Chapter 18: Cisco Device Hardening
Potential Vulnerabilities
Unnecessary Services and Interfaces
- Disable unused interfaces (interface: shutdown)
- Disable BOOTP server (global: no ip bootp server)
- Disable CDP (global: no cdp run; where some ports still need it, e.g. for IP phones, leave it running globally and use no cdp enable on the other interfaces instead)
- Disable automatic configuration download (global: no service config) (disabled by default)
- Disable FTP server (global: no ftp-server enable) (disabled by default)
- Disable TFTP server (global: no tftp-server <file> for each served file) (disabled by default)
- Disable PAD (global: no service pad)
- Disable minor TCP and UDP services (global: no service tcp-small-servers and no service udp-small-servers) (disabled by default on current releases)
- Disable MOP (interface: no mop enabled) (disabled by default)
Common Management Services
- Disable SNMP if not used (global: no snmp-server); if it is needed, use SNMPv3 with authentication and privacy and restrict the polling hosts with an ACL
- Disable HTTP(S) if not used (global: no ip http server and/or no ip http secure-server)
- Disable DNS queries (global: no ip domain-lookup), which also stops the CLI from trying to resolve mistyped commands as hostnames
Path Integrity Mechanisms
- Disable ICMP redirects (interface: no ip redirects)
- Disable IP source routing (global: no ip source-route)
Probes and Scans
- Disable finger service (global: no ip finger; older releases use no service finger)
- Disable ICMP unreachables (interface: no ip unreachables); note that this also suppresses the "fragmentation needed" messages Path MTU Discovery depends on, so on transit interfaces rate limiting with ip icmp rate-limit unreachable is often the better choice
- Disable ICMP mask reply (interface: no ip mask-reply) (disabled by default)
- Disable directed broadcasts (interface: no ip directed-broadcast) (disabled by default)
Terminal Access Security
- Disable identd (global: no ip identd)
- Enable TCP keepalives (global: service tcp-keepalives-in and service tcp-keepalives-out) so idle or half-open management sessions are torn down instead of holding vty lines
Gratuitous and Proxy ARP
- Disable gratuitous ARP (global: no ip arp gratuitous, on releases that support it)
- Disable proxy ARP (interface: no ip proxy-arp, or globally with ip arp proxy disable)
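The checklist above is easiest to apply as a repeatable audit rather than by eye. The following Python script is an added example, not part of the original chapter: it parses a saved show running-config and reports which items are missing or explicitly enabled. It relies on how IOS prints its configuration: a feature that is on by default only shows up once disabled (no service pad), and a feature that is off by default only shows up once someone enabled it (ip finger), so the audit looks for the required no ... lines and for the forbidden enabling lines, per scope. The SAMPLE_CONFIG is constructed for the example and the unused-interface check is a heuristic (an up interface with no IP address).

```python
"""Audit a saved Cisco IOS 'show running-config' against the hardening checklist.
Added example, not part of the original chapter. IOS prints only non-default
settings, so a hardened default-on feature appears as a 'no ...' line and an
enabled default-off feature appears as a plain line; the audit checks for both."""

# Global lines that must be present (disable a default-on feature or enable a
# protection that is off by default).
GLOBAL_REQUIRED = [
    "no service pad", "no ip bootp server", "no cdp run", "no ip source-route",
    "no ip domain-lookup", "service tcp-keepalives-in", "service tcp-keepalives-out",
]
# Global lines whose presence means a default-off service was switched on
# (prefix match, so 'snmp-server community public RO' is caught).
GLOBAL_FORBIDDEN = [
    "service config", "service tcp-small-servers", "service udp-small-servers",
    "service finger", "ip finger", "ip identd", "ftp-server enable",
    "ip http server", "ip http secure-server", "snmp-server community",
]
# Per-interface lines required on every active L3 interface. Caveat: 'no ip
# unreachables' also drops the fragmentation-needed messages PMTUD relies on.
INTERFACE_REQUIRED = ["no ip redirects", "no ip proxy-arp", "no ip unreachables"]
# Per-interface lines that re-enable a default-off feature.
INTERFACE_FORBIDDEN = ["ip directed-broadcast", "ip mask-reply", "mop enabled"]


def parse_config(text):
    """Split a running-config into global lines and per-interface line sets."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            # Indented line: belongs to the last 'interface' block seen.
            # Other indented blocks (line vty, router ...) are ignored here.
            if current is not None:
                interfaces[current].add(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        else:
            global_lines.add(line)
    return global_lines, interfaces


def _matches(line, prefix):
    # Exact line or prefix followed by an argument; 'no ip http server' does
    # not match 'ip http server' because the comparison starts at column 0.
    return line == prefix or line.startswith(prefix + " ")


def audit(text):
    """Return findings as (scope, kind, line); kind is missing, present or unused."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd in GLOBAL_REQUIRED:
        if cmd not in global_lines:
            findings.append(("global", "missing", cmd))
    for prefix in GLOBAL_FORBIDDEN:
        for line in sorted(global_lines):
            if _matches(line, prefix):
                findings.append(("global", "present", line))
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue  # administratively down: nothing left to harden
        if "no ip address" in lines:
            findings.append((name, "unused", "no ip address"))  # heuristic
            continue
        for cmd in INTERFACE_REQUIRED:
            if cmd not in lines:
                findings.append((name, "missing", cmd))
        for prefix in INTERFACE_FORBIDDEN:
            for line in sorted(lines):
                if _matches(line, prefix):
                    findings.append((name, "present", line))
    return findings


# Constructed sample for the example; not captured from a real device.
SAMPLE_CONFIG = """\
version 15.2
service tcp-keepalives-in
hostname edge-rtr
!
no ip bootp server
no ip domain-lookup
ip finger
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip mask-reply
!
interface GigabitEthernet0/1
 no ip address
 shutdown
!
interface GigabitEthernet0/2
 no ip address
!
snmp-server community public RO
ip http server
no ip http secure-server
!
end
"""

if __name__ == "__main__":
    for scope, kind, line in audit(SAMPLE_CONFIG):
        print(f"{scope:22} {kind:8} {line}")
```

Run it against a config exported with show running-config; on the constructed sample it reports ten findings (four missing global commands, three enabled global services, two on GigabitEthernet0/0 and the un-shut GigabitEthernet0/2). The prefix lists are the place to add platform-specific items, and any exception you accept (for instance keeping ip unreachables on a transit link) should be a deliberate edit to INTERFACE_REQUIRED rather than an ignored finding.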
AutoSecure
Router# auto secure [management | forwarding] [no-interact | full] [login | ntp | ssh | firewall | tcp-intercept]
AutoSecure applies many of the items above in one pass; no-interact takes Cisco's defaults without prompting, so review the generated configuration (show running-config) before saving it, since it can also change settings, such as disabling CDP, that the device may still need.
One of the best summaries I have seen. It makes life easier and is time well spent. Good job. Gerard
nice work