07-07-2006 11:15 AM - edited 03-09-2019 03:31 PM
Besides encryption, ACLs, and authorization, there are additional commands we can configure on our perimeter routers to limit access to it. By default, the Cisco IOS runs some services that are unnecessary to its normal operation, and if we don't disable them, they can be easy targets for DoS attacks and break-in attempts.
Plus, if we just use a Cisco router's default settings, it won't check routing paths to stop illegitimate traffic, and ARP traffic will be allowed to pass through its interfaces. We'll now look at how to turn off these unneeded services.
Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers
Lab_B(config)#no service finger
Lab_B(config)#no ip bootp server
Lab_B(config)#no service config
Lab_B(config)#no ip source-route
Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip proxy-arp
Lab_B(config)#no ip forward-protocol udp 69
Lab_B(config)#no ip forward-protocol udp 53
Lab_B(config)#no ip forward-protocol udp 37
Lab_B(config)#no ip forward-protocol udp 137
Lab_B(config)#no ip forward-protocol udp 138
Lab_B(config)#no ip forward-protocol udp 68
Lab_B(config)#no ip forward-protocol udp 49
Guys, I want to know whether I should disable all of the above-cited default services on a Cisco 1811 router, or whether they are already disabled...
Please, I need your valuable suggestions on this.
Regards,
Khan
07-07-2006 11:35 AM
Hello Khan,
Some of those services are disabled by default. There is no harm in turning off a feature that is already disabled. If you want more information, there is a nice on-line security training module:
Securing Cisco Routers - Computer Based Training
Securing Cisco Routers (SECR) v1.0 teaches the top ten steps to improving Cisco router security. It combines an updated version of the popular Cisco Router Security (CRS) course with the new Advanced Cisco Router Security (ACRS) course.
Based on industry best practices and the newest in Cisco IOS security features, SECR contains tutorials, animations, and configuration examples that teach you how to configure Cisco routers to ensure maximum device security. Practice what you learn in a safe training environment through e-lab simulations of the Cisco IOS software command-line interface. Finally, test your knowledge using the built-in assessment quizzes.
Hope that helps! If so, please rate.
Thanks
07-08-2006 06:23 PM
I have one small follow-up. While you may choose to disable proxy ARP, the example given is flawed:
Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip proxy-arp
There is no ARP and no proxy-arp on serial interfaces. This would make much more sense on an Ethernet or FastEthernet interface.
One other suggestion is that on outward-facing interfaces you may want to configure "no ip unreachables".
HTH
Rick
07-10-2006 02:13 AM
Also, you won't close port 67 on the router unless you also do a "no service dhcp".
Andrew.
07-10-2006 11:34 AM
Guys,
With regards to "no ip proxy-arp" on an Ethernet or FastEthernet interface, what exactly does it do? Please advise.
Lab_B(config)#no service config ( we do not have any configuration server in our network from where we can download configuration file)
I have found that we need to configure the exec-timeout command, which is used to drop an idle EXEC session after the idle time specified in minutes and seconds elapses. The exec command enables or disables access to the EXEC process for a line.
exec-timeout 5 0
And tcp-keepalives-in and tcp-keepalives-out generate keepalive packets on idle outgoing network connections (initiated by a user). To disable the keepalives, use the no form of this command.
What are the other commands which we need to implement on our perimeter router to enhance security?
Your assistance will be highly appreciated.
07-10-2006 01:21 PM
Waiting for your valuable suggestion on the same.
07-10-2006 02:06 PM
One more question: I am using NAT, so is it necessary to apply "no ip proxy-arp" on the Ethernet interface? I just want to make sure before applying this command in the real network.
Please advise.
Regards,
Khan.
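As an added example, not posted by anyone in this thread, here is a Python script that audits a saved "show running-config" for the points raised above: the global services from the first post, Andrew's "no service dhcp", Rick's point that "no ip proxy-arp" belongs on Ethernet rather than serial interfaces, and Khan's exec-timeout. The sample configuration is constructed for the example.

```python
# Global commands recommended in this thread; the audit reports which are absent.
HARDENING = ("no service tcp-small-servers", "no service udp-small-servers",
             "no service finger", "no ip bootp server", "no service config",
             "no ip source-route", "no service dhcp")
# Constructed sample 'show running-config' excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service finger
no ip source-route
interface FastEthernet0
interface Serial0/0
 no ip proxy-arp
line vty 0 4
 exec-timeout 0 0
"""

def parse_blocks(config):
    # Map each top-level line to its indented child lines, preserving order.
    blocks, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def audit(config):
    # Return a list of findings; an empty list means every check passed.
    blocks, findings = parse_blocks(config), []
    for cmd in HARDENING:
        enabled = cmd[3:]  # the command without its leading 'no '
        if enabled in blocks:
            findings.append(f"ENABLED: '{enabled}' is explicitly turned on")
        elif cmd not in blocks:
            # IOS omits default settings from the config, so absence is not proof.
            findings.append(f"CHECK: '{cmd}' absent; confirm the default for this IOS")
    for header, children in blocks.items():
        words = header.split()
        if words[0] == "interface":
            if "Ethernet" in words[1] and "no ip proxy-arp" not in children:
                findings.append(f"MISSING: 'no ip proxy-arp' on {words[1]}")
            if words[1].startswith("Serial") and "no ip proxy-arp" in children:
                findings.append(f"NO-OP: 'no ip proxy-arp' on {words[1]} (serial has no ARP)")
        elif words[0] == "line":
            timeout = next((c for c in children if c.startswith("exec-timeout")), None)
            if timeout is None or timeout.split()[1:] == ["0", "0"]:
                findings.append(f"MISSING: idle exec-timeout on '{header}'")
    return findings
```

Running audit(SAMPLE_CONFIG) reports eight findings, including the explicitly enabled small-servers, the missing proxy-ARP setting on FastEthernet0, the pointless one on Serial0/0, and the "exec-timeout 0 0" on the vty lines, which never times out.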