Home > Articles > Certification > Cisco Certification > CCNP Security / CCSP

  • Print
  • + Share This
  • 💬 Discuss

Securing Routers by Disabling Unused Router Services and Interfaces

On Cisco routers, a whole bunch of services come enabled by default. As a network security expert, your first order of operation would be to ensure that the unused services are disabled.

We now give you a rundown of a few services that you need know before entering into the security arena.

bootp

bootp is enabled by default, and if you are not using it, you should definitely disable it. You can use the no ip bootp server command in global configuration mode to disable bootp on your routers:

Central(config)# no ip bootp server

CDP

Cisco Discovery Protocol (CDP) is also enabled by default, and we highly recommend that you disable this service on the router globally. You can disable CDP globally by using the no cdp run command in global configuration mode, or you can disable CDP on a per-interface basis by using the no cdp enable command in interface configuration mode:

Central(config)#no cdp run
Central(config-if)#no cdp enable

CAUTION

The no cdp run command disables CDP globally on the routers.

ip classless

The ip classless command is enabled on the Cisco routers by default in version 12.0 and higher. Disable ip classless if your network does not have a subnetted range of IP addresses. If you are subnetting a block of IP address allocated to you by the American Registry for Internet Numbers (ARIN), you should ensure that ip classless is enabled. You can learn more about ARIN by going to http://www.arin.net. It allows the router to advertise the subnetted addresses to its neighbors:

Central(config)#no ip classless

DNS

Domain Name System (DNS) lookup is enabled by default on Cisco routers, and if you are not implementing DNS lookup on your network, it is highly advisable to disable this feature globally by using the no ip domain-lookup command:

Central(config)#no ip domain-lookup

finger

The finger command is enabled by default and can be used to see what users are logged on to the network device. The finger command has been documented in RFC 742, and you should globally disable the finger command on network devices:

Central(config)#no ip finger

CAUTION

The no service finger command has been replaced by the no ip finger command.

CAUTION

Finger service can be disabled on the router in global configuration mode.

HTTP

Cisco routers can be accessed via a Web page, and unless you are implementing authentication proxy, we highly recommend that you turn off the HTTP service running on the router. You can use the no ip http server command to disable it.

If you want to implement HTTP-based management, we recommend that you implement HTTP authentication and limit the HTTP connections to the router using ACLs.

ip mask-reply

By default, the ip mask-reply command is disabled on all Cisco routers. The mask replies respond to Internet Control Message Protocol (ICMP) mask requests by sending out ICMP mask replies, and these mask replies contain important network information. If mask replies are enabled, make sure you disable them on the router by using the no ip mask-reply command in interface configuration mode:

Central(config-if)#no ip mask-reply

IP-Directed Broadcast

The IP-directed broadcast is another service that is commonly used in Smurf attacks. Smurf attacks send ICMP echo requests from a spoofed source address to a directed broadcast that cause all hosts to respond to the ping echo request, creating a lot of traffic on the network. By default on IOS version 12.0 and higher, ip directed broadcast is disabled, and if you are running any version lower than 12.0, it is imperative that you disable IP directed broadcasts on the router by issuing the following command in interface configuration mode:

Central(config-if)#no ip directed-broadcast

CAUTION

Smurf attacks send ICMP echo requests from a spoofed source address to a directed broadcast that cause all hosts to respond to the ping echo request, creating a lot of traffic on the network.

IP Source Routing

IP source routing allows the sender of an IP packet to control the route that packet will take to reach the destination endpoint. By default, IP source routing is disabled on the routers and should only be enabled if your network needs call for it. The following command disables IP source routing on the router globally:

Central(config)#no ip source-route

CAUTION

IP source routing allows the sender of an IP packet to control the route that packet will take to reach the destination endpoint.

IP Unreachable

IP unreachable messages can be used to map out the network topology, and they should be disabled on all interfaces. You can disable IP unreachables on all interfaces by issuing the following command in interface configuration mode:

Central(config-if)#no ip unreachables

CAUTION

IP unreachables should be disabled on all interfaces connected to insecure networks.

Small Servers

Cisco classifies echo, chargen, daytime, and discard as small services and recommends that these services be disabled on the router. By default, on versions 11.3 or higher, the small server service is disabled by default.

  • + Share This
  • 🔖 Save To Your Account

Discussions

comments powered by Disqus

Related Resources

There are currently no related titles. Please check back later.