Hardening Cisco IOS Features

Recently I found an overview of some IOS features that you might encounter on Cisco routers. Several of them are enabled by default and each one either exposes information about the router or gives an attacker something to abuse. It's a good idea to check whether any of them are running on your network and, if you don't need them, disable them.

  • CDP (Cisco Discovery Protocol) or LLDP (Link Layer Discovery Protocol): You are probably familiar with these. They are very useful for discovering (Cisco) neighbor devices, but they also give away a lot of information such as the router model, IP address and IOS version. If you don't need them, disable them globally (no cdp run, no lldp run) or at least on interfaces facing untrusted networks (no cdp enable, no lldp transmit / no lldp receive).
  • TCP Small Servers: Standard TCP services such as echo, chargen, discard and daytime. Nobody needs these on a router, and echo/chargen can be abused for amplification; disable them (no service tcp-small-servers).
  • UDP Small Servers: The same services over UDP. Best to disable them as well (no service udp-small-servers).
  • Finger: A user lookup service that originated on Unix. It can be queried remotely to list who is logged in to the router. Nobody needs to know this kind of information remotely, so disable it (no ip finger).
  • HTTP Server: Very convenient in a lab, but not a good idea in a production environment: over plain HTTP the management interface sends credentials in clear text, and every listening service is extra attack surface. Disable it (no ip http server), and disable HTTPS as well (no ip http secure-server) unless you really manage the router through the web interface.
  • BootP Server: Allows other devices to obtain boot information from this router. Hardly ever used; disable it (no ip bootp server).
  • Configuration auto-loading: The router tries to load its configuration from a TFTP server at boot. I've only used this once, so my regular 2600s could boot the XM image in a lab. I'm not going to use it in production, so it stays off (no service config).
  • PAD Service: Packet assembler/disassembler support for X.25. I'm not going to use it, so disable it (no service pad).
  • IP Source Routing: Allows the sender of an IP packet to choose the route it takes, which can be used to steer traffic around your routing policy and access controls. You don't want this; disable it (no ip source-route).
  • Proxy ARP: The router answers ARP requests on behalf of hosts on other subnets. Normally you don't need this; disable it per interface (no ip proxy-arp).
  • IP Directed Broadcasts: Allows a packet addressed to the broadcast address of another subnet to be delivered as a broadcast there, which is exactly what "smurf" amplification attacks rely on. It has been off by default since IOS 12.0, but check older images and disable it per interface (no ip directed-broadcast).
  • IP Unreachable Notifications: The router sends ICMP unreachable messages for traffic it cannot deliver or that an ACL drops, which tells a scanner which addresses, protocols and ports exist behind it. Disable it on exposed interfaces (no ip unreachables). One caveat: this also suppresses the "fragmentation needed" message (ICMP type 3, code 4), so path MTU discovery through that interface stops working.
  • IP Mask Reply: The router answers an ICMP mask request with the subnet mask of the interface, giving away addressing information. It is off by default; make sure it stays that way (no ip mask-reply).
  • IP Redirects: The router sends an ICMP redirect when it forwards a packet back out the interface it came in on, telling the sender about a better next hop. That reveals your routing topology, so disable it on interfaces facing untrusted networks (no ip redirects).
  • Maintenance Operation Protocol (MOP): An old management protocol from DECnet, enabled by default on Ethernet interfaces of older IOS releases. Disable it per interface (no mop enabled).
  • NTP Service: Your router can act as a time server, which is usually unnecessary. Don't configure ntp master unless the router really is your time source, restrict who may talk NTP to it (ntp access-group), and disable NTP on interfaces facing the outside (ntp disable).
  • SNMP: If you don't use SNMP, disable the agent (no snmp-server). If you do, use SNMPv3 with authentication and privacy, apply an ACL to it, and never leave well-known communities like "public" configured.
  • DNS: Routers can perform DNS lookups. If you don't need this, disable it (no ip domain lookup); as a bonus, a mistyped command will no longer hang while the router tries to resolve it as a hostname.
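
The checks above can be automated against a saved copy of show running-config. The following Python script is an added example and is not part of the original post or of any Cisco tool. It splits the config into global lines and per-interface blocks, applies the defaults of classic IOS 12.x/15.x routers (an assumption: confirm them against your own platform and image, since some switches, for instance, enable the HTTP server by default), and reports the disabling command for everything still in its risky state. The sample configuration and the interface names in it are constructed for the example, not taken from a real device.

```python
"""Audit a Cisco IOS running-config for the risky features discussed above.

Added example (not from the original post). Rule tables assume classic
IOS 12.x/15.x router defaults; verify them for your platform.
"""
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str]  # (keyword as written in the config, exposure, fix command)

# Enabled by default: IOS prints nothing for them, so hardened means the 'no' form is present.
GLOBAL_ON_BY_DEFAULT: List[Rule] = [
    ("cdp run",          "CDP advertises model, IOS version and addresses", "no cdp run"),
    ("ip source-route",  "source-routed packets are honoured",               "no ip source-route"),
    ("ip domain lookup", "router performs DNS lookups",                      "no ip domain lookup"),
    ("service pad",      "X.25 PAD service",                                 "no service pad"),
    ("ip bootp server",  "BootP server answers boot requests",               "no ip bootp server"),
]
# Disabled by default: risky only if the enabling line itself appears.
GLOBAL_OFF_BY_DEFAULT: List[Rule] = [
    ("service tcp-small-servers", "TCP echo/chargen/discard/daytime", "no service tcp-small-servers"),
    ("service udp-small-servers", "UDP echo/chargen/discard",         "no service udp-small-servers"),
    ("ip finger",                 "finger lists logged-in users",      "no ip finger"),
    ("ip http server",            "HTTP management interface",         "no ip http server"),
    ("ip http secure-server",     "HTTPS management interface",        "no ip http secure-server"),
    ("service config",            "config auto-loading over TFTP",     "no service config"),
    ("snmp-server community",     "SNMP agent with community strings", "no snmp-server"),
    ("ntp master",                "router acts as an NTP server",      "no ntp master"),
]
IFACE_ON_BY_DEFAULT: List[Rule] = [
    ("ip proxy-arp",    "proxy ARP answers for other hosts",  "no ip proxy-arp"),
    ("ip redirects",    "ICMP redirects reveal topology",     "no ip redirects"),
    ("ip unreachables", "ICMP unreachables aid scanning",     "no ip unreachables"),
    ("mop enabled",     "DECnet MOP on Ethernet interfaces",  "no mop enabled"),
]
IFACE_OFF_BY_DEFAULT: List[Rule] = [
    ("ip directed-broadcast", "directed broadcasts allow smurf amplification", "no ip directed-broadcast"),
    ("ip mask-reply",         "ICMP mask replies reveal subnet masks",         "no ip mask-reply"),
]


def _norm(line: str) -> str:
    """Collapse whitespace and the old 'domain-lookup' spelling into the newer 'domain lookup'."""
    return " ".join(line.split()).replace("domain-lookup", "domain lookup")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and a per-interface list of indented lines."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # a '!' separator closes the current interface block
            continue
        line = _norm(raw)
        if raw.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(line)
        else:
            current = None          # any non-indented line ends the block too
            global_lines.append(line)
    return global_lines, interfaces


def _present(lines: List[str], keyword: str) -> bool:
    """True if a line is exactly the keyword or starts with it followed by more arguments."""
    return any(l == keyword or l.startswith(keyword + " ") for l in lines)


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (scope, exposure, fix) for every feature still in its risky state."""
    global_lines, interfaces = parse_config(text)
    findings: List[Tuple[str, str, str]] = []
    for kw, why, fix in GLOBAL_ON_BY_DEFAULT:
        if not _present(global_lines, "no " + kw):
            findings.append(("global", why, fix))
    for kw, why, fix in GLOBAL_OFF_BY_DEFAULT:
        if _present(global_lines, kw):
            findings.append(("global", why, fix))
    for name, lines in interfaces.items():
        if name.startswith("Loopback"):  # loopbacks face no neighbour; skip interface checks
            continue
        for kw, why, fix in IFACE_ON_BY_DEFAULT:
            if not _present(lines, "no " + kw):
                findings.append((name, why, fix))
        for kw, why, fix in IFACE_OFF_BY_DEFAULT:
            if _present(lines, kw):
                findings.append((name, why, fix))
    return findings


# Constructed sample running-config for the example; not captured from a real router.
SAMPLE_CONFIG = """\
!
version 15.1
service tcp-small-servers
no service pad
hostname edge-rtr
!
no ip bootp server
ip http server
snmp-server community public RO
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
 ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip unreachables
 no mop enabled
!
end
"""

if __name__ == "__main__":
    for scope, why, fix in audit(SAMPLE_CONFIG):
        print(f"{scope:20} {why:48} -> {fix}")
```

Run it against the output of show running-config (or a config backup) instead of SAMPLE_CONFIG. Note the asymmetry in the rules: features IOS enables by default never show up in the running-config, so the script looks for the explicit "no" form rather than for the feature itself, while features that are off by default are flagged only when someone has turned them on. The sample above yields eleven findings, including the missing "no cdp run" and the enabled TCP small servers globally, and the per-interface proxy ARP and redirect settings that were only fixed on one of the two Ethernet interfaces.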

Is there anything missing from this list? Please let me know!

Good luck securing your routers!

About the Author

I'm Aevon...Just a gal with an insane passion for all things cybersecurity. 17 years in the industry and still love what I'm doing.
