# Network security

## Course

### Tutorial session

- Secure the console port
- Secure access to privileged mode (*enable*)
- Secure the switch ports (*port-security*)
- Set up SSH (*on a dedicated VLAN*)
- BPDU Guard (*protect a port against being connected to another switch*)
- ACLs (*standard and extended*)
- Firewall theory

## Exercises

### Exercise 1

### Exercise 2

#### Part 1

**Router**

```
enable
conf t
! The notes configured Gig0/1 twice; the first interface is assumed to be Gig0/0
interface Gig0/0
ip address 192.168.0.1 255.255.255.0
no shutdown
interface Gig0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
! "ip default-gateway" only applies to devices without IP routing (switches, hosts);
! a router uses its routing table, so those two lines are not needed here
no ip domain-lookup
enable secret class
line console 0
password cisco
login
line vty 0 4
password cisco
login
transport input all
service password-encryption
banner motd # You shan't access this very device without permission #
end
write memory
```

**Switch**

```
enable
conf t
vlan 10
name VLAN10
exit
interface FastEthernet0/5
switchport mode access
! The notes put both access ports in VLAN 99, which is never created, so the
! VLAN 10 SVI below would have no member port; VLAN 10 is assumed
switchport access vlan 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
switchport access vlan 10
spanning-tree portfast
interface vlan 10
ip address 192.168.1.2 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.1.1
no ip domain-lookup
enable secret class
line console 0
password cisco
login
line vty 0 4
password cisco
login
transport input all
service password-encryption
banner motd # You shan't access this very device without permission #
end
write memory
```

### Exercise 3

#### List of useful commands

| Command | Description |
|---|---|
| conf t | Enter global configuration mode from the terminal |
| interface *interface* | Enter configuration mode for the given interface |
| ip access-group *ACL_name* **{in\|out}** | Apply the ACL to the interface in the given direction |
| **ip access-list extended** *ACL_name* | Create the ACL and enter its configuration mode |
| **{permit\|deny}** *test conditions* | Define one permit or deny rule of the ACL |
| **show access-lists** *ACL_name* | Display the contents of the ACLs |
| **show ip interface** *interface-type interface-number* | Display the IP information of an interface, including applied ACLs |

```
router> enable
router# configure terminal
router(config)# access-list 10 deny 10.1.1.101 0.0.0.0
router(config)# access-list 10 permit any
router(config)# line vty 0 4
router(config-line)# access-class 10 in
router(config-line)# exit
router(config)# interface GigabitEthernet0/0
router(config-if)# ip access-group 10 in
router(config-if)# end
router# write memory
```

### Exercise 4

#### Task 1

```
ping 172.16.1.100
traceroute 172.16.1.100
```

```
show interfaces Gig0/1
conf t
ip route 0.0.0.0 0.0.0.0 209.165.201.2
end
write memory
```

#### Task 2

```
telnet 172.16.1.100 23
telnet 172.16.1.100 80
```

### Exercise 5

**R1**

```
enable
conf t
interface Gig0/0
ip address 192.168.0.5 255.255.255.252
no shutdown
interface Gig0/1
ip address 192.168.0.2 255.255.255.252
no shutdown
exit
! One OSPF process per router: the process ID is local and need not match the
! neighbour; the notes started one process per link, and separate processes
! do not share routes without redistribution
router ospf 1
network 192.168.0.0 0.0.0.3 area 0
network 192.168.0.4 0.0.0.3 area 0
exit
no ip domain-lookup
end
write memory
```

**R2**

```
enable
conf t
interface Gig0/0
ip address 192.168.0.10 255.255.255.252
no shutdown
interface Gig0/1
ip address 192.168.0.6 255.255.255.252
no shutdown
interface Gig0/2
ip address 192.168.100.254 255.255.255.0
no shutdown
exit
! Single process; the network statements match R2's own links (.8/30 and .4/30,
! the notes listed .0/30 which R2 is not on) and the LAN is now advertised
router ospf 1
network 192.168.0.8 0.0.0.3 area 0
network 192.168.0.4 0.0.0.3 area 0
network 192.168.100.0 0.0.0.255 area 0
exit
no ip domain-lookup
ip routing
end
write memory
```

**R3**

```
enable
conf t
interface Gig0/0
ip address 192.168.0.1 255.255.255.252
no shutdown
interface Gig0/1
ip address 192.168.0.9 255.255.255.252
no shutdown
interface Gig0/2
ip address 192.168.200.254 255.255.255.0
no shutdown
exit
! Single process; the network statements match R3's own links (.0/30 and .8/30,
! the notes listed .4/30 which R3 is not on) and the LAN is now advertised
router ospf 1
network 192.168.0.0 0.0.0.3 area 0
network 192.168.0.8 0.0.0.3 area 0
network 192.168.200.0 0.0.0.255 area 0
exit
no ip domain-lookup
ip routing
end
write memory
```

### Exercise 6
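The hardening steps the course outline lists (console, enable, port-security, SSH on a dedicated VLAN, BPDU Guard) applied to the Exercise 2 switch, as an added example that is not part of the original notes. The hostname, domain name, local account and the unused-port range are assumptions.

```cisco
enable
configure terminal
hostname S1
! SSH needs a hostname and a domain name to generate the RSA key pair (both assumed)
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
! Local account used for SSH logins (assumed credentials)
username admin secret StrongPassw0rd
! Privileged EXEC and console access, with an idle timeout
enable secret class
line console 0
 password cisco
 login
 exec-timeout 5 0
 exit
! Remote access: SSH only, authenticated against the local account
line vty 0 4
 transport input ssh
 login local
 exec-timeout 5 0
 exit
service password-encryption
! Management SVI on the dedicated VLAN 10 from Exercise 2
vlan 10
 name VLAN10
 exit
interface vlan 10
 ip address 192.168.1.2 255.255.255.0
 no shutdown
 exit
ip default-gateway 192.168.1.1
! Host ports: one sticky MAC each, shut down on violation, BPDU guard against a rogue switch
interface range FastEthernet0/5 - 6
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 exit
! Unused ports (assumed range): parked in an unused VLAN and shut down
interface range FastEthernet0/7 - 24
 switchport access vlan 999
 shutdown
 exit
end
write memory
```

Verify with `show ip ssh`, `show port-security interface FastEthernet0/5` and `show spanning-tree interface FastEthernet0/5 detail`; a port-security or BPDU guard violation puts the port in err-disabled state, which `show interfaces status` lists.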