Depending on the Cisco IOS version that you are running, many services are enabled by default on your router. Some of these present security issues. This section covers the global services that might or might not be running on your router, and how to disable them.
I highly recommend that you manually or dynamically (with AutoSecure) disable all services that you are not using. I make this recommendation because Cisco has the habit of sometimes enabling or disabling a service automatically in a specific software release. Therefore, I take the more cautious approach and assume that the services are enabled. Plus, you never know what might happen when you upgrade your Cisco IOS. A previous service that was disabled by default might be enabled (by default) in the new release. By disabling these services manually or with AutoSecure, you are protecting yourself from this kind of issue. Never make any assumptions about what is or is not running on your router; always assume the worst-case scenario and disable all services that you are not using.
The Cisco Discovery Protocol (CDP) is a Cisco-proprietary protocol used to share basic device information with another directly connected Cisco device. The media types supported include ATM, Ethernet, FDDI, frame relay, HDLC, PPP, and token ring. CDP messages are generated as multicasts and include the following information about your Cisco IOS device:
The name of your Cisco IOS device (configured with the hostname command)
The hardware platform of the Cisco IOS device, such as a 2600 series router or a 2950 switch
The Cisco IOS software version running on your Cisco IOS device
The hardware capabilities of your Cisco IOS device, such as routing, switching, or bridging
The Layer 3 address of the device
The interface from which the CDP multicast was sent
Example 4-1 shows some of the information that you can see from a neighboring device.
RouterB# show cdp neighbor detail ------------------------- Device ID: RouterA Entry address(es): IP address: 192.168.1.250 Platform: cisco 4500, Capabilities: Router Interface: Ethernet0/0, Port ID (outgoing port): Ethernet0/1 Holdtime : 127 sec Version : Cisco Internetwork Operating System Software IOS (tm) 4500 Software (C4500-J-M), Version 11.3.10, MAINTENANCE INTERIM SOFTWARE Copyright (c) 1986-1997 by cisco Systems, Inc. Compiled Mon 07-Apr-97 19:51 by dschwart <--output omitted-->
As you can see in Example 4-1, the neighboring router, RouterA, has an IP address of 192.168.1.250, is a 4500, was advertising information from Ethernet0/1, and is running Cisco IOS 11.3.10. Normally, CDP is used to test data link layer (Layer 2) connections. If you are receiving CDP information from a neighboring Cisco device, you can be assured that at least Layer 2 is functioning correctly. If you are having Layer 3 connectivity problems, you can see your neighbor's IP address without having to log into the neighbor.
However, a hacker can use CDP information during a reconnaissance attack. The likelihood of this is small because the hacker must be in the same broadcast domain to view the CDP multicast frame. Therefore, I highly recommend that you disable CDP completely on your perimeter router, or at least on the interfaces that connect to public networks, such as your ISP or other sites that you connect to that are not part of your company's security umbrella.
I discuss how to disable CDP globally in this section, and I cover how to disable it on your interfaces later in the chapter. To globally disable CDP, use the configuration in Example 4-2.
Router# show cdp Global CDP information: Sending CDP packets every 60 seconds Sending a holdtime value of 180 seconds Sending CDPv2 advertisements is enabled Router# configure terminal Router(config)# no cdp run Router(config)# exit Router# show cdp % CDP is not enabled Router#
As you can see from this example, after you have disabled CDP with the no cdp run command, you will want to verify that it has been disabled with the show cdp command.
TCP and UDP small servers are services running on ports 19 and lower on a device. All of the services are outdated: They were used a decade ago in UNIX environments to provide basic information such as the date and time (daytime, port 13), to test connectivity (echo, port 7), and to generate a stream of characters (chargen, port 19). Hackers sometimes can use these services to their advantage. For instance, if you have chargen (TCP or UDP 19) enabled on your device, a hacker could send a flood of traffic to this port, creating a DoS attack such as Fraggle. Basically, with chargen enabled, your device would process all this traffic, taking away CPU cycles from other processes, and then just discard the information.
Example 4-3 shows a connection being opened to a router with chargen enabled.
Router# telnet 192.168.1.254 chargen Trying 192.168.1.254, 19 ... Open !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh "#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi #$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij <--output omitted-->
As you can see from Example 4-3, a string of characters is repeated continuously. Example 4-4 shows a sample of connecting to the time port.
Router# telnet 192.168.1.254 daytime Trying 192.168.1.254, 13 ... Open Wednesday, September 17, 2003 02:01:09-UTC [Connection to 192.168.1.254 closed by foreign host] Router#
To disable these services on your router, use the configuration in Example 4-5.
Router(config)# no service tcp-small-servers Router(config)# no service udp-small-servers Router(config)# exit Router# telnet 192.168.1.254 daytime Trying 192.168.1.254, 13 ... % Connection refused by remote host Router#
After you have disabled the services, make sure that you test your configuration as shown earlier.
In most current versions of the Cisco IOS, TCP and UDP small servers are disabled. However, do not trust the Cisco IOS default behavior; hard-code these commands to ensure that they are disabled.
Finger is an old UNIX program to determine who is logged into a host. This was used many years ago to determine, without logging into a device, who was logged in. This was useful if you were at a remote site and wanted to see if someone was at his desk before you made a long-distance phone call (I used finger quite often for this purpose).
In today's world, finger is basically a dead application because many other resources, including e-mail and instant-messenger products, can perform this function. Therefore, I recommend disabling this service to limit your exposure: You do not want hackers to know who, if anyone, is logged into your router or gain any valid user IDs for the system.
Example 4-6 shows a simple configuration of verifying that finger is enabled and how to disable it.
Router# telnet 192.168.1.254 finger Trying 192.168.1.254, 79 ... Open Line User Host(s) Idle Location 0 con 0 192.168.1.254 00:00:00 * 6 vty 0 idle 00:00:00 192.168.1.254 Interface User Mode Idle Peer Address [Connection to 192.168.1.254 closed by foreign host] Router# configure terminal Router(config)# no ip finger Router(config)# no service finger Router(config)# exit Router# Router# telnet 192.168.1.254 finger Trying 192.168.1.254, 79 ... % Connection refused by remote host Router#
When executing a finger against a router, the router responds with the output from the show users command. To prevent responses, use the no ip finger command; this disables the finger server. On older Cisco IOS versions, the no service finger command was used. In newer versions of the Cisco IOS, both commands work.
In most current versions of the Cisco IOS, finger is disabled. However, do not trust the Cisco IOS default behavior; hard-code these commands to ensure that finger is disabled.
IdentD (the identification daemon) allows remote devices to query a TCP port for identification purposes. IdentD is defined in RFC 1413 and is an insecure protocol. Its purpose is to help identify a device that a remote device wants to connect to. It is a very simple protocol: A device sends a request to the Ident port (TCP 113), and the destination responds with its identification, such as a host or device name. Some applications, such as SMTP and FTP (at least some of them), use this to help provide some method of authentication.
Unfortunately, IdentD does not provide any real authentication function, and it is useful to a hacker since you can learn information from it. Plus, a hacker easily can spoof this, allowing him to send a bogus reply, for instance, when an e-mail server asks for the identity of the hacker's device using IdentD. Because of these issues with IdentD, you should disable it on a Cisco router. There is no real reason for the router to be establishing a connection to a remote device that is using IdentD as an additional method of authentication verification; likewise, there is no reason for someone else trying to access the router's IdentD process. To disable it, use the following command:
Router(config)# no ip identd
You can test it by Telnetting to port 113. In newer Cisco IOS versions, IdentD is disabled by default.
Sometimes when you are experiencing routing problems, you can take advantage of the IP source routing feature to help troubleshoot the problem. With IP source routing, you can place the actual route that a packet should take in the IP header. Routers then use this information to route the packet to the destination.
Unfortunately, a hacker can use this to his advantage. Figure 4-1 shows an illustration of a hacker using ingenuity to get into your network. In this example, when all devices on the Internet want to get into your network, they send traffic to you through your ISP. You have used a router/firewall to secure your Internet access. However, in this example, you do business with another company, and you want to have a private WAN connection between your two networks. In this example, your router for the private WAN connection is not protected as well as your other router connected to the Internet; you made the colossal mistake of assuming that your partner company was doing a good job in security. The hacker takes advantage of this by using IP source routing to have the Internet and Company A's routers route his traffic through the less protected path, bypassing your main firewall.
As you can see from this example, source routing can create security issues for your network and, therefore, should be disabled on all your routers, including your perimeter router. To disable it, use the following command:
Router(config)# no ip source-route
You can test this by using the Cisco IOS extended ping command and placing source routing information in your ICMP messages. With this command, choose the extended commands option; then choose either strict or loose and enter your source routing information. Strict source routing has the intermediate routers use the exact path specified in the ICMP payload; loose source routing specifies recommended paths for intermediate routers, if these paths are available. Hackers commonly use strict source routing to use alternative, less secure paths into your network. Loose source routing can be used to learn about alternative paths and the layout of your network. To see the actual path that an ICMP packet took to the destination, use the record option (this is useful in troubleshooting).
Your router can function as both an FTP server and a TFTP server. Many administrators use this function to allow a quick copy of a Cisco IOS image from one router to another. I highly recommend that you not use this feature because both FTP and TFTP are insecure protocols. With TFTP, there is no security; with FTP, there is only authentication through a username and password, which is susceptible to eavesdropping attacks. The only way to enable a TFTP server on a router is to specify which file in Flash you want external devices to access. Therefore, this service is disabled unless you explicitly configure it: Do not do so.
By default, the FTP server is disabled on Cisco routers. However, I still recommend executing the following command on your router, to be safe:
Router(config)# no ftp-server enable
Test this by using an FTP client from your PC, and try to establish a connection to your router. Using Microsoft's standard FTP client, I get the following message after configuring the previous command:
C:\> ftp 192.168.1.254 > ftp: connect: Connection refused
If you get any other type of message, you have not disabled FTP on your router successfully.
If you need to copy files to and from your router, I recommend that you use Secure Copy (SCP) instead. This is discussed in Chapter 5, "Authentication, Authorization, and Accounting."
Chapter 3, "Accessing a Router," discussed how to secure HTTP connections to your router. However, I also cautioned against this because of the many things hackers have found that allow them to use web browser?based attacks to gain unauthorized access. You could use HTTP with secure socket layer (HTTPS), which provides better security, but your router still is functioning as a web server, which presents inherent security risks. Remember that managing your router through a web browser requires the user to enter a level-15 password.
The easiest way to test this is to use a web browser and try to access your router. From a router prompt, you also can test it by using the two commands in Example 4-7.
Router# telnet 192.168.1.254 80 Trying 192.168.1.254, 80 ... Open Router# telnet 192.168.1.254 443 Trying 192.168.1.254, 80 ... Open
If you see the word "open" in either connection attempt, the HTTP and/or HTTPS service is running on your router. To disable both of these services, as well as verify that they have been disabled, perform the steps in Example 4-8.
Router(config)# no ip http server Router(config)# no ip http secure-server Router(config)# end Router# telnet 192.168.1.254 80 Trying 192.168.1.254, 80 ... % Connection refused by remote host Router# telnet 192.168.1.254 443 Trying 192.168.1.254, 443 ... % Connection refused by remote host
Instead of using HTTP to manage your router remotely, use the following, in order of preference: VPN, SSH, or HTTPS.
As I mentioned in the previous chapter, SNMP can be used to monitor and administer your Cisco devices remotely. However, SNMP has many security problems, especially in SNMP v1 and v2. To completely disable SNMP on your router, do the following three things:
Remove the default community strings from your router's configuration.
Disable SNMP traps and the system shutdown feature.
Disable the SNMP service.
To see whether any SNMP commands are configured on your router, execute the command in Example 4-9.
Router# show running-config | include snmp Building configuration... snmp-server community public RO snmp-server community private RW Router#
For Cisco IOS 12.0 and earlier, the include parameter will not work, so you must view the configuration and carefully look for snmp-server commands. Example 4-10 shows the configuration that you should use to disable SNMP completely.
Router(config)# no snmp-server community public RO Router(config)# no snmp-server community private RW Router(config)# Router(config)# no snmp-server enable traps Router(config)# no snmp-server system-shutdown Router(config)# no snmp-server trap-auth Router(config)# Router(config)# no snmp-server
The first two commands remove the read-only and read-write community strings. Note that the names of the community strings might be different in your configuration. The next three commands disable SNMP traps, system shutdowns, and authentication traps through SNMP. The last command disables the SNMP service on the router. After you have disabled SNMP, use the show snmp command to verify your configuration, as displayed in Example 4-11.
Router# show snmp %SNMP agent not enabled Router#
In this example, SNMP has been disabled successfully.
Everyone with an Internet connection uses the Domain Name System (DNS) to resolve fully qualified domain names (FQDN) to IP addresses. This is especially important for Internet-based applications. Cisco routers also support name resolution with DNS, as well as static, or manual, resolution.
If you router is using DNS to resolve names, you will see something similar to Example 4-12 in your configuration.
Router(config)# hostname santa santa(config)# ip domain-name claus.gov santa(config)# ip name-server 220.127.116.11 18.104.22.168 santa(config)# ip domain-lookup
As you can see in this example, the router has a name of santa and a domain name of claus.gov. Two name servers are defined, and DNS is enabled (ip domain-lookup). You can use the show hosts command to view your resolved names.
Because DNS has no security mechanisms built into it, it is susceptible to session-hijacking attacks, in which a hacker sends a fake reply before the destination DNS server can respond. If your router gets two responses back, it typically ignores the second one. Therefore, if the hacker's fake response is received first, your hacker is now one step further in implementing his attack. If you are concerned about this, either make sure that the router has a secure path to the DNS server or do not use DNS; instead, use manual resolution. With manual resolution, you disable DNS and then statically define any common host names that you use on your router with the ip host command. To prevent the router from generating DNS queries either to specifically configured DNS servers (ip name-server) or as a local broadcast (when DNS servers were not configured), use the configuration in Example 4-13.
Router# telnet www.quizware.com 80 Translating "www.cisco.com"...domain server (255.255.255.255) Translating "www.cisco.com"...domain server (255.255.255.255) Translating "www.cisco.com"...domain server (255.255.255.255) % Unknown command or computer name, or unable to find computer address Router# configure terminal Router(config)# no ip domain-lookup Router(config)# end Router# telnet www.cisco.com 80 Translating "www.cisco.com" % Unknown command or computer name, or unable to find computer address Router#
In Example 4-13, DNS resolution was enabled, but no DNS servers were configured. Therefore, the router used local broadcasts to resolve the name to an address. After DNS resolution was disabled with the no ip domain-lookup command, the router immediately responded with the "% Unknown command" message, indicating that no resolution was available.
Some router configurations, such as SSH and VPN, require the router to have a host and a domain name; however, the router does not require these for DNS resolution to function correctly.
BootP is an old protocol that was used to assign addressing information to a diskless workstation and, in many cases, load the operating system on the device. In the 1980s and even the early 1990s, the use of diskless workstations was popular because of cost. Most workstations were UNIX based and cost prohibitive, and the same was true of PCs. To overcome the cost burden, many companies deployed diskless workstations. The term diskless workstation describes what it is?a device without a hard drive, but with all of the other components, such as a monitor, CPU, RAM, a NIC, and so on.
The diskless workstation used the BootP protocol to dynamically acquire an IP address, and, in some instances, its operating system. This is sent as a local broadcast to UDP port 67 (the same as DHCP). To accomplish this, a BootP server had to be configured to assign the IP addressing information as well as any requested files. After the diskless workstation booted up, it accessed a workstation or server to run applications. An X-terminal is an example of a diskless workstation.
Cisco routers can function as BootP servers, offering files in Flash memory to requesting devices. BootP should be disabled on your router for these three reasons:
No one really uses it anymore.
No authentication mechanism is built into it. Anyone can request things from the router, and the router will reply with whatever is configured on it.
It is susceptible to DoS attacks by a hacker.
To disable BootP, use the following configuration:
Router(config)# no ip bootp server
The Dynamic Host Configuration Protocol (DHCP) commonly is used in networks today. It allows a device to acquire all of its IP addressing information from a server, including its IP address, subnet mask, domain name, DNS server addresses, WINS server addresses, TFTP server addresses, and other information. Cisco routers can function as both DHCP clients and DHCP servers.
When using a Cisco router as a perimeter router, the only time you should set it up as a DHCP client is if you are connecting it to an ISP through a DSL or cable modem and your ISP is using DHCP to assign you addressing information. Otherwise, you never should set up your router as a DHCP client; a hacker easily can masquerade as a DHCP server and send your router false information. This can lead to DoS and routing attacks.
Likewise, the only time your router should function as a DHCP server is when you use your router in a SOHO environment, where it is basically the only device in the small network that can assign addresses to PCs. If you do this, make sure that you filter port UDP port 67 on your router's external interface; this blocks both DHCP and BootP requests from external people.
In many Cisco IOS versions, the DHCP server is enabled by default. If you do not use this on the router, disable it with the following configuration:
Router(config)# no service dhcp
This prevents the router from acting as a DHCP server or relay agent.
A packet assembler/disassembler (PAD) is used in X.25 networks to provide reliable connections between remote sites. In today's networks, X.25 has lost a lot of market presence to other protocols, such as frame relay, ATM, ISDN, and even Ethernet in providers' WAN and MAN networks.
However, PAD does serve a useful function to a hacker. Assuming that the hacker can gain control of a directly connected device to the router, and if the router is running the PAD service, it will accept PAD connections from anyone. This give the hacker a foothold into your router, where he can use other attacks to gain EXEC access. To disable this service, use the following command:
Router(config)# no service pad
When Cisco routers boot up, they go through various stages of testing, finding the Cisco IOS, and finding a configuration file before you are presented with a CLI prompt. When the router is booting up, it typically goes through five steps:
When finding a Cisco IOS image, assuming that there are no boot system commands in NVRAM, the router looks for the first valid Cisco IOS image in Flash. If there are no Cisco IOS images in Flash, the router performs a TFTP boot, or network boot; it sends out a local broadcast asking for an operating system file from a TFTP server. If this fails, the router loads the Cisco IOS image in ROM (some routers do not support this third option).
Booting a Cisco IOS image from a TFTP server is not a recommended solution for many reasons, including these:
For larger images, it is a very slow process to load the image.
You have no control over which interfaces the router sends the broadcast out; it does it to all active interfaces.
A hacker can take advantage of this process and send his own Cisco IOS image, one with security weaknesses, to the router?or, he can send an invalid image, preventing the router from booting.
Because TFTP is used for this process, there is no security to protect the load process. Therefore, you should not allow your router to use this function. To prevent this, use the following configuration:
Router(config)# no boot network
After the Cisco IOS image has loaded, the router goes out and finds a configuration file. If there is no configuration file in NVRAM, the router can use the System Configuration dialog box to create one, or use the network configuration option: using TFTP broadcasts to find one. As with finding a Cisco IOS image with a TFTP server, this has security risks:
If your configuration file comes from a TFTP server, it is sent across the network in clear text.
A hacker could act as a TFTP server and send his own configuration file to your router, giving him open access to your network.
Therefore, you should disable this feature by using the following command:
Router(config)# no service config