
Chrisserafin.com, in addition to monitoring Cisco's vulnerabilities and exploits, wishes to provide simple, no-nonsense, quick tutorials to get the job done. In the world of Cisco, there are varying degrees of Cisco knowledge out in the IT world. Some people are CCIEs; some people manage one Cisco router for their organization.

Tutorial: How to secure / disable unneeded, legacy, insecure protocols on a Cisco perimeter router.

Objective:
• Disable old services
• Disable / configure insecure services: old protocols are a hazard and an added avenue for compromising your infrastructure

Steps:
1. Disable ICMP messages on the interfaces
2. Disable Multicast Route Caching
3. Disable Cisco Discovery Protocol
4. Disable / control HTTP access
5. Disable / control SNMP access
6. Disable Small Services
7. The QUICK N DIRTY Script

1. Disable ICMP messages on the router interfaces


Disable the automatic generation of ICMP, or ping, messages to untrusted or public networks. By default, the router automatically generates ICMP Redirect, Host Unreachable, and Mask Reply messages. Intruders can intercept these messages and use them to expose the network topology. Enter the following commands to disable these ICMP messages:

Commands, done in interface config mode:

router(config-if)# no ip redirects
router(config-if)# no ip unreachables
router(config-if)# no ip mask-reply

2. Disable Multicast Route Caching


Disable multicast route caching on the outside interface by entering the following command.

Commands, done in interface config mode:

router(config-if)# no ip mroute-cache

3. Disable Cisco Discovery Protocol


Cisco Discovery Protocol leaks a great deal of information in the packets it broadcasts. Don't disable this service if you are running a Cisco VoIP network, as the phones and switches communicate via CDP.

Commands, done in interface config mode:

router(config-if)# no cdp enable

4. Disable / control HTTP access


Controlling HTTP access is of utmost importance, as the HTTP server is one of the most common ways a Cisco router/switch gets compromised.

To completely shut off the HTTP server:

router(config)# no ip http server
router(config)# no ip http secure-server

To limit access to the HTTP server:

router(config)# ip http server
router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
(192.168.1.0 0.0.0.255 = allowed address range)
router(config)# ip http access-class 1

Other HTTP server and secure-server commands:

router(config)# ip http ?
  access-class         Restrict http server access by access-class
  authentication       Set http server authentication method
  client               Set http client parameters
  max-connections      Set maximum number of concurrent http server connections
  path                 Set base path for HTML
  port                 Set http server port
  secure-ciphersuite   Set http secure server ciphersuite
  secure-client-auth   Set http secure server with client authentication
  secure-port          Set http secure server port number for listening
  secure-server        Enable HTTP secure server
  secure-trustpoint    Set http secure server certificate trustpoint
  server               Enable http server
  timeout-policy       Set http server time-out policy parameters

5. Disable / control SNMP


Besides the HTTP server, SNMP is one of the most common ways a Cisco router/switch gets compromised. SNMP runs on UDP port 161 and should not be considered secure unless you use SNMPv3, which adds authentication and encryption. Never let SNMP, syslog, or telnet traffic traverse the Internet except over a VPN. Configuring SNMP will be a separate lab.

router(config)# no snmp-server

Useful show / debug SNMP commands:

router# show snmp

6. Disable Small Services

Most routers support a multitude of small services that may or may not be needed or used by an organization. These small services should be disabled unless specifically needed. Most of these are legacy services, although CDP and NTP are still important.

router(config)# no service tcp-small-servers
router(config)# no service udp-small-servers
router(config)# no service finger
router(config)# no ntp
router(config)# no cdp run

7. The Quick N Dirty Script

Here is a quick script you can use to blast through the configs; just edit the sample below to your network's specifics. Done in configure terminal mode:

! Under each interface:
no ip redirects
no ip unreachables
no ip mask-reply
no ip mroute-cache
no cdp enable

! To disable HTTP/S altogether - under config t mode:
no ip http server
no ip http secure-server

! To enable HTTP/S with restricted access - under config t mode:
ip http server
access-list 1 permit 192.168.1.0 0.0.0.255
! 192.168.1.0 0.0.0.255 = allowed address range
ip http access-class 1

! Disable SNMP altogether:
no snmp-server

! Disable Bullshit Services:
no service tcp-small-servers
no service udp-small-servers
no service finger
no ntp
no cdp run
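As an added check that is not part of this tutorial, the Python script below audits a saved IOS configuration for the lines the sections above add, both globally and under every interface, so you can verify the script was applied everywhere. It assumes the text was captured with `show running-config all` (so that default-valued settings, which a plain `show running-config` omits, appear) and the interface names and SNMP community in the sample are constructed.

```python
# Global lines this tutorial expects (sections 4-6); a surviving snmp-server line fails section 5.
GLOBAL_REQUIRED = ("no ip http server", "no ip http secure-server",
                   "no service tcp-small-servers", "no service udp-small-servers",
                   "no service finger", "no cdp run")
# Lines expected under every interface that faces an untrusted network (sections 1-3).
INTERFACE_REQUIRED = ("no ip redirects", "no ip unreachables", "no ip mask-reply",
                      "no ip mroute-cache", "no cdp enable")

def parse_config(text):
    """Return (global_lines, {interface: sub-command lines}); a '!' line ends an interface block."""
    global_lines, interfaces, current = set(), {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            current = None                      # '!' closes the interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip().lower())   # IOS indents sub-commands
        else:
            current = None
            global_lines.add(line.strip().lower())
    return global_lines, interfaces

def audit(text):
    """Return sorted findings; an empty list means the config matches the tutorial."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in global_lines]
    findings += [f"global: SNMP still configured: '{l}'"
                 for l in global_lines if l.startswith("snmp-server ")]
    for name, lines in interfaces.items():
        findings += [f"{name}: missing '{c}'" for c in INTERFACE_REQUIRED if c not in lines]
    return sorted(findings)

# Constructed sample: outside interface hardened, inside interface untouched, SNMP left on.
SAMPLE_CONFIG = """\
no ip http server
snmp-server community public RO
!
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip mroute-cache
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
"""
```

Running `audit(SAMPLE_CONFIG)` reports the five global lines that are absent, the leftover SNMP community, and the five interface lines GigabitEthernet0/1 is missing, while the hardened GigabitEthernet0/0 produces no findings.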