Monday, February 8, 2010

Device hardening

The following services are enabled by default but unnecessary in most deployments, and should be disabled (the IOS command that disables each one is shown after its description):
  1. BOOTP server (config)# no ip bootp server
  2. Cisco Discovery Protocol (CDP). Should be disabled globally or on outside interfaces. (config)# no cdp run   (config-if)# no cdp enable
  3. Packet assembler/disassembler (PAD) service (config)# no service pad
  4. Maintenance Operation Protocol (MOP) service (config-if)# no mop enabled
  5. Simple Network Management Protocol (SNMP) (config)# no snmp-server enable
  6. Domain Name Service (DNS). Cisco routers use 255.255.255.255 as the default address to reach a DNS server for name resolution. If not used, this service should be disabled. If needed, explicitly set the address of the DNS server. (config)# no ip domain-lookup
  7. ICMP Redirects. This service causes the router to send an ICMP redirect message when a packet is forwarded out the interface it arrived on. An attacker can use such information to redirect packets to an untrusted device. This service should be disabled when not needed. (config)# no ip icmp redirect   (config-if)# no ip redirects
  8. IP Source Routing. This service allows the sender to control the route that a packet travels through a network. Such a service can permit an attacker to bypass the normal forwarding path and security mechanisms in a network. Because most network devices should not attempt to dictate their preferred path through the network, this service should be disabled. (config)# no ip source-route
  9. Finger service. The finger protocol (port 79) retrieves a list of users from a network device, which includes the line number, connection name, idle time, and terminal location. Such information is also seen in the show users Cisco IOS command, and can be used for reconnaissance attacks. This service should be disabled when not needed. (config)# no service finger
  10. ICMP unreachable notification. This service notifies a sender of invalid destination IP subnets or specific addresses. Such information can be used to map a network. This service should be disabled. (config-if)# no ip unreachables
  11. IP identification service. The identification protocol (RFC 1413) reports the identity of the TCP connection initiator. Such information can be used in reconnaissance attacks. This service should be disabled. (config)# no ip identd
  12. TCP keepalives. TCP keepalives help clean up TCP connections when a remote host has stopped processing TCP packets (such as after a reboot). This service should be enabled to help prevent certain DoS attacks. Disabled by default. To enable this service, enter (config)# service tcp-keepalives-in and (config)# service tcp-keepalives-out
  13. Gratuitous ARP. This service is the primary means used in ARP poisoning attacks. Unless needed, this service should be disabled. (config)# no ip arp gratuitous
  14. Proxy ARP. This service permits the router to resolve Layer 2 addresses on behalf of other hosts. This feature is only useful if the router is acting as a Layer 2 bridge. Because this is unlikely in modern networks, this service should be disabled. (config)# no ip arp proxy
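A hardening list is only useful if someone verifies it against the running device. The script below is an added example (not part of the original post and not a Cisco tool): it parses the text of `show running-config` and reports which items from the list above are missing, distinguishing global-mode commands from the per-interface ones. It relies on the fact that IOS prints a negated command such as `no cdp run` in the running-config only when a default-on service has actually been turned off, so the absence of the expected line is treated as "still enabled". The sample configuration embedded in it is constructed for the demo; the per-interface `no ip proxy-arp` and the `no ip domain lookup` spelling (newer IOS) are assumptions about the command variants you will meet, not from the post.

```python
"""Audit a Cisco IOS running-config against the device-hardening list.

Added example, not from the original post. Input is the plain text of
`show running-config`; output is the list of hardening items whose
expected command line is absent, globally or on an IP-bearing interface.
"""

# Global-configuration lines that should be present. A list of accepted
# spellings is given where IOS releases differ (assumption: older IOS
# prints `no ip domain-lookup`, newer prints `no ip domain lookup`).
GLOBAL_CHECKS = {
    "BOOTP server": ["no ip bootp server"],
    "CDP (global)": ["no cdp run"],
    "PAD service": ["no service pad"],
    "DNS lookup": ["no ip domain-lookup", "no ip domain lookup"],
    "IP source routing": ["no ip source-route"],
    "Finger service": ["no service finger"],
    "Identd": ["no ip identd"],
    "TCP keepalives in": ["service tcp-keepalives-in"],
    "TCP keepalives out": ["service tcp-keepalives-out"],
    "Gratuitous ARP": ["no ip arp gratuitous"],
}

# Interface-configuration lines expected under every interface that has an
# IP address. `no ip proxy-arp` is the per-interface form of the proxy ARP
# control (assumption; the post shows the global form).
INTERFACE_CHECKS = {
    "ICMP redirects": "no ip redirects",
    "ICMP unreachables": "no ip unreachables",
    "Proxy ARP": "no ip proxy-arp",
    "MOP": "no mop enabled",
}

# Constructed sample running-config for the demo. FastEthernet0/0 is fully
# hardened, FastEthernet0/1 is only partly done, Loopback0 carries no IP.
SAMPLE_CONFIG = """\
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
no service finger
hostname edge-rtr
!
no ip bootp server
no ip domain lookup
no ip source-route
no cdp run
!
interface FastEthernet0/0
 description outside
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enabled
!
interface FastEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
!
interface Loopback0
 no ip address
!
end
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface lines.

    Returns (set_of_global_lines, {interface_name: set_of_lines}).
    Indented lines following an `interface ...` header belong to that
    interface; `!` or any unindented line ends the block.
    """
    global_lines = set()
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None
            global_lines.add(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return (scope, check_name, status) tuples; status is 'ok' or 'MISSING'."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for name, accepted in GLOBAL_CHECKS.items():
        status = "ok" if any(cmd in global_lines for cmd in accepted) else "MISSING"
        findings.append(("global", name, status))
    for ifname, lines in interfaces.items():
        # Only interfaces that actually carry an IP address are in scope.
        if not any(l.startswith("ip address ") for l in lines):
            continue
        for name, cmd in INTERFACE_CHECKS.items():
            status = "ok" if cmd in lines else "MISSING"
            findings.append((ifname, name, status))
    return findings


def missing(text):
    """Just the (scope, check_name) pairs that still need attention."""
    return [(scope, name) for scope, name, status in audit(text) if status == "MISSING"]


if __name__ == "__main__":
    for scope, name in missing(SAMPLE_CONFIG):
        print(f"{scope:>18}: {name} still enabled / not configured")
```

Run it against a saved `show running-config` instead of the sample by reading the file into `missing()`. Default-on services that IOS does not echo in the running-config (SNMP with no community configured, for instance) cannot be judged from the config text alone and are deliberately left out of the check tables.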
