globally to manage TCP connections and prevent certain DoS attacks.
  • Gratuitous and proxy Address Resolution Protocol (ARP):
  • IP directed broadcast: This service is enabled by default in Cisco IOS software releases prior to Cisco IOS Release 12.0 and disabled by default in Cisco IOS Release 12.0 and later. IP directed broadcasts are the amplification vector used in the well-known smurf DoS attack and related attacks. Disable this service on each interface where it is not required.
    Router Hardening Considerations
    Leaving unused network services running increases the possibility that those services will be exploited. Turning them off, or restricting access to them, greatly improves network security. You are not required to explain why each of these services is vulnerable, but you do need to know how and when to disable them. Disabling the services one at a time by hand is lengthy and error prone: it is easy to overlook an unneeded service, and the router is then left vulnerable. Figure lists considerations for hardening routers. AutoSecure, described in the next topic, helps you secure your Cisco router.
    5.4 Disabling Unused Cisco Router Network Services and Interfaces
    5.4.2 Locking Down Routers with AutoSecure
    The AutoSecure feature was introduced in Cisco IOS Release 12.3. AutoSecure is a single privileged EXEC command that eliminates many potential security threats quickly and easily, making you more efficient at securing Cisco routers. Figure lists functions that AutoSecure can do.
    AutoSecure Operation Modes
    AutoSecure allows two modes of operation, as shown in Figure : Interactive mode gives you greater control over the router security-related features than noninteractive mode does. When you want to secure a router quickly with little human intervention, noninteractive mode is the better choice; select the optional no-interact keyword to run the noninteractive portions of the dialog without prompting.
    AutoSecure Functions
    AutoSecure allows you to choose which router components to secure. You can secure the entire router or select individual planes or functions. The selectable components are the management plane, forwarding plane, firewall, login, NTP, and SSH. Figure lists the key AutoSecure functions.
    • Management plane: hardens management services, including finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, and the banner. This plane also covers login functions, such as password security and failed login attempt actions, and SSH access.
    • Forwarding plane: enables Cisco Express Forwarding (CEF) and configures ACLs for traffic filtering.
    • Firewall: activates Cisco IOS Firewall inspection for common protocols and applications.
    • Login: configures passwords and sets the options for failed login attempts.
    • NTP: sets up authenticated NTP connectivity.
    • SSH: configures a hostname and a domain name (if not already configured) and enables SSH access to the protected router.
    • TCP Intercept: enables the TCP intercept feature with its default settings.
    Note
    The full, ntp, login, ssh, firewall, and tcp-intercept keywords were added in Cisco IOS Release 12.3(4)T. When you use the full option, you are prompted for all interactive questions.
    AutoSecure Failure Rollback Feature
    If AutoSecure fails to complete the security operation, your running configuration may be left in a partially modified state. AutoSecure has a rollback feature, as shown in Figure . Consider these items to avoid a configuration loss:
    5.4.3 AutoSecure Process Overview
    Initiate AutoSecure with the auto secure command in privileged EXEC mode. AutoSecure uses the syntax shown in Figure to provide a level of granularity. To secure all components and functions, select the full option. To avoid configuration prompts, select the no-interact keyword. AutoSecure configures all functions and services in the following order:
    Step 1 Identify outside interfaces.
    Step 2 Secure the management plane.
    Step 3 Create a security banner.
    Step 4 Configure passwords, authentication, authorization, and accounting (AAA), and SSH.
    Step 5 Secure the interface settings.
    Step 6 Secure the forwarding plane.
    To limit the scope of hardening, use any of the parameters shown in Figure .
    5.4.4 AutoSecure Processing
    AutoSecure Step 1: Start and Interface Selection
    The first questions that AutoSecure asks relate directly to how the router connects to the Internet. If you do not specify any options, as in the example shown in Figure , AutoSecure starts in interactive mode and proceeds to secure the full scope of services and functions. To start, AutoSecure needs to know the following:
    AutoSecure Step 2: Securing Management Plane Services
    Next, AutoSecure disables certain global router management services. Figure shows the screen that appears while AutoSecure disables the following services: