Welcome to my website!

Through my own company RMCS I work as a freelancer in ICT, mainly on everything in the area of system and network administration.

Everything to do with Windows Server, Cisco, Linux, security and wireless is my great passion. Think of setting up new networks, but also of training staff to keep their knowledge up to date.

For an overview of what I can do for you, I invite you to look under the menu item "Diensten" (Services). Under my "Blog" you will find everything I am currently working on.

René Molenaar
MCSE / CCNA / CCNP / CCSI / CWNA / CWSP / CTT

I found a nice little overview of some IOS features that are available on a Cisco router. Some of them are enabled by default and are a possible security risk, so it's a good idea to check them out and perhaps disable them on your network!

  1. CDP: We all know CDP, the Cisco Discovery Protocol. It's a layer 2 protocol that will tell you all the information about your neighboring devices: IP address, hardware, IOS version and so on. If you don't use it, disable it.
  2. TCP small servers: Some standard TCP network services like echo; disable them.
  3. UDP small servers: Same, but for UDP; disable them.
  4. Finger: User lookup service, originally for Unix. Can be used remotely to list logged-in users. Nobody needs to know this kind of information remotely...
  5. HTTP server: Very nice in a lab (www.gns3vault.com) but not a good idea in a production environment.
  6. BOOTP server: Allows other routers to boot from this router, hardly ever used...
  7. Configuration auto-loading: Your router will try to load its configuration from a TFTP server at boot. I've only used this once so my regular 2600s could boot the XM image in a lab; not going to use it in production.
  8. PAD service: The router will support X.25; not going to use it.
  9. IP source routing: Allows the creator of an IP packet to choose the route; you don't want this.
  10. Proxy ARP: Your router will answer (proxy) for layer 2 ARP requests; don't use this.
  11. IP directed broadcasts: Allows you to send packets to the broadcast address of another subnet, which allows "smurf attacks". Used for DoS attacks, so disable this.
  12. IP unreachable notifications: Your router will notify a sender of incorrect IP addresses, which gives away information.
  13. IP mask reply: The router will send the subnet mask of an interface in response to an ICMP mask request, which gives away information.
  14. IP redirects: Your router will send an ICMP redirect in response to certain routed IP packets, pointing the sender at a better next hop.
  15. Maintenance Operation Protocol (MOP): Old management protocol, part of DECnet.
  16. NTP service: Your router can become a time server, which is perhaps not needed.
  17. SNMP: If you don't use SNMP, I'd suggest disabling or blocking it.
  18. DNS: Routers can perform DNS lookups; if you don't use this, I'd disable it.
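As an added example (not part of the original post), here is a small Python audit that reads a saved `show running-config` and reports which of the services listed above are not explicitly disabled. It assumes IOS prints the `no ...` form only for services you turned off, which holds for services that default to on; defaults and exact command spelling vary by IOS version, so adjust the two tables to what your platform prints. The sample config is constructed.

```python
# Added audit helper, not from the post. Assumes IOS prints the "no ..." form
# only for services explicitly disabled (true for services that default to
# on; defaults and spelling vary by IOS version, adjust the tables as needed).
GLOBAL = {  # service -> global command a hardened config shows
    "CDP": "no cdp run", "Finger": "no ip finger", "PAD": "no service pad",
    "TCP small servers": "no service tcp-small-servers",
    "UDP small servers": "no service udp-small-servers",
    "HTTP server": "no ip http server", "BOOTP server": "no ip bootp server",
    "Config auto-loading": "no service config", "DNS lookups": "no ip domain lookup",
    "IP source routing": "no ip source-route",
}
PER_INTERFACE = {  # service -> command expected under every interface stanza
    "Proxy ARP": "no ip proxy-arp", "Directed broadcast": "no ip directed-broadcast",
    "ICMP unreachables": "no ip unreachables", "ICMP mask reply": "no ip mask-reply",
    "ICMP redirects": "no ip redirects", "MOP": "no mop enabled", "NTP": "ntp disable",
}

def audit_config(text):
    # Returns one finding string per service the config leaves enabled.
    globals_, stanzas, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and current:        # indented: inside a stanza
            stanzas[current].append(line)
        elif line.startswith("interface "):        # start of a new stanza
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        else:                                      # "!" or another global line
            current = None
            globals_.add(line)
    found = [f"global: {n} not disabled ({c!r} missing)"
             for n, c in GLOBAL.items() if c not in globals_]
    if any(g.startswith("snmp-server community") for g in globals_):
        found.append("global: SNMP community string configured")
    for ifname, lines in stanzas.items():
        found += [f"{ifname}: {n} not disabled ({c!r} missing)"
                  for n, c in PER_INTERFACE.items() if c not in lines]
    return found

# Constructed sample running-config with only partial hardening applied.
SAMPLE = """no service tcp-small-servers
no cdp run
ip http server
snmp-server community public RO
!
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
!
"""
print("\n".join(audit_config(SAMPLE)))   # 14 findings for this sample
```

Run it against a config exported with `show running-config` and work through the findings; an empty finding list means every service in the tables has an explicit disable statement.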

Is there anything else that you miss in this list? Please let me know!

Good luck securing your routers!
