Vulnerable Router Services and Interfaces


Cisco routers support a large number of network services at layers 2, 3, 4, and 7, as described in the figure. Some of these services are application layer protocols that allow users and host processes to connect to the router. Others are automatic processes and settings intended to support legacy or specialized configurations, and these pose security risks. Many of these services can be restricted or disabled to improve security without degrading the operational use of the router. As a general security practice, a router should support only the traffic and protocols the network actually needs.

Most of the services listed in this section are usually not required. The table in the figure describes general vulnerable router services and lists the best practices associated with those services.
Turning off a network service on the router itself does not prevent the router from supporting a network where that protocol is employed. For example, a network may require TFTP services to back up configuration files and IOS images. This service is typically provided by a dedicated TFTP server. In certain instances, a router could also be configured as a TFTP server, but this is very unusual. Therefore, in most cases the TFTP service on the router should be disabled.
In many cases, Cisco IOS software supports turning a service off entirely, or restricting access to particular network segments or sets of hosts. If a particular portion of a network needs a service but the rest does not, the restriction features should be employed to limit the scope of the service.

Turning off an automatic network feature usually prevents a certain kind of network traffic from being processed by the router, or prevents it from traversing the router. For example, IP source routing is a little-used feature of IP that can be utilized in network attacks. Unless it is required for the network to operate, IP source routing should be disabled.
Note: CDP is leveraged in some IP Phone implementations. This needs to be considered before broadly disabling the service.
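The following IOS configuration is an added example, not part of the course material, showing how the points above translate into commands: disabling automatic features such as IP source routing and the legacy small servers, restricting a service (HTTP) to a management subnet instead of disabling it, and keeping CDP only where IP phones need it. The hostname, interface names, and the 10.1.1.0/24 management subnet are assumptions for illustration.

```cisco
! Added example (not from the course): hardening the general services
! discussed above. Interface names and addresses are assumptions.
!
! --- Weak defaults (enabled but not shown in the running-config) ---
! ip source-route          source-routed packets are forwarded
! cdp run                  CDP advertises the router on every interface
! service tcp-small-servers / service udp-small-servers (older IOS)
!
! --- Hardened configuration ---
configure terminal
!
! IP source routing is rarely needed and can be used in attacks:
! drop source-routed packets instead of forwarding them.
no ip source-route
!
! Legacy diagnostic services (echo, chargen, discard, daytime), finger,
! BOOTP and PAD: turn them off entirely.
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no service pad
!
! CDP: IP phones on the voice VLAN rely on it, so leave "cdp run"
! globally but disable it per interface on the untrusted side.
! (With no phones at all, use "no cdp run" instead.)
interface Serial0/0/0
 description WAN uplink - no neighbor discovery toward the provider
 no cdp enable
exit
!
! Restrict rather than disable: keep the HTTP server reachable from the
! assumed management subnet 10.1.1.0/24 only.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any log
ip http server
ip http access-class 10
!
! Do not make the router a TFTP server: back up to a dedicated TFTP host
! and make sure no "tftp-server" line is present (checked below).
end
!
! --- Checks ---
show running-config | include tftp-server
show running-config | include source-route
show cdp interface
```

The `show running-config | include source-route` check should print `no ip source-route` once the change is in place, and `show cdp interface` lists only the interfaces where CDP is still enabled.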

SNMP, NTP, and DNS Vulnerabilities
The figure describes three management services which should also be secured. The methods for disabling or tuning the configurations for these services are beyond the scope of this course. These services are covered in the CCNP: Implementing Secure Converged Wide-area Network course.
The descriptions and guidelines to secure these services are listed below.
SNMP
SNMP is the standard Internet protocol for automated remote monitoring and administration. There are several different versions of SNMP with different security properties. Versions of SNMP prior to version 3 send community strings and data in clear text, so the community string is effectively a clear-text password. Normally, SNMP version 3 should be used, with authentication and encryption enabled.

NTP
Cisco routers and other hosts use NTP to keep their time-of-day clocks accurate. If possible, network administrators should configure all routers as part of an NTP hierarchy, which makes one router the master time source and provides its time to the other routers on the network. If an NTP hierarchy is not available on the network, you should disable NTP.
Disabling NTP on an interface stops the router from answering NTP on that interface; it does not prevent NTP messages from traversing the router. To reject all NTP messages at a particular interface, use an access list.

DNS
Cisco IOS software supports looking up hostnames with the Domain Name System (DNS). DNS provides the mapping between names, such as central.mydomain.com, and IP addresses, such as 14.2.9.250.
Unfortunately, the basic DNS protocol offers no authentication or integrity assurance. By default, name queries are sent to the broadcast address 255.255.255.255, so any host on the local segment can answer them.
If one or more name servers are available on the network, and it is desirable to use names in Cisco IOS commands, explicitly set the name server addresses using the global configuration command ip name-server address. Otherwise, turn off DNS name resolution with the command no ip domain-lookup. It is also a good idea to give the router a name, using the command hostname name. The name given to the router appears in the prompt.
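The following IOS configuration is an added example, not part of the course material, covering the three management services above: SNMPv3 with authentication and privacy restricted to a management station, NTP with authenticated sources plus the access list that actually blocks NTP at an interface, and DNS with explicit name servers (or no lookups at all). The hostname, user name, keys, addresses and interface names are assumptions for illustration.

```cisco
! Added example (not from the course): securing SNMP, NTP and DNS.
! Names, keys, addresses and interface names are assumptions.
configure terminal
!
! --- SNMP: version 3 with authentication and encryption (authPriv) ---
! Weak (clear-text community string, remove it):
no snmp-server community public
! Hardened: a read-only view, a v3 group bound to it, and a user with
! SHA authentication and AES privacy. Access is limited to the assumed
! management station 10.1.1.50 by standard ACL 20.
access-list 20 permit host 10.1.1.50
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access 20
snmp-server user nms-admin MGMT-GROUP v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
!
! --- NTP: part of a hierarchy, with authenticated time sources ---
ntp authenticate
ntp authentication-key 1 md5 NtpSharedSecret
ntp trusted-key 1
ntp server 10.1.1.10 key 1
!
! "ntp disable" on an interface only stops the router from answering
! NTP there; NTP can still transit the router. To drop all NTP arriving
! on the untrusted interface, apply an extended access list inbound.
ip access-list extended BLOCK-NTP-IN
 deny udp any any eq ntp
 permit ip any any
exit
interface Serial0/0/0
 description WAN uplink
 ntp disable
 ip access-group BLOCK-NTP-IN in
exit
!
! --- DNS: explicit resolvers, or no name resolution at all ---
hostname R1
! Either point the router at known name servers ...
ip domain-name mydomain.com
ip name-server 10.1.1.53 10.1.1.54
! ... or, when names are not needed in IOS commands, disable lookups so
! mistyped commands are not broadcast as DNS queries:
! no ip domain-lookup
end
!
! --- Checks ---
show snmp user
show ntp associations
show ntp status
show hosts
```

`snmp-server user` lines are stored outside the running-config, so `show snmp user` is the way to confirm the v3 user exists; `show ntp associations` should list 10.1.1.10 with the authenticated flag set, and `show hosts` shows the configured name servers.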
