Disabling Unneeded Services
Step 1: Configure the Physical Interface
Because this lab uses only one router, you will simulate an active FastEthernet connection by activating the interface and applying the no keepalive command to initiate an “always up” state, regardless of the existence of a device at the remote end. Normally, you would not use the no keepalive command on a routed interface, except in special circumstances. In this lab, you will use it only for simulation purposes.
Configure the R1 physical interface using the IP address shown in the topology diagram. Use the no keepalive command in interface configuration mode, and then use the no shutdown command to activate the interface. Because you have disabled keepalives, the interface displays its link state (Layer 1) and line protocol state (Layer 2) as “up,” even if it is not connected to an external device.
R1(config)# interface fastethernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no keepalive
R1(config-if)# no shutdown
Step 2: Ensure Services Are Disabled
Some services are disabled by default on more recent Cisco IOS releases, so you do not necessarily have to disable them. However, it is helpful to know the commands in case they are enabled and affect security, and they are especially useful on older IOS releases, where more of these services are on by default.
The no ip finger command replaces the no service finger command. Both disable the finger service, which allows remote users or systems to identify users connected to the local router’s terminal lines or who have active running processes.
R1(config)# no ip finger
How could the enabling of the finger service pose a security risk?
The no service udp-small-servers and no service tcp-small-servers commands disable UDP and TCP small servers, such as echo and discard. The small servers are not needed in most environments.
R1(config)# no service udp-small-servers
R1(config)# no service tcp-small-servers
The TCP and UDP small servers are enabled by default on Cisco IOS Release 11.2 and earlier. They are disabled by default on Cisco IOS Release 11.3 and later.
It is recommended that you do not enable these services, unless it is absolutely necessary. These services could be exploited indirectly to gain information about the target system, or exploited directly with a fraggle attack, which uses UDP echo.[1] Also, if a sender transmits a volume of fake requests for UDP diagnostic services on the router, the requests could consume all CPU resources.
Step 3: Manage Router Access
Name two popular TCP protocols that network administrators use to manage network devices.
Recall that such management applications as telnet and SSH connect to the vty port on a router. A Cisco router has five vtys configured by default, numbered 0 through 4, to which users connect to access the command-line interface. When one vty is in use, the next vty port is used. If all vty ports are being used, other users cannot connect to the device in this way.
Describe how individuals with malicious intent could exploit vty port functionality.
Describe at least two ways to prevent these type of attacks from occurring.
Enabling TCP keepalives causes the router to generate periodic keepalive messages, letting it detect and drop broken Telnet connections. This frees up hung Telnet sessions. It also makes the router more secure, because a hung session that is never cleared ties up a vty line and gives an attacker a session to exploit. To enable TCP keepalive packets on idle connections, use the service tcp-keepalives-in and service tcp-keepalives-out commands in global configuration mode.
R1(config)# service tcp-keepalives-in
R1(config)# service tcp-keepalives-out
Step 4: Disable CDP
Cisco Discovery Protocol (CDP) is a great troubleshooting tool, especially on poorly documented networks. However, it can also leave your network susceptible to reconnaissance attacks.
CDP is used for some network management functions, but is dangerous because it allows any system on a directly connected segment to learn that the router is a Cisco device, and to determine the model number and the Cisco IOS software version being run. This reconnaissance information can be used to design attacks against the router.
To disable the CDP service globally, use the no cdp run command in global configuration mode. To disable CDP on a per-interface basis, issue the no cdp enable command in interface configuration mode.
R1(config)# no cdp run
Step 5: Disable Other Unused Services
Disable the packet assembler/disassembler (PAD) on the router by using the no service pad command in global configuration mode. PAD translates between packets and character streams in legacy networks. You should not need this service in most current IP networks.
R1(config)# no service pad
The BOOTP service is used in networks that have a centralized Cisco IOS software deployment: one router can serve its operating system image to other routers. However, the BOOTP service is seldom used, and it gives an attacker an opportunity to steal a Cisco IOS image. Therefore, in most situations, you should disable it using the following command:
R1(config)# no ip bootp server
Recent Cisco IOS software releases use the Hypertext Transfer Protocol (HTTP) to support remote configuration and monitoring. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for router management across the public Internet.
If you choose to use HTTP for router management, use the ip http access-class command to restrict access by IP address. You should also use the ip http authentication method command to configure authentication. As with interactive logins, the best choice for HTTP authentication is a TACACS+ or RADIUS server.[2]
In the following example, you choose not to use the IOS web interface. Disable the Cisco IOS HTTP server with the no ip http server command in global configuration mode.
R1(config)# no ip http server
The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that a datagram takes toward its ultimate destination, and generally the route that any reply takes. These options are rarely used for legitimate purposes in real networks. Some older IP implementations do not process source-routed packets properly, and it is possible to send them datagrams with source routing options in order to crash machines that run these implementations. The no ip source-route command discards packets that contain source routing information. You can disable this if a network is not using source-routing information.
R1(config)# no ip source-route
Gratuitous Address Resolution Protocols (ARPs) are unsolicited ARP requests and replies that can be generated for several reasons, such as when detecting IP address conflicts or updating ARP tables after an address change. However, attackers can use these packets to spoof a valid network device; for example, an attacker could send out a packet that claims to be the default router. If you choose to do so, you can disable Gratuitous ARP with the global configuration command no ip gratuitous-arps.
R1(config)# no ip gratuitous-arps
Step 6: Disable Unneeded Interface Services
Some commands are used on a per-interface basis to mitigate certain types of attacks or reconnaissance. Issue the following commands on the R1 FastEthernet0/0 interface.
The no ip redirects command disables IP redirects so that the router does not send ICMP redirect messages. A router sends a redirect when it forwards a packet out the same interface on which the packet arrived; the message tells the sender to forward future packets directly to the next hop the router would have used.
R1(config)# interface fastethernet0/0
R1(config-if)# no ip redirects
The no ip proxy-arp command disables proxy ARP on the interface. With proxy ARP enabled, the router answers ARP requests for addresses on remote subnets with its own MAC address and takes responsibility for getting those packets to their destination; disabling it stops the router from answering for hosts it does not own.
R1(config-if)# no ip proxy-arp
The no ip unreachables command prevents the router from sending Internet Control Message Protocol (ICMP) unreachable messages when it has not learned a route to a destination. Normally, these are helpful for troubleshooting, but they can also be involved in reconnaissance or DoS attacks.
R1(config-if)# no ip unreachables
Similarly, directed broadcasts can be used in reconnaissance and DoS attacks. You can prevent this by using the no ip directed-broadcast command. Although directed broadcasts are disabled by default in recent Cisco IOS releases, this command is included in the lab because it is a significant security point. This command makes the router discard packets whose destination address is the broadcast address of a specific network. Such packets can be used in a DoS attack: if an attacker at 192.168.1.1 wants to attack a host at 192.168.2.2, the attacker sends an ICMP echo request to 192.168.3.255 with a spoofed source address of 192.168.2.2. Every host in the 192.168.3.0/24 subnet responds to the echo request and directs its reply to the spoofed source, so the victim receives the whole subnet’s replies.
R1(config-if)# no ip directed-broadcast
Unnecessary ICMP messages can be sent in response to ICMP mask request messages. Use the no ip mask-reply command to disable ICMP mask reply messages.
R1(config-if)# no ip mask-reply
Maintenance Operation Protocol (MOP) is an old DECnet protocol that is not needed on most current IP networks. To disable it, issue the no mop enabled command. MOP is enabled by default on Ethernet interfaces only.
R1(config-if)# no mop enabled
Final Configuration
R1#show run
service tcp-keepalives-in
service tcp-keepalives-out
!
hostname R1
!
no ip source-route
no ip gratuitous-arps
!
no ip bootp server
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no keepalive
 no mop enabled
 no shutdown
!
no ip http server
!
no cdp run
end
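The commands in Steps 2 through 6 are easy to miss on a router that someone else configured. The following Python script is an added example, not part of the lab and not a Cisco tool: it parses the text of show running-config and reports, for each service this lab disables, whether the “no” form is present, whether the positive form is present (the service is definitely on), or whether the configuration is silent. The silent case matters because IOS omits default settings from show run; on releases that support it, show running-config all displays them. The embedded configuration is constructed for the example: it is the lab’s final configuration with no cdp run removed, ip http server left on, and a second interface that was never hardened.

```python
# Added example: audit a Cisco IOS running-config for the services this lab
# disables. Not part of the original lab; the config text is constructed.
from typing import Dict, List, Tuple

# Global statements from Steps 2-5. True: the positive form must be present.
# False: the service must be off, i.e. its "no" form present.
GLOBAL_CHECKS: Dict[str, bool] = {
    "service tcp-keepalives-in": True,
    "service tcp-keepalives-out": True,
    "ip finger": False,
    "service udp-small-servers": False,
    "service tcp-small-servers": False,
    "cdp run": False,
    "service pad": False,
    "ip bootp server": False,
    "ip http server": False,
    "ip source-route": False,
    "ip gratuitous-arps": False,
}

# Per-interface statements from Step 6; every one is an "off" check.
INTERFACE_CHECKS: List[str] = [
    "ip redirects", "ip proxy-arp", "ip unreachables",
    "ip directed-broadcast", "ip mask-reply", "mop enabled",
]

# Constructed sample: the lab's final config, minus 'no cdp run', with
# 'ip http server' enabled and an unhardened FastEthernet0/1.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
service tcp-keepalives-out
!
hostname R1
!
no ip source-route
no ip gratuitous-arps
no ip bootp server
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no keepalive
 no mop enabled
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
ip http server
!
end
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and per-interface sub-command lists.
    IOS indents sub-commands by one space, but copied configs often lose
    that, so an interface block is taken to end at the next '!' line."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def off_state(lines: List[str], cmd: str) -> str:
    """'disabled' if 'no <cmd>' is present, 'ENABLED' if <cmd> itself is,
    otherwise 'unset' (the config is silent, so the IOS default applies)."""
    if "no " + cmd in lines:
        return "disabled"
    if cmd in lines:
        return "ENABLED"
    return "unset"


def audit(text: str) -> Dict[str, dict]:
    global_lines, interfaces = parse_config(text)
    report: Dict[str, dict] = {"global": {}, "interfaces": {}}
    for cmd, want_on in GLOBAL_CHECKS.items():
        if want_on:
            report["global"][cmd] = "enabled" if cmd in global_lines else "MISSING"
        else:
            report["global"][cmd] = off_state(global_lines, cmd)
    for name, lines in interfaces.items():
        report["interfaces"][name] = {c: off_state(lines, c) for c in INTERFACE_CHECKS}
    return report


def findings(report: Dict[str, dict]) -> Tuple[List[str], List[str]]:
    """Split the report into definite problems and items to verify by hand."""
    definite: List[str] = []
    verify: List[str] = []
    for cmd, st in report["global"].items():
        if st in ("ENABLED", "MISSING"):
            definite.append(f"global: {cmd} is {st}")
        elif st == "unset":
            verify.append(f"global: {cmd} not explicitly disabled")
    for name, checks in report["interfaces"].items():
        for cmd, st in checks.items():
            if st == "ENABLED":
                definite.append(f"{name}: {cmd} is ENABLED")
            elif st == "unset":
                verify.append(f"{name}: {cmd} not explicitly disabled")
    return definite, verify


if __name__ == "__main__":
    definite, verify = findings(audit(SAMPLE_CONFIG))
    print("Definite problems:", *definite, sep="\n  ")
    print("Verify against IOS defaults:", *verify, sep="\n  ")
```

On the sample config the only definite finding is the HTTP server; everything else the lab disables is either set or reported as “not explicitly disabled”, which is exactly the list to check against the release’s defaults (for example, proxy ARP and ICMP redirects are on unless the interface says otherwise, while the small servers are off on 11.3 and later). Feed the script the output of show running-config all instead of show running-config and the “unset” list collapses to the items that are genuinely at their default.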
Log messages appear on the router console as well as in the Kiwi Syslog Daemon Manager. These messages are generated because of the logging userinfo command you issued earlier.
R1# disable
*Mar 30 08:42:26.474: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console
R1> enable
*Mar 30 08:42:29.686: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
R1#
Figure 5-2: User Information Log Messages from R1
Why is it better to have centralized logging servers rather than only having the routers log locally?
Step 6: Configure Buffered Logging
In cases where you have a small network and do not have a centralized logging server, you may consider buffering logs in a local memory buffer. The commands mirror those used for the syslog server.
Issue the logging buffered [bytes] [severity-level] command on R1 to begin buffering to the local buffer. Use the informational level and set the buffer size to 32 KB. Exit global configuration mode, which generates a log message.
R1(config)# logging buffered 32768 informational
R1(config)# exit
R1#
*Mar 30 14:44:56.968: %SYS-5-CONFIG_I: Configured from console by console
Issue the show logging command to get general information about the buffer and view the buffer log.
R1# show logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 54 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level informational, 1 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
No active filter modules.
Trap logging: level informational, 58 message lines logged
Logging to 192.168.10.50(global) (udp port 514, audit disabled, link up), 6 message lines logged, xml disabled,
filtering disabled
Log Buffer (32768 bytes):
*Mar 30 14:44:56.968: %SYS-5-CONFIG_I: Configured from console by console
Exit privileged EXEC mode and then reenter it. This generates some user information messages that are saved to the memory buffer.
R1# disable
*Mar 30 14:45:22.272: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console
R1> enable
R1#
*Mar 30 14:45:23.200: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
Display the contents of the internal buffer again with the show logging command.
R1# show logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 56 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level informational, 3 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
No active filter modules.
Trap logging: level informational, 60 message lines logged
Logging to 192.168.10.50(global) (udp port 514, audit disabled, link up), 8 message lines logged, xml disabled,
filtering disabled
Log Buffer (32768 bytes):
*Mar 30 14:44:56.968: %SYS-5-CONFIG_I: Configured from console by console
*Mar 30 14:45:22.272: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console
*Mar 30 14:45:23.200: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
Final Configuration
R1# show run
!
hostname R1
!
logging userinfo
logging buffered 32768 informational
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
logging 192.168.10.50
!
end
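The buffered and syslog output above is only useful if something reads it. The following Python script is an added example, not part of the lab: it parses IOS log lines of the form shown above into facility, severity, mnemonic and text, flags every %SYS-5-PRIV_AUTH_PASS that reaches privilege level 15 (with the user, line and source address when logging userinfo records one), and lists configuration changes that did not come from the console. The first three sample lines are the lab’s own buffer contents; the two vty lines are constructed in the same format, and the username, vty number and address in them are assumed. It also shows why the buffer level matters: the same level-5 messages pass an informational (6) threshold but would be dropped at warnings (4).

```python
# Added example: parse Cisco IOS log lines and pick out privilege changes and
# remote configuration changes. Not part of the original lab.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cisco syslog levels; a destination set to a level records that severity or lower.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample: three lines from the lab's buffer plus two assumed vty
# lines (user 'admin', vty0, 192.168.10.99 are made up for the example).
SAMPLE_LOG = """\
*Mar 30 14:44:56.968: %SYS-5-CONFIG_I: Configured from console by console
*Mar 30 14:45:22.272: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console
*Mar 30 14:45:23.200: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
*Mar 30 14:51:02.113: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by admin on vty0 (192.168.10.99)
*Mar 30 14:52:40.551: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.10.99)
"""

# "*Mar 30 14:44:56.968: %SYS-5-CONFIG_I: text" -> timestamp, facility, severity, mnemonic, text
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Body of PRIV_AUTH_PASS; the "(address)" suffix is only present for remote lines.
PRIV_RE = re.compile(
    r"Privilege level set to (?P<level>\d+) by (?P<user>\S+) on (?P<line>\S+)"
    r"(?: \((?P<src>[^)]+)\))?"
)


@dataclass
class Event:
    ts: str
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def parse_log(text: str) -> List[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def passes_level(event: Event, level: str) -> bool:
    """True if a logging destination configured at `level` would record this event."""
    return event.severity <= SEVERITY[level]


def privilege_escalations(events: List[Event], threshold: int = 15
                          ) -> List[Tuple[str, str, str, Optional[str]]]:
    """(timestamp, user, line, source) for each PRIV_AUTH_PASS reaching >= threshold."""
    hits = []
    for e in events:
        if e.mnemonic != "PRIV_AUTH_PASS":
            continue
        m = PRIV_RE.search(e.text)
        if m and int(m["level"]) >= threshold:
            hits.append((e.ts, m["user"], m["line"], m["src"]))
    return hits


def remote_config_changes(events: List[Event]) -> List[Event]:
    """CONFIG_I events whose originating line is not the console."""
    return [e for e in events
            if e.mnemonic == "CONFIG_I" and not e.text.endswith("by console")]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, user, line, src in privilege_escalations(evs):
        print(f"{ts}: {user} reached level 15 on {line}" + (f" from {src}" if src else ""))
    for e in remote_config_changes(evs):
        print(f"{e.ts}: remote config change: {e.text}")
```

Run against a syslog server’s archive rather than the router’s buffer, this is the kind of check the centralized-logging question above is getting at: an attacker with enable access can clear the local buffer, but not the copy already sent to 192.168.10.50.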