Security Appliance offers, a router with an integrated firewall feature set can solve most small-to-medium business perimeter security requirements. Figure represents a network with a firewall router and DMZ. Cisco IOS routers run many services that create potential vulnerabilities. To secure an enterprise network, you must disable all unneeded router services and interfaces. Vulnerable Router Services
Cisco routers support network services that may not be required in certain enterprise networks. Figure provides general guidelines to follow to secure vulnerable router services and interfaces. The following services represent groups of features that are vulnerable to malicious exploitation. Attackers will most likely use these router services in network attacks. The following describes each of these groups:

• Unnecessary services and interfaces:
  • Router interfaces: Limit unauthorized access to the router and the network by disabling unused open router interfaces.
  • BOOTP server: This is an enabled default service. This service allows a router to act as a BOOTP server for other routers. Disable this service as the service is rarely required.
  • Cisco Discovery Protocol (CDP): This service is enabled by default. CDP obtains protocol addresses of neighboring Cisco devices and discover the platforms of those devices. CDP also provides information about the interfaces your router uses. CDP is media- and protocol-independent and runs on most Cisco-manufactured equipment, including routers, bridges, access servers, switches, and IP phones. If not required, disable this service globally or on a per-interface basis.
  • Configuration auto-loading: This service is disabled by default. Auto-loading of configuration files from a network server should remain disabled when not in use by the router.
  • FTP server: This service is disabled by default. The FTP server enables you to use your router as an FTP server for FTP client requests. Because this server allows access to certain files in the router Flash memory, this service should be disabled when not required.
  • TFTP server: This service is disabled by default. The TFTP server enables you to use your router as a TFTP server for TFTP clients. This service should be disabled when not in use because the server allows access to certain files in the router Flash memory.
  • Network Time Protocol (NTP) service: This service is disabled by default. When enabled, the router acts as a time server for other network devices. If configured insecurely, NTP can be used to corrupt the router clock and potentially the clock of other devices that learn time from the router. Correct time is essential for setting proper time stamps for IPsec encryption services, log data, and diagnostic and security alerts. If this service is used, restrict which devices have access to NTP. Disable this service when not required.
  • Packet assembler and disassembler (PAD) service: This service is enabled by default. The PAD service allows access to X.25 PAD commands when forwarding X.25 packets. This service should be disabled when not in use.
  • TCP and User Datagram Protocol (UDP) minor services: These services are enabled in Cisco IOS software releases prior to Cisco IOS Release 11.3 and disabled in Cisco IOS Release 11.3 and later. The minor services are provided by small servers (daemons) that run in the router. The services are potentially useful for diagnostics, but are rarely used. Disable these services.
  • Maintenance Operation Protocol (MOP) service: This service is enabled on most Ethernet interfaces. MOP is a Digital Equipment Corporation (DEC) maintenance protocol that should be explicitly disabled when not in use.
• Commonly configured management services:
  • Simple Network Management Protocol (SNMP): This service is enabled by default. The SNMP service allows the router to respond to remote SNMP queries and configuration requests. If required, restrict which SNMP systems have access to the router SNMP agent and use SNMPv3 whenever possible because version 3 offers secure communication that is not available in earlier versions of SNMP. Disable this service when not required.
  • HTTP configuration and monitoring: The default setting for this service is Cisco device dependent. This service allows the router to be monitored or have the router configuration modified from a web browser via an application such as the Cisco Security Device Manager (SDM). You should disable this service if the service is not required. If this service is required, restrict access to the router HTTP service by using access control lists (ACLs).
  • Domain Name System (DNS): This client service is enabled by default. By default, Cisco routers broadcast name requests to 255.255.255.255. Restrict this service by disabling DNS when the service is not required. If the DNS lookup service is required, make sure that you set the DNS server address explicitly.
• Path integrity mechanisms:
  • ICMP redirects: This service is enabled by default. ICMP redirects cause the router to send ICMP redirect messages whenever the router is forced to resend a packet through the same interface on which the packet was received. This information can be used by attackers to redirect packets to an untrusted device. This service should be disabled when not required.
  • IP source routing: This service is enabled by default. The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that a datagram will take toward the datagram’s ultimate destination, and generally the route that any reply will take. These options can be exploited by an attacker to bypass the intended routing path and security of the network. Also, some older IP implementations do not process source-routed packets properly, and hackers may be able to crash machines that run these implementations by sending datagrams with source routing options. Disable this service when IP source routing is not required.
• Features related to probes and scans:
  • Finger service: This service is enabled by default. The finger protocol (port 79) allows users throughout the network to obtain a list of the users who are currently using a particular device. The information on the list includes the processes that are running on the system and the user’s line number, connection name, idle time, and terminal location. This information is provided through the Cisco IOS software show users EXEC command. Unauthorized persons can use this information for reconnaissance attacks. Disable this service when it is not required.
  • ICMP unreachable notifications: This service is enabled by default. This service sends unreachable notifications to senders of invalid destination IP networks or specific IP addresses. This information can be used to map networks and should be explicitly disabled on interfaces to untrusted networks.
  • ICMP mask reply: This service is disabled by default. When enabled, this service tells the router to respond to ICMP mask requests by sending ICMP mask reply messages that contain the interface IP address mask. This information can be used to map the network, and this service should be explicitly disabled on interfaces to untrusted networks.
• Terminal access security:
  • IP identification service: This service is enabled by default. The identification protocol (specified in RFC 1413) reports the identity of a TCP connection initiator to the receiving host. This data can be used by an attacker to gather information about your network, and this service should be disabled.
  • TCP keepalives: This service is disabled by default. TCP keepalives help “clean up” TCP connections where a remote host has rebooted or otherwise stopped processing TCP traffic. Keepalives should be enabled