from NTP on R1
6.0.2 Update Hardware clock with time learned from NTP on R2
6.0.3 Update Hardware clock with time learned from NTP on R3
7 CONFIGURE ROUTERS TO TIMESTAMP LOG MESSAGES
7.1 Timestamp log messages on R1
7.2 Timestamp log messages on R2
7.3 Timestamp log messages on R3
8 CONFIGURE THE ROUTERS TO IDENTIFY THE REMOTE HOST (SYSLOG SERVER) THAT WILL RECEIVE LOGGING MESSAGES
8.1 Configuration
8.1.1 Router 1
8.1.2 Router 2
8.1.3 Router 3
8.2 Verification of the logging syslog server configuration on the routers
8.2.1 Verification on Router 1
8.2.2 Verification on Router 2
8.2.3 Verification on Router 3
8.3 Checking the Syslog server
9 CONFIGURE ROUTER 3 TO BE MANAGED SECURELY WITH SSH NOT TELNET
9.1 Configure domain name
9.2
9.3 Configure users to Login to the SSH server
9.4
9.5 Configure vty lines incoming
9.6
9.7 Checking if the R3 can be managed by Telnet or SSH
9.7.1 Using Telnet
9.8
9.8.1 Using SSH
9.9
10 CONCLUSION
List of Figures
1 Topology for configuring Syslog, NTP and SSH
2 ospf md5 authentication configured on R1
3 Verifying that ospf md5 is configured on R1
4 ospf md5 authentication configured on R2
5 Verifying that ospf md5 is configured on R2
6 ospf md5 authentication configured on R3
7 Verifying that ospf md5 is configured on R3
8 NTP authentication configured on PCA (NTP server)
9 Configuring NTP authentication on R1
10 Configuring NTP authentication on R2
11 Configuring NTP authentication on R3
12 Updating hardware clock with the time learned from NTP server on R1
13 Updating hardware clock with the time learned from NTP server on R2
14 Updating hardware clock with the time learned from NTP server on R3
15 Timestamp log messages on R1
16 Timestamp log messages on R2
17 Timestamp log messages on R3
18 Configuring R1 to identify Syslog server that will receive logging messages
19 Configuring R2 to identify Syslog server that will receive logging messages
20 Configuring R3 to identify Syslog server that will receive logging messages
21 Verify logging on router 1
22 Verify logging on router 2
23 Verify logging on router 3
24 Checking the SYSLOG Server
25 Domain name on the R3. Any name can be given
26 SSHAdmin user with password "mustcisco" configured on Router 3
27 vty lines configured
28 R3 cannot be managed securely using telnet
29 R3 managed securely using SSH
1 INTRODUCTION
System Logging Protocol (Syslog) is a way for network devices to use a standard
message format to communicate with a logging server. It was designed specifically
to make it easy to monitor network devices. Devices can use a Syslog agent
to send out notification messages under a wide range of specific conditions.
Network Time Protocol (NTP) is an internet protocol used to synchronize
computer clocks with time sources in a network. It is one of the
oldest parts of the TCP/IP suite. The term NTP applies to both the protocol
and the client-server programs that run on the computers.
SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol
that gives users, particularly system administrators, a secure way to access a
computer over an unsecured network. SSH provides strong password authentication
and public key authentication as well as encrypted data communications
between two computers connecting over an open network such as the internet.
This lab focuses on configuring System Logging Protocol (Syslog), Network Time
Protocol (NTP) and Secure Socket Shell (SSH) on Cisco routers.
2 GOALS
- Configure OSPF MD5 authentication
- Configure authentication on the NTP server and the routers
- Configure the routers to periodically update the hardware clock with the time learned from NTP
- Configure timestamp service for logging on the routers
- Configure the routers to identify the remote host
- Configure R3 to be managed securely using SSH instead of Telnet
- Configure the routers and use password mustcisco for enable password and vty lines
3 TOPOLOGY
In this topology, PCA is the NTP server, PCB is the Syslog server and PCC is the
SSH client. There are three routers and two switches.
Figure 1: Topology for configuring Syslog, NTP and SSH
4 OSPF MD5 AUTHENTICATION
OSPF MD5 authentication is more secure than plain text authentication because
the password itself is never sent in the packet. The sender uses the MD5
algorithm to compute a hash value from the contents of the OSPF packet and the
password, and transmits this hash value in the packet. The receiver, which
knows the same password, calculates its own hash value and accepts the packet
only if the two values match.
The figures below show how OSPF MD5 authentication was configured on the
routers.
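Added example, not part of the original report: the digest exchange described above, laid out as in the OSPFv2 cryptographic authentication of RFC 2328 Appendix D, including the sequence number the receiver uses to reject replayed packets. The key "labkey", the router ID and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = 16  # an MD5 digest is 16 bytes

def pad_key(password: str) -> bytes:
    """The shared key is used as a 16-byte field, zero-padded if shorter."""
    return password.encode()[:16].ljust(16, b"\x00")

def ospf_header(router_id: int, area_id: int, body_len: int,
                key_id: int, seq: int) -> bytes:
    """24-byte OSPFv2 Hello header with AuType 2 (cryptographic)."""
    # version, type (1 = Hello), length, router ID, area ID, checksum, AuType
    fixed = struct.pack("!BBHIIHH", 2, 1, 24 + body_len,
                        router_id, area_id, 0, 2)
    # authentication field: zero, key ID, digest length, sequence number
    return fixed + struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)

def sign(packet: bytes, password: str) -> bytes:
    """Sender: append MD5(packet || key); the key itself is never sent."""
    return packet + hashlib.md5(packet + pad_key(password)).digest()

def verify(wire: bytes, password: str, last_seq: int) -> bool:
    """Receiver: reject replays, then recompute the digest and compare."""
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    (seq,) = struct.unpack("!I", packet[20:24])
    if seq < last_seq:  # older than the last packet seen from this neighbor
        return False
    expected = hashlib.md5(packet + pad_key(password)).digest()
    return hmac.compare_digest(expected, digest)

def demo() -> dict:
    # Constructed values: router ID 1.1.1.1, area 0, key "labkey", zeroed body.
    wire = sign(ospf_header(0x01010101, 0, 20, 1, 100) + bytes(20), "labkey")
    tampered = wire[:30] + b"\xff" + wire[31:]
    return {
        "same key": verify(wire, "labkey", 100),
        "wrong key": verify(wire, "cisco123", 100),
        "modified in transit": verify(tampered, "labkey", 100),
        "replayed": verify(wire, "labkey", 101),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first case is accepted; a neighbor with a different key, a packet altered in transit and a packet with an old sequence number are all dropped.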
4.0.1 ospf MD5 authentication on R1
4.1
Figure 2: ospf md5 authentication configured on R1
4.1.1 Verifying that ospf md5 authentication is configured on R1
4.2
Figure 3: Verifying that ospf md5 is configured on R1
4.2.1 ospf MD5 authentication on R2
4.3
Figure 4: ospf md5 authentication configured on R2
4.3.1 Verifying that ospf md5 authentication is configured on R2
4.4
Figure 5: Verifying that ospf md5 is configured on R2
4.4.1 ospf MD5 authentication on R3
4.5
Figure 6: ospf md5 authentication configured on R3
4.5.1 Verifying that ospf md5 authentication is configured on R3
4.6
Figure 7: Verifying that ospf md5 is configured on R3
5 CONFIGURE AUTHENTICATION ON THE NTP SERVER AND THE ROUTERS
5.1 Enable NTP authentication on PCA (NTP Server)
To achieve this, on PCA click NTP under the Services tab to verify that NTP
is enabled. To configure NTP authentication, click Enable and use key 1 with
"cisco" as the password. The figure below shows the configuration
of NTP authentication on the NTP server.
Figure 8: NTP authentication configured on PCA(NTP server)
5.2 Configuring R1, R2, and R3 as NTP clients
The routers also use the same key 1 and password "cisco" for NTP authentication.
The commands that are used are "ntp authentication-key 1 md5 cisco" together
with "ntp trusted-key 1". The next three figures show how NTP authentication
was configured on the routers.
5.2.1 Configuring NTP authentication on R1
Figure 9: Configuring NTP authentication on R1
5.2.2 Configuring NTP authentication on R2
Figure 10: Configuring NTP authentication on R2
5.2.3 Configuring NTP authentication on R3
Figure 11: Configuring NTP authentication on R3
6 UPDATE THE HARDWARE CLOCK WITH THE TIME LEARNED FROM THE NTP
Only two commands are needed for this task. The first identifies the NTP
server, in this case PCA, so the command is "ntp server 198.168.1.5". The
second, "ntp update-calendar", updates the hardware clock with the time
learned from NTP. The next three figures show the configurations on the three
routers. The command "show clock" displays the clock.
6.0.1 Update Hardware clock with time learned from NTP on R1
Figure 12: Updating hardware clock with the time learned from NTP server on
R1
6.0.2 Update Hardware clock with time learned from NTP on R2
Figure 13: Updating hardware clock with the time learned from NTP server on
R2
6.0.3 Update Hardware clock with time learned from NTP on R3
Figure 14: Updating hardware clock with the time learned from NTP server on
R3
7 CONFIGURE ROUTERS TO TIMESTAMP LOG MESSAGES
The command "service timestamps log datetime msec" is used to achieve this
on the three routers. The next three figures show the configurations that were
made on the three routers, from router 1 to router 3.
7.1 Timestamp log messages on R1
Figure 15: Timestamp log messages on R1
7.2 Timestamp log messages on R2
Figure 16: Timestamp log messages on R2
7.3 Timestamp log messages on R3
Figure 17: Timestamp log messages on R3
8 CONFIGURE THE ROUTERS TO IDENTIFY THE REMOTE HOST (SYSLOG SERVER) THAT WILL RECEIVE LOGGING MESSAGES
This specifies the syslog server by IP address and host name. The command
used on each router is "logging host 192.168.1.6". The figures below show the
configuration on each router, and part 8.2 shows the verification of the
logging host command.
8.1 Configuration
8.1.1 Router 1
Figure 18: Configuring R1 to identify Syslog server that will receive logging
messages
8.1.2 Router 2
Figure 19: Configuring R2 to identify Syslog server that will receive logging
messages
8.1.3 Router 3
Figure 20: Configuring R3 to identify Syslog server that will receive logging
messages
8.2 Verification of the logging syslog server configuration on the routers
8.2.1 Verification on Router 1
Figure 21: Verify logging on router 1
8.2.2 Verification on Router 2
Figure 22: Verify logging on router 2
8.2.3 Verification on Router 3
Figure 23: Verify logging on router 3
8.3 Checking the Syslog server
Here interface serial0/0/0 on R1 is shut down and turned on again so that the
router generates log messages. To check the logs, go to the syslog server PCB
and, under SYSLOG, check the syslog entries. The figure below shows the logs.
Figure 24: Checking the SYSLOG Server
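Added example, not part of the original report: a parser for log lines in the format that "service timestamps log datetime msec" produces, which pairs the interface down and up events from a test like the one above and records whether the router's clock was NTP-synchronized when it wrote them. The sample lines are constructed, and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the format produced by
# 'service timestamps log datetime msec' (not copied from the lab's figures).
SAMPLE = """\
*Aug 31 10:02:11.120: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down
*Aug 31 10:02:12.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
Aug 31 10:03:40.502: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
Aug 31 10:03:41.515: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
""".splitlines()

LINE = re.compile(
    r"^(?P<flag>[*.]?)(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
LINK = re.compile(r"^Interface (?P<name>[^,\s]+), changed state to (?P<state>.+)$")

def parse(line, year):
    """Split one IOS log line into fields; the timestamp carries no year."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
    # A leading '*' or '.' means the clock was not NTP-synchronized.
    return {"time": when, "synced": m["flag"] == "", "facility": m["facility"],
            "severity": int(m["sev"]), "text": m["text"]}

def outages(lines, year=2022):
    """Pair each LINK 'down' event with the next 'up' on the same interface."""
    pending, found = {}, []
    for rec in (parse(line, year) for line in lines):
        m = LINK.match(rec["text"]) if rec and rec["facility"] == "LINK" else None
        if m is None:
            continue
        if m["state"].endswith("down"):
            pending[m["name"]] = rec
        elif m["name"] in pending:
            start = pending.pop(m["name"])
            found.append({"interface": m["name"],
                          "seconds": (rec["time"] - start["time"]).total_seconds(),
                          "trusted_time": start["synced"] and rec["synced"]})
    return found

if __name__ == "__main__":
    print(outages(SAMPLE))
```

An outage whose `trusted_time` is false was logged at least partly before the router had synchronized with the NTP server, so its timestamps should not be correlated with other devices without checking.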
9 CONFIGURE ROUTER 3 TO BE MANAGED SECURELY WITH SSH NOT TELNET
This section configures SSH on router 3.
9.1 Configure domain name
9.2
Figure 25: Domain name on the R3. Any name can be given
9.3 Configure users to Login to the SSH server
The username is SSHAdmin and Login Password is "mustcisco". The figure
below shows the configuration.
9.4
Figure 26: SSHAdmin user with password "mustcisco" configured on Router 3
9.5 Configure vty lines incoming
The username is SSHAdmin and Login Password is "mustcisco". The figure
below shows the configuration.
9.6
Figure 27: vty lines configured
9.7 Checking if the R3 can be managed by Telnet or SSH
Here Router 3 cannot be accessed using Telnet; instead it is managed by
SSH. The operations in the screenshots below were performed on PCC, which is the
SSH client.
9.7.1 Using Telnet
9.8
Figure 28: R3 cannot be managed securely using telnet
9.8.1 Using SSH
9.9
Figure 29: R3 managed securely using SSH
10 CONCLUSION
In conclusion, this lab focused on configuring the System Logging Protocol,
Network Time Protocol and Secure Socket Shell on Cisco routers.
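Added example, not part of the original report: a check that a saved running-config contains the settings this lab configures (OSPF MD5, NTP authentication, calendar update, log timestamps, syslog host, SSH-only vty lines). The configuration excerpt is constructed and deliberately incomplete, the patterns assume standard IOS command spellings, and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt (not the lab's actual output): it omits
# 'ntp authenticate' and still allows Telnet on the vty lines.
SAMPLE_CONFIG = """\
service timestamps log datetime msec
interface Serial0/0/1
 ip ospf message-digest-key 1 md5 7 REDACTED
router ospf 1
 area 0 authentication message-digest
ntp authentication-key 1 md5 REDACTED 7
ntp trusted-key 1
ntp server 198.168.1.5 key 1
ntp update-calendar
logging host 192.168.1.6
line vty 0 4
 login local
 transport input telnet ssh
"""

# (finding reported when absent, pattern that must match a config line)
REQUIRED = [
    ("OSPF MD5 key missing", r"^ ip ospf message-digest-key \d+ md5 "),
    ("OSPF MD5 not enabled", r"^ (area \S+|ip ospf) authentication message-digest$"),
    ("NTP authentication not enabled", r"^ntp authenticate$"),
    ("NTP key not defined", r"^ntp authentication-key \d+ md5 "),
    ("NTP key not trusted", r"^ntp trusted-key \d+$"),
    ("hardware clock not updated from NTP", r"^ntp update-calendar$"),
    ("log messages not timestamped", r"^service timestamps log datetime"),
    ("no syslog server", r"^logging (host )?\d+\.\d+\.\d+\.\d+"),
]

def vty_blocks(config):
    """Return the indented sub-commands of each 'line vty' block."""
    bodies = re.findall(r"^line vty[^\n]*\n((?: [^\n]*\n?)*)", config, re.M)
    return [[cmd.strip() for cmd in body.splitlines()] for body in bodies]

def audit(config):
    """List every required setting that is absent from the configuration."""
    findings = [name for name, pat in REQUIRED if not re.search(pat, config, re.M)]
    for block in vty_blocks(config):
        if "transport input ssh" not in block:
            findings.append("vty lines are not restricted to SSH")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```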