Limit Unneeded TCP/IP and Other Services

As a general rule, any unnecessary service should be disabled on perimeter routers. The following services are often useful, but should be disabled if they aren’t being used.

TCP and UDP “Small Services”

By default, Cisco devices offer the small services: echo, chargen, and discard. These services, especially their UDP versions, are infrequently used for legitimate purposes, but can be used to launch DoS and other attacks, which would otherwise be prevented by packet filtering.

The small services are disabled by default in Cisco IOS 12.0 and later software. In earlier software, they can be disabled using the no service tcp-small-servers and no service udp-small-servers commands.

Finger

Cisco routers support the “finger” service used to identify which users are logged into a network device. This information can be useful to an attacker. The “finger” service can be disabled with the no service finger command.

NTP

The Network Time Protocol (NTP) isn’t a particularly dangerous feature. If NTP is being used, be sure to configure a trusted time source and use proper authentication. Corrupting the time on network devices can subvert certain security protocols and cause some processes to fail to synchronize or function. If NTP isn’t being used on a particular router interface, it can be disabled with the interface command ntp disable.

CDP

Cisco Discovery Protocol (CDP) is a fairly useful feature, but on the network perimeter it can be dangerous because it announces the following to any system on a directly connected segment: that the router is a Cisco device, the model number, and the Cisco IOS version being run. This information could be used to exploit vulnerabilities in the router. CDP can be disabled with the global configuration command no cdp run, or on a particular interface with the interface command no cdp enable.
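The services above form one checklist, so the following script audits a saved running-config against all of them at once. It is an added example, not code from the book: the configuration text it reads is constructed for illustration, the version-based default for the small services follows the rule stated above (on before IOS 12.0, off from 12.0 onward), and the newer ip finger and ntp authenticate forms are included as assumptions about what a current config may contain rather than commands the text itself lists.

```python
"""Audit a Cisco IOS running-config for the perimeter services this section
says to disable. Findings quote the remediation command from the text."""
import re

# Constructed sample running-config excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
version 11.3
service tcp-small-servers
no service udp-small-servers
service finger
!
ntp server 192.0.2.10
!
interface Ethernet0
 ip address 203.0.113.1 255.255.255.0
!
interface Ethernet1
 ip address 10.0.0.1 255.255.255.0
 ntp disable
 no cdp enable
!
"""


def parse_config(text):
    """Split a running-config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None           # '!' separates config sections
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_config(text):
    """Return a list of human-readable findings for services left enabled."""
    glines, ifaces = parse_config(text)
    gset = set(glines)
    findings = []

    # Small services default to ON before IOS 12.0 and OFF from 12.0 onward,
    # so the config only shows the line that differs from the default.
    m = next((re.match(r"version (\d+)\.", l) for l in glines
              if l.startswith("version ")), None)
    legacy = m is not None and int(m.group(1)) < 12
    for proto in ("tcp", "udp"):
        enabled = f"service {proto}-small-servers" in gset
        disabled = f"no service {proto}-small-servers" in gset
        if enabled or (legacy and not disabled):
            findings.append(f"{proto.upper()} small servers enabled: "
                            f"apply 'no service {proto}-small-servers'")

    # Finger: 'ip finger' is the newer spelling of the same service (assumption).
    if "service finger" in gset or "ip finger" in gset:
        findings.append("finger service enabled: apply 'no service finger'")

    # NTP: if a time source is configured, authentication should be too, and
    # interfaces that do not need NTP should refuse it.
    if any(l.startswith(("ntp server", "ntp peer")) for l in glines):
        if "ntp authenticate" not in gset:
            findings.append("NTP in use without authentication: "
                            "apply 'ntp authenticate' and a trusted key")
        for name, lines in ifaces.items():
            if "ntp disable" not in lines:
                findings.append(f"{name}: NTP accepted on interface; apply "
                                "'ntp disable' if NTP isn't needed here")

    # CDP is on by default; only 'no cdp run' appears when globally disabled.
    if "no cdp run" not in gset:
        for name, lines in ifaces.items():
            if "no cdp enable" not in lines:
                findings.append(f"{name}: CDP advertising device details; "
                                "apply 'no cdp enable' (or global 'no cdp run')")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config saved to a file; on the constructed sample it reports the TCP small servers, finger, the unauthenticated NTP source, and Ethernet0 for both NTP and CDP, while Ethernet1, which already carries ntp disable and no cdp enable, produces nothing.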

Part III: Virtual Private Networks (VPNs)