Network Security(Vulnerable Router Services and Interfaces)


Cisco routers support a large number of network services at layers 2, 3, 4, and 7.Some of these services are application layer protocols that allow users and host processes to connect to the router. Others are automatic processes and settings intended to support legacy or specialized configurations that pose security risks. Some of these services can be restricted or disabled to improve security without degrading the operational use of the router. General security practice for routers should be used to support only the traffic and protocols a network needs.
Most of the services listed in this section are usually not required. The table in the figure describes general vulnerable router services and lists best practices associated to those services.
Turning off a network service on the router itself does not prevent it from supporting a network where that protocol is employed. For example, a network may require TFTP services to backup configuration files and IOS images. This service is typically provided by a dedicated TFTP server. In certain instances, a router could also be configured as a TFTP server. However, this is very unusual. Therefore, in most cases the TFTP service on the router should be disabled.

In many cases, Cisco IOS software supports turning a service off entirely, or restricting access to particular network segments or sets of hosts. If a particular portion of a network needs a service but the rest does not, the restriction features should be employed to limit the scope of the service.
Turning off an automatic network feature usually prevents a certain kind of network traffic from being processed by the router, or prevents it from traversing the router. For example, IP source routing is a little-used feature of IP that can be utilized in network attacks. Unless it is required for the network to operate, IP source routing should be disabled.
Note: CDP is leveraged in some IP Phone implementations. This needs to be considered before broadly disabling the service.
There are a variety of commands that are required to disable services. The show running-config output in the figure provides a sample configuration of various services which has been disabled.
Services which should typically be disabled are listed below. These include:

Small services such as echo, discard, and chargen - Use the no service tcp-small-servers or no service udp-small-servers command.
BOOTP - Use the no ip bootp server command.
Finger - Use the no service finger command.
HTTP - Use the no ip http server command.
SNMP - Use the no snmp-server command.
It is also important to disable services that allow certain packets to pass through the router, send special packets, or are used for remote router configuration. The corresponding commands to disable these services are:
Cisco Discovery Protocol (CDP) - Use the no cdp run command.
Remote configuration - Use the no service config command.
Source routing - Use the no ip source-route command.
Classless routing - Use the no ip classless command.
The interfaces on the router can be made more secure by using certain commands in interface configuration mode:
Unused interfaces - Use the shutdown command.
No SMURF attacks - Use the no ip directed-broadcast command.
Ad hoc routing - Use the no ip proxy-arp command.

SNMP, NTP, and DNS Vulnerabilities
The figure describes three management services which should also be secured. The methods for disabling or tuning the configurations for these services are beyond the scope of this course. These services are covered in the CCNP: Implementing Secure Converged Wide-area Network course.
The descriptions and guidelines to secure these services are listed below.
SNMP
SNMP is the standard Internet protocol for automated remote monitoring and administration. There are several different versions of SNMP with different security properties. Versions of SNMP prior to version 3 shuttle information in clear text. Normally, SNMP version 3 should be used.

NTP
Cisco routers and other hosts use NTP to keep their time-of-day clocks accurate. If possible, network administrators should configure all routers as part of an NTP hierarchy, which makes one router the master timer and provides its time to other routers on the network. If an NTP hierarchy is not available on the network, you should disable NTP.
Disabling NTP on an interface does not prevent NTP messages from traversing the router. To reject all NTP messages at a particular interface, use an access list.

DNS
Cisco IOS software supports looking up hostnames with the Domain Name System (DNS). DNS provides the mapping between names, such as central.mydomain.com to IP addresses, such as 14.2.9.250.
Unfortunately, the basic DNS protocol offers no authentication or integrity assurance. By default, name queries are sent to the broadcast address 255.255.255.255.
If one or more name servers are available on the network, and it is desirable to use names in Cisco IOS commands, explicitly set the name server addresses using the global configuration command ip name-serveraddresses. Otherwise, turn off DNS name resolution with the command no ip domain-lookup. It is also a good idea to give the router a name, using the command hostname. The name given to the router appears in the prompt.

0 comments:

Post a Comment

 

NBA Live Streaming. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com | Distributed by Blogger Templates Blog