Cisco routers support a large number of network services at layers
2, 3, 4, and 7. Some of these services are application layer protocols that
allow users and host processes to connect to the router. Others are automatic
processes and settings intended to support legacy or specialized
configurations, and these can be detrimental to security. Many of these services
can be restricted or disabled to improve security without degrading the operational
use of the router. The general security practice for routers is to support
only the traffic and protocols a network needs; most of the services listed in this
section are not needed.
Turning off a network service on the router
itself does not prevent the router from supporting a network where that protocol is
employed. For example, a router may support a network where the BOOTP protocol
is in use while some other host acts as the BOOTP server. BOOTP is a protocol carried
over the User Datagram Protocol (UDP) that Cisco routers can use to retrieve copies of
IOS from another Cisco router running the BOOTP service. In the example above, the BOOTP
server on the router itself is not needed and should be disabled.
In many cases, Cisco IOS
supports turning a service off entirely, or restricting access to particular
network segments or sets of hosts. If a particular portion of a network needs a
service but the rest does not, then the restriction features should be employed
to limit the scope of the service.
Turning off an automatic network
feature usually prevents a certain kind of network traffic from being processed
by the router or prevents it from traversing the router. For example, IP source
routing is a little-used feature of IP that can be utilized in network attacks.
Unless it is required for the network to operate, IP source routing should be
disabled.
Figure
lists some of
the services offered on Cisco IOS. This list has been kept short by including
only those services and features that are security-relevant and may need to be
disabled. Services that are not running cannot be attacked.
Start by
running the show proc command on the router to see which processes are active. Next, turn off
clearly unneeded facilities and services. Some services that should almost
always be turned off, and the corresponding commands to disable them, are as
follows:
- Small services such as echo, discard, and chargen – no service tcp-small-servers and no service udp-small-servers (one command per transport; both are needed to disable both sets)
- BOOTP – no ip bootp server
- Finger – no service finger
- Hypertext Transfer Protocol (HTTP) – no ip http server
- Simple Network Management Protocol (SNMP) – no snmp-server
It is also important to shut down services that allow certain packets
to pass through the router, send special packets, or are used for remote router
configuration. The corresponding commands to disable them are as follows:
- Cisco Discovery Protocol (CDP) – no cdp run
- Remote configuration loading – no service config
- Source routing – no ip source-route
- Classless routing – no ip classless
The interfaces on the router can be made more secure by using certain
commands in the Configure Interface mode. These commands should be applied to
every interface (shutdown only to interfaces that are not in use):
- Unused interfaces – shutdown
- Directed broadcasts (the amplifier used in smurf attacks) – no ip directed-broadcast
- Ad-hoc routing via proxy ARP – no ip proxy-arp
Configuration Example
The configuration listing in Figure
shows the
configuration commands for disabling typically unneeded services.
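The figure referenced above is not reproduced here. As an added example, not part of the course material, the following Python script embeds a constructed configuration listing with the section's commands applied (HARDENED_CONFIG) and audits the text of `show running-config` against the three lists above. All device output is constructed; the IOS defaults recorded in the `default_on` field are assumptions (they vary by release), and because running-config omits settings that are at their default, items with no visible line are reported as "verify on device" rather than guessed.

```python
"""Audit `show running-config` text against the hardening commands in this section.

Added example, not course material. Defaults flagged below are assumptions.
"""
import re
from typing import NamedTuple


class Check(NamedTuple):
    name: str         # what the service or feature is
    disable_cmd: str  # the command from the section that turns it off
    enabled_re: str   # a config line that shows it is explicitly on
    default_on: bool  # ASSUMED IOS default when no line is shown


GLOBAL_CHECKS = [
    Check("TCP small servers (echo, discard, chargen)", "no service tcp-small-servers", r"service tcp-small-servers", False),
    Check("UDP small servers (echo, discard, chargen)", "no service udp-small-servers", r"service udp-small-servers", False),
    Check("BOOTP server", "no ip bootp server", r"ip bootp server", True),
    Check("Finger", "no service finger", r"(service|ip) finger", False),
    Check("HTTP server", "no ip http server", r"ip http server", False),
    Check("SNMP", "no snmp-server", r"snmp-server ", False),
    Check("CDP", "no cdp run", r"cdp run", True),
    Check("Remote configuration loading", "no service config", r"service config", False),
    Check("IP source routing", "no ip source-route", r"ip source-route", True),
    Check("Classless routing", "no ip classless", r"ip classless", True),
]
INTERFACE_CHECKS = [
    Check("directed broadcast (smurf amplification)", "no ip directed-broadcast", r"ip directed-broadcast", False),
    Check("proxy ARP", "no ip proxy-arp", r"ip proxy-arp", True),
]


def parse_config(text):
    """Split running-config text into global lines and per-interface stanzas.

    IOS indents an interface's lines with one space; a column-0 line ends the stanza.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def status(check, lines):
    """'disabled' if the section's command is present, 'enabled' if the feature
    is explicitly on, otherwise fall back to the assumed default."""
    if check.disable_cmd in lines:
        return "disabled"
    if any(re.match(check.enabled_re, line) for line in lines):
        return "enabled"
    return "enabled (assumed IOS default)" if check.default_on else "not shown (verify on device)"


def audit(text):
    """Return (scope, name, status, remediation) for everything not positively disabled."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", c.name, s, c.disable_cmd) for c in GLOBAL_CHECKS
                if (s := status(c, global_lines)) != "disabled"]
    for ifname, lines in interfaces.items():
        if "shutdown" in lines:  # unused interface is already shut down; nothing else to check
            continue
        findings += [(ifname, c.name, s, c.disable_cmd) for c in INTERFACE_CHECKS
                     if (s := status(c, lines)) != "disabled"]
    return findings


# Constructed sample of a partially hardened router (not a real device).
SAMPLE_CONFIG = """\
version 12.2
service tcp-small-servers
snmp-server community public RO
no service udp-small-servers
no ip bootp server
no service finger
no ip http server
no cdp run
no ip source-route
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
interface FastEthernet0/1
 shutdown
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 ip directed-broadcast
end
"""

# Constructed listing with every command from the section applied.
HARDENED_CONFIG = """\
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no ip http server
no snmp-server
no cdp run
no service config
no ip source-route
no ip classless
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
!
interface FastEthernet0/1
 shutdown
end
"""

if __name__ == "__main__":
    for scope, name, state, fix in audit(SAMPLE_CONFIG):
        print(f"{scope:18} {name:45} {state:32} -> {fix}")
    print("hardened listing findings:", audit(HARDENED_CONFIG))
```

Run against SAMPLE_CONFIG the script reports seven items (enabled TCP small servers and SNMP, classless routing and proxy ARP on Serial0/0 at their assumed defaults, an explicit ip directed-broadcast on Serial0/0, and two "verify on device" entries); against HARDENED_CONFIG it reports nothing. Note that "no snmp-server" is the command as typed at the configuration prompt; a real running-config simply shows no snmp-server lines once it has been applied.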
NOTE: The Command Reference provides a comprehensive list of commands used
throughout the course.