Network and Internet Security
Asst. Prof. Dr. Noor Ghazi
3rd Stage – Semester 6

Lab 5
Securing the Router
Enable, Disable, and Test Some Unnecessary or Unused Router Services

Note: We will test the lab on the topology from Lab 3. We will add two other hosts, as shown in figure (1), and use the VirtualBox simulator for them with the following TCP/IP configuration:

PC1
    IP address: 192.168.1.10
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.1.1

PC2
    IP address: 192.168.3.10
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.3.1

Create two users in R1 and assign them to the VTY lines using the following configuration:

    R1(config)# username user1 password 0 ciscouser1
    R1(config)# username user2 password 0 ciscouser2
    R1(config)# line vty 0 4
    R1(config-line)# login local
    R1(config-line)# exit

Figure (1)

Enable, Disable and Test Finger Service

Enable Finger Service

1. We will enable the “Finger” service in R1 using the following configuration:

    R1# config t
    R1(config)# ip finger
    R1(config)# exit

2. Access R1 from R2:

    R2# telnet 10.1.1.1
    Username: user1
    Password: ciscouser1
    R1>

3. Access R1 from R3:

    R3# telnet 10.1.1.1
    Username: user2
    Password: ciscouser2
    R1>

Test Finger Service

1. We will test the “Finger” service from PC1, which will show us the users logged in to R1, as shown in figure (2).

    In PC1: Start - Run - cmd - finger @192.168.1.1

Figure (2)

Disable Finger Service

1. To disable the “Finger” service in R1, use the following configuration:

    R1# config t
    R1(config)# no ip finger
    R1(config)# exit

2. In PC1, use the “Finger” service to access R1. We will see that the connection is refused because “Finger” is disabled, as shown in figure (3).

Figure (3)

Enable, Disable and Test DNS Lookup Service

When DNS is not in use on the network, it is recommended that you disable IP domain lookup. This is because when the service is enabled, a router cannot distinguish between a mistyped command and a possible host name; it tries to resolve the host through DNS. Often this takes several seconds, as the router tries to translate the name to an IP address before the request times out and the user is returned to the command prompt.

Enable and Test Domain Name Lookup Service

1. We will enable the “Domain Name lookup” service in R1 using the following configuration:

    R1# config t
    R1(config)# ip domain-lookup
    R1(config)# exit

2. If the service is enabled, the router will do a name lookup on mistyped commands. As shown in figure (4), the command “show” is mistakenly written as “shox”, and the router responds by trying to do a name lookup on the network for the host shox.

Figure (4)

Disable and Test Domain Name Lookup Service

Disabling DNS resolution prevents the router from doing name lookups on mistyped commands.

1. We will disable the “Domain Name lookup” service in R1 using the following configuration:

    R1# config t
    R1(config)# no ip domain-lookup
    R1(config)# exit

2. We will enter the same mistyped command, “shox” instead of “show”. This time, a DNS request is not sent out as before. The result is that you are immediately returned to the command prompt, as shown in figure (5).

Figure (5)

Note: To check the enabled and disabled services on the router, we will use the command “show running-config”.
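The check in the note above can be automated once the output of “show running-config” is saved to a file. The following is an added example, not part of the original lab handout: it reports whether the two services from this lab are enabled. The function names, the sample configurations, and the assumed defaults for services that have no line in the configuration are assumptions of this example.

```python
import re

# Assumption of this example: state of a service that has no line in the
# running-config (IOS normally omits defaults). Adjust for your IOS release.
ASSUMED_DEFAULTS = {"finger": False, "domain-lookup": True}

# Group 1 captures a leading "no". Newer IOS writes "ip domain lookup".
PATTERNS = {
    "finger": re.compile(r"^(no\s+)?ip\s+finger(\s+rfc-compliant)?\s*$"),
    "domain-lookup": re.compile(r"^(no\s+)?ip\s+domain[- ]lookup\s*$"),
}

# Constructed sample configurations (not captured from a real router).
SAMPLE_BEFORE = """\
hostname R1
ip finger
!
line vty 0 4
 login local
"""
SAMPLE_AFTER = """\
hostname R1
no ip domain-lookup
!
line vty 0 4
 login local
"""

def audit_services(config_text, defaults=ASSUMED_DEFAULTS):
    """Return {service: (enabled, source)}; source is 'explicit' or 'default'."""
    result = {name: (state, "default") for name, state in defaults.items()}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and IOS comment separators
        for name, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                result[name] = (match.group(1) is None, "explicit")
    return result

def findings(config_text):
    """Names of the lab's services that are still enabled."""
    return sorted(n for n, (on, _) in audit_services(config_text).items() if on)

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_services(cfg), "still enabled:", findings(cfg))
```

A service reported with the source 'default' has no line in the file, so its state depends on the assumed defaults and should be confirmed on the router itself.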