Securing Cisco Routers by Disabling Unused Services

On Cisco routers, a whole bunch of services come enabled by default.your first order of operation would be to ensure that the all unused services are disabled.

Now we will see how to disable some services on cisco router for security purpose.

Disable bootp Server

bootp is enabled by default, and if you are not using it, you should definitely disable it. You can use the no ip bootp server command in global configuration mode to disable bootp on your routers

Test(config)# no ip bootp server

Disable CDP

Cisco Discovery Protocol (CDP) is also enabled by default, and we highly recommend that you disable this service on the router globally. You can disable CDP globally by using the no cdp run command in global configuration mode, or you can disable CDP on a per-interface basis by using the no cdp enable command in interface configuration mode

Test(config)#no cdp run

Test(config-if)#no cdp enable

Note

The no cdp run command disables CDP globally on the routers.

Disable ip classless

The ip classless command is enabled on the Cisco routers by default in version 12.0 and higher. Disable ip classless if your network does not have a subnetted range of IP addresses. If you are subnetting a block of IP address allocated to you by the American Registry for Internet Numbers (ARIN), you should ensure that ip classless is enabled. It allows the router to advertise the subnetted addresses to its neighbors

Test(config)#no ip classless

Disable DNS lookup

Domain Name System (DNS) lookup is enabled by default on Cisco routers, and if you are not implementing DNS lookup on your network, it is highly advisable to disable this feature globally by using the no ip domain-lookup command

Test(config)#no ip domain-lookup

Disable finger service

The finger command is enabled by default and can be used to see what users are logged on to the network device. The finger command has been documented in RFC 742, and you should globally disable the finger command on network devices

Test(config)#no ip finger

Note

The no service finger command has been replaced by the no ip finger command.Finger service can be disabled on the router in global configuration mode.

Disable HTTP

Cisco routers can be accessed via a Web page, and unless you are implementing authentication proxy, we highly recommend that you turn off the HTTP service running on the router. You can use the no ip http server command to disable it.

Test(config)#no ip http server

If you want to implement HTTP-based management, we recommend that you implement HTTP authentication and limit the HTTP connections to the router using ACLs.

Disable ip mask-reply

By default, the ip mask-reply command is disabled on all Cisco routers. The mask replies respond to Internet Control Message Protocol (ICMP) mask requests by sending out ICMP mask replies, and these mask replies contain important network information. If mask replies are enabled, make sure you disable them on the router by using the no ip mask-reply command in interface configuration mode

Test(config-if)#no ip mask-reply

Disable IP-Directed Broadcast

The IP-directed broadcast is another service that is commonly used in Smurf attacks. Smurf attacks send ICMP echo requests from a spoofed source address to a directed broadcast that cause all hosts to respond to the ping echo request, creating a lot of traffic on the network. By default on IOS version 12.0 and higher, ip directed broadcast is disabled, and if you are running any version lower than 12.0, it is imperative that you disable IP directed broadcasts on the router by issuing the following command in interface configuration mode:

Test(config-if)#no ip directed-broadcast

Note

Smurf attacks send ICMP echo requests from a spoofed source address to a directed broadcast that cause all hosts to respond to the ping echo request, creating a lot of traffic on the network.

Disable IP Source Routing

IP source routing allows the sender of an IP packet to control the route that packet will take to reach the destination endpoint. By default, IP source routing is disabled on the routers and should only be enabled if your network needs call for it. The following command disables IP source routing on the router globally:

Test(config)#no ip source-route

Note

IP source routing allows the sender of an IP packet to control the route that packet will take to reach the destination endpoint.

Disable IP Unreachable

IP unreachable messages can be used to map out the network topology, and they should be disabled on all interfaces. You can disable IP unreachables on all interfaces by issuing the following command in interface configuration mode:

Test(config-if)#no ip unreachables

Note

IP unreachables should be disabled on all interfaces connected to insecure networks.

Disable Small Servers

Cisco classifies echo, chargen, daytime, and discard as small services and recommends that these services be disabled on the router. By default, on versions 11.3 or higher, the small server service is disabled by default.

Sponsored Link

One thought on “Securing Cisco Routers by Disabling Unused Services

  1. Just a quick correction here. It is NOT standard to turn off CDP globally, it is rather helpful and a preferred method is to enable/disable on a per port basis.

    One more thing, NO ONE turns of ip classless. There is no risk in security and this introduces other weird issues when setting up a network. Because debianadmin.com is a result that pulls up often I would like to see this corrected so we don’t have younger network engineers making these mistakes in production environments.

Leave a comment

Your email address will not be published. Required fields are marked *