
CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-3

Copyright © 2007, Cisco Systems, Inc

Lab 5.3 Disabling Unneeded Services

Learning Objectives

• Identify and disable unneeded and insecure services on a router

• Enable TCP keepalives

Topology Diagram

Scenario

In this lab, you will disable unneeded services on a router. SDM one-step
lockdown or AutoSecure will disable many of the same services. This lab only
requires one router.

Step 1: Configure the Physical Interface

Because this lab uses only one router, you will simulate an active FastEthernet
connection by activating the interface and applying the no keepalive command
to initiate an “always up” state, regardless of the existence of a device at the
remote end. Normally, you would not use the no keepalive command on a
routed interface, except in special circumstances. In this lab, you will use it only
for simulation purposes.

Configure the R1 physical interface using the IP address shown in the topology
diagram. Use the no keepalive command in interface configuration mode, and
then use the no shutdown command to activate the interface. Because you
have disabled keepalives, the interface status displays the link state (Layer 1)
and the line protocol state (Layer 2) as “up,” even if it is not connected to an
external device.


R1(config)# interface fastethernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no keepalive
R1(config-if)# no shutdown


Step 2: Ensure Services Are Disabled

Some services are disabled by default on more recent Cisco IOS releases, so
you do not necessarily have to disable them. However, it is helpful to know the
commands in case they are enabled and affect security. These commands are
especially useful if you are running older versions of Cisco IOS.

The no ip finger command replaces the no service finger command. Both
disable the finger service, which allows remote users or systems to identify
users connected to the local router’s terminal lines or who have active running
processes.


R1(config)# no ip finger

How could the enabling of the finger service pose a security risk?

The no service udp-small-servers and no service tcp-small-servers
commands disable UDP and TCP small servers, such as echo and discard. The
small servers are not needed in most environments.


R1(config)# no service udp-small-servers
R1(config)# no service tcp-small-servers

The TCP and UDP small servers are enabled by default on Cisco IOS Release
11.2 and earlier. They are disabled by default on Cisco IOS Release 11.3 and
later.

It is recommended that you do not enable these services unless it is absolutely
necessary. These services could be exploited indirectly to gain information
about the target system, or directly with a fraggle attack, which uses UDP
echo.[1] Also, if a sender transmits a volume of fake requests for UDP
diagnostic services on the router, the requests could consume all CPU
resources.

Step 3: Manage Router Access

Name two popular TCP protocols that network administrators use to manage
network devices.


[1] http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml#topic5


Recall that such management applications as telnet and SSH connect to the vty
port on a router. A Cisco router has five vtys configured by default, numbered 0
through 4, to which users connect to access the command-line interface. When
one vty is in use, the next vty port is used. If all vty ports are being used, other
users cannot connect to the device in this way.

Describe how individuals with malicious intent could exploit vty port
functionality.

Describe at least two ways to prevent these types of attacks from occurring.

Enabling TCP keepalives causes the router to generate periodic keepalive
messages, letting it detect and drop broken Telnet connections. This frees up
hung Telnet sessions. This functionality also has the additional benefit of
making the router more secure by preventing a hacker from exploiting a hung
Telnet session.

To enable TCP keepalive packets on idle connections, use the
service tcp-keepalives-in and service tcp-keepalives-out commands in
global configuration mode.


R1(config)# service tcp-keepalives-in
R1(config)# service tcp-keepalives-out

Step 4: Disable CDP

Cisco Discovery Protocol (CDP) is a great troubleshooting tool, especially on
poorly documented networks. However, it can also leave your network
susceptible to reconnaissance attacks.

CDP is used for some network management functions, but is dangerous
because it allows any system on a directly connected segment to learn that the
router is a Cisco device, and to determine the model number and the Cisco IOS
software version being run. This reconnaissance information can be used to
design attacks against the router.


To disable the CDP service globally, use the no cdp run command in global
configuration mode. To disable CDP on a per-interface basis, issue the
no cdp enable command in interface configuration mode.


R1(config)# no cdp run

Step 5: Disable Other Unused Services

Disable the packet assembler/disassembler (PAD) on the router by using the
no service pad command in global configuration mode. PAD translates
between packets and character streams in legacy networks. You should not
need this service in most current IP networks.


R1(config)# no service pad

The BOOTP service is used in networks that have a centralized Cisco IOS
software deployment: one router can serve as the source from which other
routers load their operating system. However, the BOOTP service is seldom
used, and it gives a hacker an opportunity to steal a Cisco IOS image.
Therefore, in most situations, you should disable it using the following command:


R1(config)# no ip bootp server

The most recent Cisco IOS software releases support the Hypertext Transfer
Protocol (HTTP) for remote configuration and monitoring. In general, HTTP
access is equivalent to interactive access to the router. The authentication
protocol used for HTTP is equivalent to sending a clear-text password across
the network. Unfortunately, there is no effective provision in HTTP for
challenge-based or one-time passwords. This makes HTTP a relatively risky
choice for router management across the public Internet.

If you choose to use HTTP for router management, use the ip http access-class
command to restrict access to specific IP addresses. You should also use the
ip http authentication method command to configure authentication. As with
interactive logins, the best choice for HTTP authentication is to use a
TACACS+ or RADIUS server.[2]

In the following example, you choose not to use the IOS web interface. Disable
the Cisco IOS HTTP server with the no ip http server command in global
configuration mode.


R1(config)# no ip http server

The IP protocol supports source routing options that allow the sender of an IP
datagram to control the route that a datagram takes toward its ultimate
destination, and generally the route that any reply takes. These options are
rarely used for legitimate purposes in real networks. Some older IP
implementations do not process source-routed packets properly, and it is
possible to send them datagrams with source routing options in order to crash
machines that run these implementations. The no ip source-route command
discards packets that contain source routing information. You can disable
source routing if a network is not using source-routing information.

[2] http://www.cisco.com/warp/public/707/21.html#http


R1(config)# no ip source-route

Gratuitous Address Resolution Protocols (ARPs) are unsolicited ARP requests
and replies that can be generated for several reasons, such as when detecting
IP address conflicts or updating ARP tables after an address change. However,
attackers can use these packets to spoof a valid network device; for example,
an attacker could send out a packet that claims to be the default router. If you
choose to do so, you can disable Gratuitous ARP with the global configuration
command no ip gratuitous-arps.


R1(config)# no ip gratuitous-arps

Step 6: Disabling Unneeded Interface Services

Some commands are used on a per-interface basis to mitigate certain types of
hacker attacks or reconnaissance. Issue the following commands to the R1
FastEthernet0/0 interface.

The no ip redirects command disables IP redirects so that the router does not
send ICMP redirect messages. A router sends these messages when it routes a
packet out the same interface on which the packet arrived. The message tells
the packet sender to send such packets directly to the next hop the router would
have used.


R1(config)# interface fastethernet0/0
R1(config-if)# no ip redirects

The no ip proxy-arp command disables proxy ARP on the router. With proxy
ARP enabled, a router responds to an ARP request for an address on a remote
subnet with its own MAC address and takes responsibility for getting the
packets to their destination.


R1(config-if)# no ip proxy-arp

The no ip unreachables command prevents the router from sending Internet
Control Message Protocol (ICMP) unreachable messages when it has not
learned a route to a destination. Normally, these are helpful for troubleshooting,
but they can also be involved in reconnaissance or DoS attacks.


R1(config-if)# no ip unreachables

Similarly, directed broadcasts can be used in reconnaissance and DoS attacks.
You can prevent this by using the no ip directed-broadcast command.
Although directed broadcasts are disabled by default in recent Cisco IOS
releases, this command is included in the lab because it is a significant security
point. This command makes the router discard packets with a destination
address that is the broadcast address for a specific network. Such packets can
be used in a DoS attack. If a hacker located at 192.168.1.1 wants to attack a
host at 192.168.2.2, the hacker can ping 192.168.3.255 with the source address
spoofed as 192.168.2.2. Every host in the 192.168.3.0/24 subnet responds to
that ICMP echo request and directs the response to the spoofed source. In this
case, the spoofed source is the victim of the attack.


R1(config-if)# no ip directed-broadcast

Unnecessary ICMP messages can be sent in response to ICMP mask request
messages. Use the no ip mask-reply command to disable ICMP mask reply
messages.


R1(config-if)# no ip mask-reply

Maintenance Operation Protocol (MOP) is an old DECnet protocol that is not
needed on most current IP networks. To disable it, issue the no mop enabled
command. MOP is enabled by default on Ethernet interfaces only.


R1(config-if)# no mop enabled

Final Configuration


R1#show run
service tcp-keepalives-in
service tcp-keepalives-out
!
hostname R1
!
no ip source-route
no ip gratuitous-arps
!
no ip bootp server
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no keepalive
 no mop enabled
 no shutdown
!
no ip http server
!
no cdp run
end
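As an added example that is not part of the Cisco lab, the following Python script audits a saved show running-config against the settings this lab applies. The sample configuration inside it is constructed from the final configuration above, and the command lists are the ones used in this lab; nothing else is assumed about the device.

```python
# Added example, not part of the Cisco lab: audit a saved "show running-config" for the
# hardening this lab applies. IOS omits defaults from "show run", so services that are
# off by default are flagged only when the enabling form is present.
REQUIRED_GLOBAL = ["service tcp-keepalives-in", "service tcp-keepalives-out", "no ip source-route",
                   "no ip gratuitous-arps", "no ip bootp server", "no ip http server", "no cdp run"]
FORBIDDEN_GLOBAL = ["ip finger", "service pad", "service udp-small-servers", "service tcp-small-servers"]
REQUIRED_IF = ["no ip redirects", "no ip unreachables", "no ip proxy-arp", "no mop enabled"]
FORBIDDEN_IF = ["ip directed-broadcast", "ip mask-reply"]      # off by default on current IOS
# Constructed sample: R1's final config as "show run" prints it (sub-commands indented
# one space), but with "no mop enabled" left out of the interface.
SAMPLE_RUN = """service tcp-keepalives-in
service tcp-keepalives-out
no ip source-route
no ip gratuitous-arps
no ip bootp server
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
no ip http server
no cdp run
"""

def parse_config(text):
    # Returns (set of top-level lines, {interface name: [sub-commands]}).
    top, ifaces, cur = set(), {}, []
    for line in text.splitlines():
        if line.startswith(" "):                # indented: sub-command of the open section
            cur.append(line.strip())
        elif line.strip() and not line.startswith("!"):     # skip blank and "!" separator lines
            name = line.split()[1] if line.startswith("interface ") else None
            cur = ifaces.setdefault(name, []) if name else []   # non-interface sections are skipped
            if not name:
                top.add(line.rstrip())
    return top, ifaces

def audit(text):
    # Returns findings as 'scope: message' strings; an empty list means every check passed.
    top, ifaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in top]
    findings += [f"global: '{c}' is enabled" for c in FORBIDDEN_GLOBAL if c in top]
    for name, lines in ifaces.items():
        lset = set(lines)
        if "shutdown" in lset:                  # administratively down: nothing exposed
            continue
        findings += [f"{name}: missing '{c}'" for c in REQUIRED_IF if c not in lset]
        findings += [f"{name}: '{c}' is enabled" for c in FORBIDDEN_IF if c in lset]
    return findings
```

Running audit(SAMPLE_RUN) reports only the interface line left out of the sample; feed it the text of show running-config from a real device to compare against this lab's checklist.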
