Security Appliance offers, a router with an
integrated firewall feature set can solve most small-to-medium
business perimeter security requirements. Figure represents a
network with a firewall router and DMZ. Cisco IOS routers run
many services that create potential vulnerabilities. To secure
an enterprise network, you must disable all unneeded router
services and interfaces.

Vulnerable Router Services
Cisco routers support network services that may not be required
in certain enterprise networks. Figure provides general
guidelines to follow to secure vulnerable router services and
interfaces. The following services represent groups of features
that are vulnerable to malicious exploitation, and attackers are
likely to use these router services in network attacks. The
following describes each of these groups:
- Unnecessary services and interfaces:
  - Router interfaces: Limit unauthorized access to the router and
    the network by shutting down unused router interfaces.
  - BOOTP server: This service is enabled by default. It allows
    the router to act as a BOOTP server for other routers. Disable
    this service, because it is rarely required.
  - Cisco Discovery Protocol (CDP): This service is enabled by
    default. CDP obtains the protocol addresses of neighboring
    Cisco devices and discovers the platforms of those devices. CDP
    also provides information about the interfaces your router
    uses. CDP is media- and protocol-independent and runs on most
    Cisco-manufactured equipment, including routers, bridges,
    access servers, switches, and IP phones. If not required,
    disable this service globally or on a per-interface basis.
  - Configuration auto-loading: This service is disabled by
    default. Auto-loading of configuration files from a network
    server should remain disabled when the router does not use it.
  - FTP server: This service is disabled by default. The FTP
    server enables the router to serve FTP client requests. Because
    this server allows access to certain files in the router flash
    memory, disable it when not required.
  - TFTP server: This service is disabled by default. The TFTP
    server enables the router to serve TFTP clients. Disable it
    when not in use, because it allows access to certain files in
    the router flash memory.
  - Network Time Protocol (NTP) service: This service is disabled
    by default. When enabled, the router acts as a time server for
    other network devices. If configured insecurely, NTP can be
    used to corrupt the router clock and potentially the clocks of
    other devices that learn time from the router. Correct time is
    essential for proper time stamps on IPsec encryption services,
    log data, and diagnostic and security alerts. If this service
    is used, restrict which devices have access to NTP. Disable it
    when not required.
  - Packet assembler and disassembler (PAD) service: This service
    is enabled by default. It allows access to X.25 PAD commands
    when forwarding X.25 packets. Disable it when not in use.
  - TCP and User Datagram Protocol (UDP) minor services: These
    services are enabled in Cisco IOS software releases prior to
    Cisco IOS Release 11.3 and disabled in Cisco IOS Release 11.3
    and later. The minor services (echo, discard, chargen, and
    daytime) are provided by small servers (daemons) that run in
    the router. They are potentially useful for diagnostics but
    rarely used. Disable these services.
  - Maintenance Operation Protocol (MOP) service: This service is
    enabled on most Ethernet interfaces. MOP is a Digital Equipment
    Corporation (DEC) maintenance protocol that should be
    explicitly disabled when not in use.
- Commonly configured management services:
  - Simple Network Management Protocol (SNMP): This service is
    enabled by default. The SNMP service allows the router to
    respond to remote SNMP queries and configuration requests. If
    required, restrict which SNMP management systems have access
    to the router SNMP agent and use SNMPv3 whenever possible,
    because version 3 offers authentication and encryption that
    are not available in earlier versions of SNMP. Disable this
    service when not required.
  - HTTP configuration and monitoring: The default setting for
    this service depends on the Cisco device. This service allows
    the router to be monitored, or its configuration modified,
    from a web browser via an application such as the Cisco
    Security Device Manager (SDM). Disable this service if it is
    not required. If it is required, restrict access to the router
    HTTP service with access control lists (ACLs).
  - Domain Name System (DNS): This client service is enabled by
    default. By default, Cisco routers broadcast name requests to
    255.255.255.255. Disable DNS lookup when it is not required.
    If it is required, set the DNS server address explicitly.
- Path integrity mechanisms:
  - ICMP redirects: This service is enabled by default. ICMP
    redirects cause the router to send an ICMP redirect message
    whenever it is forced to resend a packet through the same
    interface on which the packet was received. An attacker can
    use this information to redirect packets to an untrusted
    device. Disable this service when not required.
  - IP source routing: This service is enabled by default. The IP
    protocol supports source routing options that allow the sender
    of an IP datagram to control the route that the datagram takes
    toward its ultimate destination, and generally the route that
    any reply takes. An attacker can exploit these options to
    bypass the intended routing path and the security controls of
    the network. Also, some older IP implementations do not process
    source-routed packets properly, and attackers may be able to
    crash machines that run these implementations by sending
    datagrams with source routing options. Disable this service
    when IP source routing is not required.
- Features related to probes and scans:
  - Finger service: This service is enabled by default. The finger
    protocol (port 79) allows users throughout the network to
    obtain a list of the users currently logged in to a particular
    device. The list includes the processes running on the system
    and each user's line number, connection name, idle time, and
    terminal location, the same information that the Cisco IOS
    show users EXEC command displays. Unauthorized persons can use
    this information for reconnaissance. Disable this service when
    it is not required.
  - ICMP unreachable notifications: This service is enabled by
    default. It sends ICMP unreachable messages to the senders of
    packets addressed to invalid destination IP networks or
    specific IP addresses. This information can be used to map
    networks, so the service should be explicitly disabled on
    interfaces to untrusted networks.
  - ICMP mask reply: This service is disabled by default. When
    enabled, the router responds to ICMP mask requests with ICMP
    mask reply messages that contain the interface IP address
    mask. This information can be used to map the network, so the
    service should be explicitly disabled on interfaces to
    untrusted networks.
- Terminal access security:
  - IP identification service: This service is enabled by default.
    The identification protocol (specified in RFC 1413) reports the
    identity of a TCP connection initiator to the receiving host.
    An attacker can use this data to gather information about your
    network, so this service should be disabled.
  - TCP keepalives: This service is disabled by default. TCP
    keepalives help "clean up" TCP connections where a remote host
    has rebooted or otherwise stopped processing TCP traffic.
    Keepalives should be enabled
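The service list above (unnecessary services, management services, path integrity mechanisms, probe and scan features, and the identification service) can be turned into an automated check of a router's running-config. The following Python script is an added example, not code from the original page or from Cisco. It parses a constructed, partially hardened configuration and reports each service that is still exposed. The command spellings it looks for are the common IOS forms (some releases use variants such as "no service finger" instead of "no ip finger"), and the one subtlety it encodes is that "show running-config" omits default settings: a default-enabled service such as CDP or BOOTP is only off when its explicit "no" line is present, whereas a default-disabled service such as TFTP or HTTP is only on when its enabling line is present.

```python
"""Audit a Cisco IOS running-config against the service list above.  Added
example (not from the page or from Cisco); SAMPLE_CONFIG is constructed.
Note: 'show running-config' omits defaults, so a default-ON service is off
only if its 'no ...' line appears; a default-OFF one is on only if enabled."""
import re

# Default-ON global services: one of these explicit "no" forms must appear.
GLOBAL_DEFAULT_ON = {
    "BOOTP server": ["no ip bootp server"], "CDP": ["no cdp run"],
    "PAD service": ["no service pad"], "IP identd": ["no ip identd"],
    "TCP small servers": ["no service tcp-small-servers"],
    "UDP small servers": ["no service udp-small-servers"],
    "Finger": ["no ip finger", "no service finger"],
    "IP source routing": ["no ip source-route"],
}
# Default-OFF global services: (enable regex, guard that makes it acceptable or None).
GLOBAL_DEFAULT_OFF = {
    "FTP server": (r"^ftp-server enable", None),
    "TFTP server": (r"^tftp-server ", None),
    "Config auto-loading": (r"^(boot network|service config)", None),
    "NTP": (r"^ntp (master|server|peer)", "ntp access-group"),
    "HTTP server": (r"^ip http (secure-)?server", "ip http access-class"),
}
# Default-ON per-interface services (MOP applies to Ethernet interfaces only).
IFACE_DEFAULT_ON = {"ICMP redirects": "no ip redirects",
                    "ICMP unreachables": "no ip unreachables", "MOP": "no mop enabled"}


def parse_ios_config(text):
    """Split a running-config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' ends a section in IOS output
        elif raw.startswith(" "):  # indented: belongs to the open section
            if current is not None:
                interfaces[current].append(raw.strip())
        elif raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_config(text):
    """Return (scope, service, remediation) for every service still exposed."""
    glob, ifaces = parse_ios_config(text)
    gset, out = set(glob), []
    has = lambda prefix: any(l.startswith(prefix) for l in glob)
    for svc, forms in GLOBAL_DEFAULT_ON.items():
        if not any(f in gset for f in forms):
            out.append(("global", svc, f"on by default; add '{forms[0]}'"))
    # DNS client: by default the router broadcasts name requests to 255.255.255.255.
    if not has("ip name-server ") and not (has("no ip domain-lookup") or has("no ip domain lookup")):
        out.append(("global", "DNS lookup", "add 'no ip domain-lookup' or 'ip name-server'"))
    for svc, (enable, guard) in GLOBAL_DEFAULT_OFF.items():
        if any(re.match(enable, l) for l in glob) and not (guard and has(guard)):
            out.append(("global", svc, f"enabled without '{guard}'" if guard
                        else "explicitly enabled; remove unless required"))
    for l in glob:  # any community string means SNMPv1/v2c is in use
        if l.startswith("snmp-server community "):
            out.append(("global", "SNMP", f"v1/v2c community '{l.split()[2]}'; use SNMPv3 + ACL"))
    cdp_running = "no cdp run" not in gset
    for name, lines in ifaces.items():
        lset = set(lines)
        if "shutdown" in lset:
            continue  # administratively down: an unused interface, correctly disabled
        for svc, form in IFACE_DEFAULT_ON.items():
            if form not in lset and (svc != "MOP" or "Ethernet" in name):
                out.append((name, svc, f"on by default; add '{form}'"))
        if cdp_running and "no cdp enable" not in lset:
            out.append((name, "CDP", "add 'no cdp enable' or global 'no cdp run'"))
        if "ip mask-reply" in lset:
            out.append((name, "ICMP mask reply", "enabled; add 'no ip mask-reply'"))
    return out


SAMPLE_CONFIG = """\
no ip bootp server
ip name-server 192.0.2.53
ip http server
snmp-server community public RO
ntp server 192.0.2.123
!
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no mop enabled
 no cdp enable
interface GigabitEthernet0/1
 ip mask-reply
interface GigabitEthernet0/2
 shutdown
"""
if __name__ == "__main__":
    print(*audit_config(SAMPLE_CONFIG), sep="\n")
```

Running it against the constructed config reports the default-enabled global services that were never disabled (CDP, PAD, identd, the small servers, finger, source routing), NTP and HTTP enabled without an ACL, the SNMPv1/v2c community string, and every exposed service on GigabitEthernet0/1; GigabitEthernet0/0 is clean and GigabitEthernet0/2 is skipped because it is shut down. Feed it the saved output of "show running-config" from a real device to use it as a pre-deployment check.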