Debian Admin

Debian/Ubuntu Linux System Administration Tutorials,Howtos,Tips

Securing Cisco Routers by Disabling Unused Services

Posted by Admin on November 12th, 2007

On Cisco routers, a whole bunch of services come enabled by default. Your first order of business should be to ensure that all unused services are disabled.

Now we will see how to disable some of these services on a Cisco router for security purposes.

Disable bootp Server

bootp is enabled by default, and if you are not using it, you should definitely disable it. You can use the no ip bootp server command in global configuration mode to disable bootp on your routers.

Test(config)# no ip bootp server

Disable CDP

Cisco Discovery Protocol (CDP) is also enabled by default, and we highly recommend that you disable this service on the router globally. You can disable CDP globally by using the no cdp run command in global configuration mode, or you can disable CDP on a per-interface basis by using the no cdp enable command in interface configuration mode.

Test(config)#no cdp run

Test(config-if)#no cdp enable

Note

The no cdp run command disables CDP globally on the routers.

Disable ip classless

The ip classless command is enabled on Cisco routers by default in version 12.0 and higher. Disable ip classless if your network does not have a subnetted range of IP addresses. If you are subnetting a block of IP addresses allocated to you by the American Registry for Internet Numbers (ARIN), you should ensure that ip classless is enabled; it allows the router to advertise the subnetted addresses to its neighbors.

Test(config)#no ip classless

Disable DNS lookup

Domain Name System (DNS) lookup is enabled by default on Cisco routers, and if you are not implementing DNS lookup on your network, it is highly advisable to disable this feature globally by using the no ip domain-lookup command.

Test(config)#no ip domain-lookup

Disable finger service

The finger command is enabled by default and can be used to see which users are logged on to the network device. The finger command is documented in RFC 742, and you should globally disable it on network devices.

Test(config)#no ip finger

Note

The no service finger command has been replaced by the no ip finger command. The finger service is disabled on the router in global configuration mode.

Disable HTTP

Cisco routers can be accessed via a Web page, and unless you are implementing authentication proxy, we highly recommend that you turn off the HTTP service running on the router. You can use the no ip http server command to disable it.

Test(config)#no ip http server

If you want to implement HTTP-based management, we recommend that you implement HTTP authentication and limit the HTTP connections to the router using ACLs.

Disable ip mask-reply

By default, the ip mask-reply command is disabled on all Cisco routers. Mask replies respond to Internet Control Message Protocol (ICMP) mask requests by sending out ICMP mask replies, and these replies contain important network information. If mask replies are enabled, make sure you disable them on the router by using the no ip mask-reply command in interface configuration mode.

Test(config-if)#no ip mask-reply

Disable IP-Directed Broadcast

IP-directed broadcast is another service that is commonly used in Smurf attacks. Smurf attacks send ICMP echo requests from a spoofed source address to a directed broadcast address, causing all hosts to respond to the echo request and creating a lot of traffic on the network. By default on IOS version 12.0 and higher, ip directed-broadcast is disabled; if you are running any version lower than 12.0, it is imperative that you disable IP directed broadcasts on the router by issuing the following command in interface configuration mode:

Test(config-if)#no ip directed-broadcast

Disable IP Source Routing

IP source routing allows the sender of an IP packet to control the route that packet will take to reach the destination endpoint. By default, IP source routing is disabled on the routers and should only be enabled if your network's needs call for it. The following command disables IP source routing on the router globally:

Test(config)#no ip source-route

Disable IP Unreachable

IP unreachable messages can be used to map out the network topology, and they should be disabled on all interfaces. You can disable IP unreachables on all interfaces by issuing the following command in interface configuration mode:

Test(config-if)#no ip unreachables

Note

IP unreachables should be disabled on all interfaces connected to insecure networks.

Disable Small Servers

Cisco classifies echo, chargen, daytime, and discard as small services and recommends that these services be disabled on the router. On IOS versions 11.3 and higher, the small servers are disabled by default.
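The whole checklist above can be verified offline against a saved running-config rather than by eyeballing each section. The following audit script is an added example written for this page, not code from the original post or from Cisco. It assumes the input is the plain text of show running-config (interface sub-commands indented one space, sections ended by "!" or the next unindented line), takes the on/off defaults as the post states them, and accepts the restricted-HTTP alternative the post allows (an ACL plus authentication) instead of turning HTTP off. The ip http access-class and ip http authentication lines, the alternate "no ip domain lookup" spelling and the service tcp-small-servers / service udp-small-servers lines are IOS commands not shown on the page; the two sample configs are constructed, not captured from a real device, and ip classless is deliberately not checked because its correct value depends on whether the site subnets its address block.

```python
"""Offline audit of a saved Cisco IOS running-config against this post's checklist.
Hypothetical helper written for this page, not a Cisco tool. Assumes the input is
the text of 'show running-config' (interface sub-commands indented one space,
sections ended by '!' or the next unindented line) and that service defaults are
as the post describes. ip classless is not checked: its correct value depends on
whether the site subnets its address block."""
import re
from typing import Dict, List, Optional, Tuple

# Services the post says are ON by default: the explicit 'no' form must be present
# (alternate spellings cover older and newer IOS syntax).
GLOBAL_REQUIRED = [
    ("bootp server not disabled", ("no ip bootp server",)),
    ("DNS lookup not disabled", ("no ip domain-lookup", "no ip domain lookup")),
    ("finger not disabled", ("no ip finger", "no service finger")),
    ("IP source routing not explicitly disabled", ("no ip source-route",)),
]
# Global lines whose presence turns a default-off service back on.
GLOBAL_FORBIDDEN = [
    ("TCP small servers enabled", "service tcp-small-servers"),
    ("UDP small servers enabled", "service udp-small-servers"),
]
# Interface mode: a line required on every interface, and lines that are findings.
INTF_REQUIRED = [("IP unreachables not disabled", "no ip unreachables")]
INTF_FORBIDDEN = [
    ("ICMP mask replies enabled", "ip mask-reply"),
    ("IP directed broadcast enabled", "ip directed-broadcast"),
]

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-command lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' and blank lines terminate a section
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other unindented line is global config
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(text: str) -> List[str]:
    """Return the findings for a config; an empty list means the checklist is met."""
    global_lines, interfaces = parse_config(text)
    gset = set(global_lines)
    findings = [f"global: {msg}" for msg, ok in GLOBAL_REQUIRED if not any(a in gset for a in ok)]
    findings += [f"global: {msg}" for msg, bad in GLOBAL_FORBIDDEN if bad in gset]
    # HTTP: off, or kept but restricted by an ACL plus authentication (the post's fallback).
    restricted = any(l.startswith("ip http access-class") for l in global_lines) and any(
        l.startswith("ip http authentication") for l in global_lines)
    if "no ip http server" not in gset and not restricted:
        findings.append("global: HTTP server neither disabled nor restricted by ACL and authentication")
    for name, lines in interfaces.items():
        lset = set(lines)
        # CDP: either 'no cdp run' globally, or 'no cdp enable' on every interface.
        if "no cdp run" not in gset and "no cdp enable" not in lset:
            findings.append(f"{name}: CDP not disabled")
        findings += [f"{name}: {msg}" for msg, req in INTF_REQUIRED if req not in lset]
        findings += [f"{name}: {msg}" for msg, bad in INTF_FORBIDDEN if bad in lset]
    return findings

# Constructed sample configs (not captured from a real device).
SAMPLE_UNHARDENED = """\
hostname Test
ip http server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip mask-reply
!
interface Serial0/0
 no ip unreachables
!
end
"""
SAMPLE_HARDENED = """\
hostname Test
no ip bootp server
no cdp run
no ip domain-lookup
no ip finger
no ip http server
no ip source-route
!
interface FastEthernet0/0
 no ip unreachables
!
end
"""
```

Run it as audit(open("running-config.txt").read()) on a config copied off the router; the unhardened sample above yields nine findings (four missing global "no" lines, the open HTTP server, CDP on both interfaces, and unreachables plus mask replies on FastEthernet0/0), while the hardened sample yields none. Because the checks are driven by the lists at the top, adding a service to the checklist is a one-line change.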
