Scribd Logo
Upload

Welcome to Scribd!

  • Cisco - Asegurando Router Old Services

    Uploaded by

    Fabian Molina Azocar
    36 views5 pages
    Tutorial: disable unneeded, legacy, insecure protocols on a Cisco perimeter router. Disable ICMP messages on the interfaces; Disable Multicast Route Caching. Disabling http access is one of the best ways to root a Cisco router / switch.

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Tutorial: disable unneeded, legacy, insecure protocols on a Cisco perimeter router. Disable ICMP messages on the interfaces; Disable Multicast Route Caching. Disabling http access is one of the best ways to root a Cisco router / switch.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    36 views5 pages

    Cisco - Asegurando Router Old Services

    Uploaded by

    Fabian Molina Azocar
    Tutorial: disable unneeded, legacy, insecure protocols on a Cisco perimeter router. Disable ICMP messages on the interfaces; Disable Multicast Route Caching. Disabling http access is one of the best ways to root a Cisco router / switch.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 5

    Chrisserafin.

    com; in addition to monitoring Cisco's vulnerabilities and exploits; wishes to


    provide simple, no nonsense, quick tutorials to get the job done. In the world of Cisco,
    there are varying degrees of Cisco knowledge out in the IT world. Some people are
    CCIE's; some people manage 1 Cisco router for their organization.

    Tutorial: How to secure / disable unneeded, legacy, insecure protocols


    on a Cisco perimeter router.

    Objective:
    • Disable old services
    • Disable / configure insecure services – old protocols can become a
    hazard and an added threat to your infrastructure's compromise

    Steps:
    1. Disable ICMP messages on the interfaces
    2. Disable Multicast Route Caching
    3. Disable Cisco Discovery Protocol
    4. Disable / control HTTP access
    5. Disable / control SNMP access
    6. Disable Small Services
    7. The QUICK N DIRTY Script

    1. Disable ICMP messages on the router interfaces


    Disable the automatic generation of ICMP, or ping, messages to
    untrusted or public networks. By default, ICMP automatically
    generates Redirect, Host Unreachable, and Mask Reply message.
    Intruders can intercept these messages and expose the network
    topology. Enter the following commands to disable these ICMP
    messages:

    Commands, done in interface config mode:


    No ip redirects
    No ip unreachables
    No ip mask-reply

    2. Disable Multicast Route Caching


    Disable multicast route caching on the outside interface by entering
    the following command.

    Commands, done in interface config mode:


    no ip mroute-cache

    3. Disable Cisco Discovery Protocol


    Cisco Discovery Protocol leaks a ton of information when it
    broadcasts packets out. Don’t disable this service if you are running a
    Cisco VoIP network, as the phones and switches communicate via
    CDP.

    Commands, done in interface config mode:


    No cdp enable

    4. Disable / control HTTP access


    Controlling HTTP access is of utmost importance, as it is one of the
    best ways to root a Cisco router/switch.

    To completely shut off the HTTP server:


    router(config)# No ip http server
    router(config)# No ip http secure-server

    To limit access to HTTP server:


    router(config)# Ip http server
    router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
    <192.168.1.0 = allowed address>
    router(config)# ip http access-class 1

    Other HTTP server and secure-server commands:

    router(config)#ip http ?
    access-class Restrict http server access by access-class
    authentication Set http server authentication method
    client Set http client parameters
    max-connections Set maximum number of concurrent http server
    connections
    path Set base path for HTML
    port Set http server port
    secure-ciphersuite Set http secure server ciphersuite
    secure-client-auth Set http secure server with client
    authentication
    secure-port Set http secure server port number for listening
    secure-server Enable HTTP secure server
    secure-trustpoint Set http secure server certificate trustpoint
    server Enable http server
    timeout-policy Set http server time-out policy parameters

    5. Disable / control SNMP


    Outside of enabling HTTP on the router, hacking SNMP is also one of
    the best ways to root a Cisco router/switch. SNMP runs on port 161
    UDP, and should not be considered secure unless using SNMPv3;
    which uses authentication and encryption. You should never let
    SNMP, syslog, or telnet traffic traverse the Internet, unless over VPN.
    Configuring SNMP will be a separate lab.

    router(config)# No snmp-server

    Useful show / debug SNMP commands:


    router# Show snmp

    6. Disabling Small Services


    Most routers support a multitude of small services that may or may
    not be needed or used by an organization. These small services should
    be disabled, unless specifically needed. Most of these are legacy
    services, although CDP and NTP are still important.

    router(config)# No service tcp-small-servers


    router(config)# No service udp-small-servers
    router(config)# No service finger
    router(config)# No ntp
    router(config)# No cdp run

    7. The Quick N Dirty Script


    Here is a Quick script you can use to blast through the configs, just
    edit the sample below to your network's specifics. Done in configure
    terminal mode:
    !Under each interface:
    No ip redirects
    No ip unreachables
    No ip mask-reply
    no ip mroute-cache
    No cdp enable

    !To disable HTTP/s all together - Under config t mode :


    No ip http server
    No ip http secure-server

    !To enable HTTP/s - Under config t mode :


    Ip http server
    access-list 1 permit 192.168.1.0 0.0.0.255|<192.168.1.0 = allowed
    address>
    ip http access-class 1

    !Disable SNMP all together :


    no snmp-server

    !Disable Bullshit Services :


    No service tcp-small-servers
    No service udp-small-servers
    No service finger
    No ntp
    No cdp run

    You might also like