- Dec 12, 2003
Securing Routers by Disabling Unused Router Services and Interfaces
On Cisco routers, many services are enabled by default. As a network security professional, your first order of business should be to ensure that every service you are not using is disabled.
We now give you a rundown of a few services that you need to know about before entering the security arena.
bootp is enabled by default, and if you are not using it, you should definitely disable it. You can use the no ip bootp server command in global configuration mode to disable bootp on your routers:
Central(config)# no ip bootp server
Cisco Discovery Protocol (CDP) is also enabled by default, and we highly recommend that you disable this service on the router globally. You can disable CDP globally by using the no cdp run command in global configuration mode, or you can disable CDP on a per-interface basis by using the no cdp enable command in interface configuration mode:
Central(config)#no cdp run
Central(config-if)#no cdp enable
The no cdp run command disables CDP globally on the routers.
The ip classless command is enabled on Cisco routers by default in IOS version 12.0 and higher. It allows the router to advertise the subnetted addresses to its neighbors. Disable ip classless if your network does not use a subnetted range of IP addresses. If you are subnetting a block of IP addresses allocated to you by the American Registry for Internet Numbers (ARIN), you should ensure that ip classless remains enabled. You can learn more about ARIN at http://www.arin.net. To disable ip classless, use the following command in global configuration mode:
Central(config)#no ip classless
Domain Name System (DNS) lookup is enabled by default on Cisco routers, and if you are not implementing DNS lookup on your network, it is highly advisable to disable this feature globally by using the no ip domain-lookup command:
Central(config)#no ip domain-lookup
The finger service is enabled by default and can be used to see which users are logged on to the network device. Finger is documented in RFC 742, and you should disable it globally on your network devices:
Central(config)#no ip finger
The no service finger command has been replaced by the no ip finger command.
Finger service can be disabled on the router in global configuration mode.
Cisco routers can be accessed via a Web page, and unless you are implementing authentication proxy, we highly recommend that you turn off the HTTP service running on the router. You can use the no ip http server command to disable it.
If you want to implement HTTP-based management, we recommend that you implement HTTP authentication and limit the HTTP connections to the router using ACLs.
By default, the ip mask-reply command is disabled on all Cisco routers. When mask replies are enabled, the router responds to Internet Control Message Protocol (ICMP) mask requests by sending out ICMP mask replies, and these replies disclose important network information. If mask replies have been enabled, make sure you disable them by using the no ip mask-reply command in interface configuration mode:
Central(config-if)#no ip mask-reply
IP directed broadcast is another service that is commonly abused in Smurf attacks. A Smurf attack sends ICMP echo requests from a spoofed source address to a directed broadcast address, causing every host on that subnet to respond to the echo request and creating a flood of traffic on the network. On IOS version 12.0 and higher, ip directed-broadcast is disabled by default; if you are running any version lower than 12.0, it is imperative that you disable IP directed broadcasts on the router by issuing the following command in interface configuration mode:
Central(config-if)#no ip directed-broadcast
IP Source Routing
IP source routing allows the sender of an IP packet to control the route that the packet will take to reach the destination endpoint. By default, IP source routing is disabled on the routers and should be enabled only if your network's needs call for it. The following command disables IP source routing on the router globally:
Central(config)#no ip source-route
IP unreachable messages can be used to map out the network topology, and they should be disabled on all interfaces. You can disable IP unreachables on all interfaces by issuing the following command in interface configuration mode:
Central(config-if)#no ip unreachables
IP unreachables should be disabled on all interfaces connected to insecure networks.
Cisco classifies echo, chargen, daytime, and discard as small services and recommends that they be disabled on the router. On IOS versions 11.3 and higher, the small servers are disabled by default.
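As an added example (not from the book), the following Python script audits a `show running-config` dump against the services described in this section: it expects an explicit `no ...` line for the services the text says are on by default, and flags the services the text says are off by default on IOS 12.0 and later (directed broadcast, mask reply, small servers) only when the configuration explicitly re-enables them. The configuration sample is constructed, and the small-servers command names `service tcp-small-servers` and `service udp-small-servers` are used here even though the text names only the services.

```python
# Enabled by default (per the text): the hardened config must carry the "no ..." line.
GLOBAL_MUST_DISABLE = ["ip bootp server", "ip domain-lookup", "ip finger",
                       "ip http server", "ip source-route"]
INTERFACE_MUST_DISABLE = ["ip unreachables"]
# Disabled by default on IOS 12.0 and later: flag only if explicitly turned on.
GLOBAL_MUST_NOT_ENABLE = ["service tcp-small-servers", "service udp-small-servers"]
INTERFACE_MUST_NOT_ENABLE = ["ip directed-broadcast", "ip mask-reply"]

def parse_config(text):
    """Split a 'show running-config' dump into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented: belongs to the interface
        elif line.strip() and not line.startswith("!"):
            current = None                              # unindented: back to global mode
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit_config(text):
    """Return sorted findings; an empty list means every checked setting is hardened."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing 'no {s}'" for s in GLOBAL_MUST_DISABLE
                if f"no {s}" not in global_lines]
    findings += [f"global: '{s}' explicitly enabled" for s in GLOBAL_MUST_NOT_ENABLE
                 if s in global_lines]
    cdp_off_globally = "no cdp run" in global_lines
    for name, lines in interfaces.items():
        # CDP is acceptable if it is disabled globally or on this interface.
        if not cdp_off_globally and "no cdp enable" not in lines:
            findings.append(f"{name}: CDP enabled (neither 'no cdp run' nor 'no cdp enable')")
        findings += [f"{name}: missing 'no {s}'" for s in INTERFACE_MUST_DISABLE
                     if f"no {s}" not in lines]
        findings += [f"{name}: '{s}' explicitly enabled" for s in INTERFACE_MUST_NOT_ENABLE
                     if s in lines]
    return sorted(findings)

# Constructed sample dump (not from a real device) with deliberate gaps to flag.
SAMPLE_CONFIG = """no ip bootp server
no ip domain-lookup
no ip finger
ip http server
no ip source-route
interface FastEthernet0/0
 no ip unreachables
interface Serial0/0
 ip directed-broadcast
"""
```

Running `audit_config(SAMPLE_CONFIG)` reports the HTTP server left on, CDP on both interfaces, and the missing unreachables suppression plus the re-enabled directed broadcast on Serial0/0. Because IOS omits settings that match the defaults from the running configuration and newer releases spell some commands differently, keep the expected-line lists matched to the IOS version you are auditing.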