Appendix C

Disabling and Configuring Network Services

By default, the Cisco IOS runs some services that are unnecessary to its normal operation, and if you don’t disable them, they can be easy targets for denial-of-service (DoS) attacks and break-in attempts.

DoS attacks are the most common attacks because they are the easiest to perform. Using software and/or hardware tools such as an intrusion detection system (IDS) and intrusion prevention system (IPS) can both warn and stop these simple, but harmful, attacks. However, if we can’t implement IDS/IPS, there are some basic commands we can use on our router to make them more safe. Keep in mind, though, that nothing will make you completely safe in today’s networks.

Let’s take a look at the basic services we should disable on our routers.

Blocking SNMP Packets

The Cisco IOS default configurations permit remote access from any source, so unless you’re either way too trusting or insane, it should be totally obvious to you that those configurations need a bit of attention. You’ve got to restrict them. If you don’t, the router will be a pretty easy target for an attacker who wants to log in to it. This is where access lists come into the game—they can really protect you.

If you place the following command on the serial0/0 interface of the perimeter router, it’ll stop any SNMP packets from entering the router or the DMZ. (You’d also need to have a permit command along with this list to really make it work, but this is just an example.)

Lab_B(config)#access-list 110 deny udp any any eq snmp
Lab_B(config)#interface s0/0
Lab_B(config-if)#access-group 110 in

Disabling Echo

In case you don’t know this already, small services are servers (daemons) running in the router that are quite useful for diagnostics. And here we go again—by default, the Cisco router has a series of diagnostic ports enabled for certain UDP and TCP services, including echo, chargen, and discard.

When a host attaches to those ports, a small amount of CPU is consumed to service these requests. All a single attacking device needs to do is send a whole slew of requests with different, random, phony source IP addresses to overwhelm the router, making it slow down or even fail. You can use the no version of these commands to stop a chargen attack:

Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers

Finger is a utility program designed to allow users of Unix hosts on the Internet to get information about each other:

Lab_B(config)#no service finger

This matters because the finger command can be used to find information about all users on the network and/or the router. It’s also why you should disable it. The finger command is the remote equivalent to issuing the show users command on the router.

Here are the TCP small services:

Echo Echoes back whatever you type. Type the command telnet x.x.x.x echo ? to see the options.
Chargen Generates a stream of ASCII data. Type the command telnet x.x.x.x chargen ? to see the options.
Discard Throws away whatever you type. Type the command telnet x.x.x.x discard ? to see the options.
Daytime Returns the system date and time, if correct. It is correct if you are running NTP or have set the date and time manually from the EXEC level. Type the command telnet x.x.x.x daytime ? to see the options.

The UDP small services are as follows:

Echo Echoes the payload of the datagram you send.
Discard Silently pitches the datagram you send.
Chargen Pitches the datagram you send and responds with a 72-character string of ASCII characters terminated with a CR+LF.

Turning off BootP and Auto-Config

Again, by default, the Cisco router also offers BootP service as well as remote auto-configuration. To disable these functions on your Cisco router, use the following commands: 

Lab_B(config)#no ip boot server
Lab_B(config)#no service config

Disabling the HTTP Interface

The ip http server command may be useful for configuring and monitoring the router, but the cleartext nature of HTTP can obviously be a security risk. To disable the HTTP process on your router, use the following command:

Lab_B(config)#no ip http server

To enable an HTTP server on a router for AAA, use the global configuration command ip http server.

Disabling IP Source Routing

The IP header source-route option allows the source IP host to set a packet’s route through the IP network. With IP source routing enabled, packets containing the source-route option are forwarded to the router addresses specified in the header. Use the following command to disable any processing of packets with source-routing header options:

Lab_B(config)#no ip source-route

Disabling Proxy ARP

Proxy ARP is the technique in which one host—usually a router—answers ARP requests intended for another machine. By “faking” its identity, the router accepts responsibility for getting those packets to the “real” destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway. The following command disables proxy ARP:

Lab_B(config)#interface fa0/0
Lab_B(config-if)#no ip proxy-arp

Apply this command to all your router’s LAN interfaces.

Disabling Redirect Messages

ICMP redirect messages are used by routers to notify hosts on the data link that a better route is available for a particular destination. To disable the redirect messages so bad people can’t draw out your network topology with this information, use the following command:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip redirects

Apply this command to all your router’s interfaces. However, just understand that if this is configured, legitimate user traffic may end up taking a suboptimal route. Use caution when disabling this command.

Disabling the Generation of ICMP Unreachable Messages

The no ip unreachables command prevents the perimeter router from divulging topology information by telling external hosts which subnets are not configured. This command is used on a router’s interface that is connected to an outside network:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip unreachables

Again, apply this to all the interfaces of your router that connect to the outside world.

Disabling Multicast Route Caching

The multicast route cache lists multicast routing cache entries. These packets can be read, and so they create a security problem. To disable the multicast route caching, use the following command:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip mroute-cache

Apply this command to all the interfaces of the router. However, use caution when disabling this command because it may slow legitimate multicast traffic.

Disabling the Maintenance Operation Protocol (MOP)

The Maintenance Operation Protocol (MOP) works at the Data Link and Network layers in the DECnet protocol suite and is used for utility services like uploading and downloading system software, remote testing, and problem diagnosis. So, who uses DECnet? Anyone with their hands up? I didn’t think so. To disable this service, use the following command:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no mop enabled

Apply this command to all the interfaces of the router.

Turning Off the X.25 PAD Service

Packet assembler/disassembler (PAD) connects asynchronous devices like terminals and computers to public/private X.25 networks. Since every computer in the world is pretty much IP savvy, and X.25 has gone the way of the dodo bird, there is no reason to leave this service running. Use the following command to disable the PAD service:

Lab_B(config)#no service pad

Enabling the Nagle TCP Congestion Algorithm

The Nagle TCP congestion algorithm is useful for small packet congestion, but if you’re using a higher setting than the default MTU of 1,500 bytes, it can create an above-average traffic load. To enable this service, use the following command:

Lab_B(config)#service nagle

It is important to understand that the Nagle congestion service can break X Window connections to an X server, so don’t use it if you’re using X Window.

Logging Every Event

Used as a syslog server, the Cisco ACS server can log events for you to verify. Use the logging trap debugging or logging trap level command and the logging ip_address command to turn this feature on:

Lab_B(config)#logging trap debugging
Lab_B(config)#logging 192.168.254.251
Lab_B(config)#exit
Lab_B#sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 15 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Trap logging: level debugging, 19 message lines logged
        Logging to 192.168.254.251, 1 message lines logged

The show logging command provides you with statistics of the logging configuration on the router.

Disabling Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) does just that—it’s a Cisco proprietary protocol that discovers directly connected Cisco devices on the network. But because it’s a Data Link layer protocol, it can’t find Cisco devices on the other side of a router. Plus, by default, Cisco switches don’t forward CDP packets, so you can’t see Cisco devices attached to any other port on a switch.

When you are bringing up your network for the first time, CDP can be a really helpful protocol for verifying it. But since you’re going to be thorough and document your network, you don’t need the CDP after that. And because CDP does discover Cisco routers and switches on your network, you should disable it. You do that in global configuration mode, which turns off CDP completely for your router or switch:

Lab_B(config)#no cdp run

Or, you can turn off CDP on each individual interface using the following command:

Lab_B(config-if)#no cdp enable

Disabling the Default Forwarded UDP Protocols

When you use the ip helper-address command as follows on an interface, your router will forward UDP broadcasts to the listed server or servers:

Lab_B(config)#interface f0/0
Lab_B(config-if)#ip helper-address 192.168.254.251

You would generally use the ip helper-address command when you want to forward DHCP client requests to a DHCP server. The problem is that not only does this forward port 67 (BootP server request), it forwards seven other ports by default as well. To disable the unused ports, use the following commands: 

Lab_B(config)#no ip forward-protocol udp 69
Lab_B(config)#no ip forward-protocol udp 53
Lab_B(config)#no ip forward-protocol udp 37
Lab_B(config)#no ip forward-protocol udp 137
Lab_B(config)#no ip forward-protocol udp 138
Lab_B(config)#no ip forward-protocol udp 68
Lab_B(config)#no ip forward-protocol udp 49

Now, only the BOOTP server request (67) will be forwarded to the DHCP server. If you want to forward a certain port—say, TACACS+, for example—use the following command:

Lab_B(config)#ip forward-protocol udp 49

Cisco’s Auto Secure

Okay, so ACLs seem like a lot of work and so does turning off all those services I just discussed. But you do want to secure your router with ACLs, especially on your interface connected to the Internet. However, you are just not sure what the best approach should be, or maybe you just don’t want to miss happy hour with your buddies because you’re creating ACLs and turning off default services all night long.

Either way, Cisco has a solution that is a good start, and it’s darn easy to implement. The command is called auto secure, and you just run it from privileged mode as shown: 

R1#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance
security and any possible side effects, please refer to Cisco.com
for Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: [enter]
Interface             IP-Address      OK? Method Status                Protocol
FastEthernet0/0       10.10.10.1      YES NVRAM  up                    up
Serial0/0             1.1.1.1         YES NVRAM  down                  down
FastEthernet0/1       unassigned      YES NVRAM  administratively down down
Serial0/1             unassigned      YES NVRAM  administratively down down
Enter the interface name that is facing the internet: serial0/0

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
#
If you are not part of the www.globalnettc.com domain, disconnect now!
#
Enable secret is either not configured or
 is the same as enable password
Enter the new enable secret: [password not shown]
% Password too short - must be at least 6 characters. Password configuration 
failed
Enter the new enable secret: [password not shown]
Confirm the enable secret : [password not shown]
Enter the new enable password: [password not shown]
Confirm the enable password: [password not shown]
Configuration of local user database
Enter the username: Todd
Enter the password: [password not shown]
Confirm the password: [password not shown]
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: ?
% A decimal number between 1 and 32767.
Blocking Period when Login Attack detected: 100
Maximum Login failures with the device: 5
Maximum time period for crossing the failed login attempts: 10
Configure SSH server? [yes]: [enter to take default of yes]
Enter the domain-name: lammle.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet

Configure CBAC Firewall feature? [yes/no]:
Configure CBAC Firewall feature? [yes/no]: no
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed

Enable tcp intercept feature? [yes/no]:yes

And that’s it—all the services I mentioned earlier are disabled, plus some! By saving the configuration that the auto secure command created, you can then take a look at your running-config to see your new configuration. It’s a long one!

Although it is tempting to run out to happy hour right now, you still need to verify your security and add your internal access-list configurations to your intranet.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.221.140.111