Cisco IOS features to disable or restrict

Recently I found an overview of some IOS features that you might encounter on Cisco routers. Some of them are enabled by default and could cause a security risk. It’s a good idea to check if any of these are running on your network and perhaps you want to disable them.

  • CDP (Cisco Discovery Protocol) or LLDP (Link Layer Discovery Protocol). You are probably familiar with CDP or LLDP. It’s very useful to discover (Cisco) neighbor devices but it also gives away a lot of information like your (router) model, IP address, IOS version etc. If you don’t use it it’s better to disable it globally or on certain interfaces.
  • TCP Small servers: These are some TCP standard network services like echo. Disable it.
  • UDP Small Servers: Same for UDP. Best to disable it.
  • Finger: User lookup service, originally for Unix. Can be used remotely to list logged-in users. Nobody needs to know this kind of information remotely…
  • HTTP server: very nice for in a lab but not a good idea in a production environment.
  • Bootp server: Allows other routers to boot from this router. Hardly ever used…
  • Configuration auto-loading: Your router will try to boot up from a TFTP, I’ve only used this once, so my regular 2600s could boot the XM image in a lab…not gonna use it in production.
  • PAD service: Router will support X.25. Not gonna use it.
  • IP Source routing: allows the creator of an IP packet to choose the route. You don’t want this.
  • Proxy ARP: Your router will answer (proxy) for L2 ARP requests, normally you don’t need this. Here is an explanation about proxy ARP.
  • IP directed broadcasts: Allows you to send packets to the broadcast address of another subnet, and allows “smurf attacks.” Used for DOS attacks…so disable this.
  • IP Unreachable notifications: Your router will notify a sender of incorrect IP addresses, and gives away information.
  • IP Mask reply: Router will send the subnet mask of an interface in response to an ICMP mask request, giving away information.
  • IP Redirects: Your router will send an ICMP redirect in response to some router IP packets.
  • Maintenance Operations Protocol (MOP): Old management protocol, part of DECnet.
  • NTP service: Your router can become a time server, perhaps unnecessary.
  • SNMP: If you don’t use SNMP, I’d suggest disabling/blocking it.
  • DNS: Routers can perform DNS lookups. If you don’t use this, I’d disable it.

Is there anything else that you miss on this list? please let me know! Good luck securing your routers!

Tags: ,


Forum Replies

  1. Greetings Rene,
    1stly, thanks for the info… truly useful,
    i do have a suggestion: how about “ip domain-lookup” ? we could disable it 2 prevent some domain-server translations (for time saving purposes)…

  2. Hi Reza,

    “no ip domain-lookup” is a nice feature since it can be very annoying when your router tries to do a DNS lookup when you mistype a command. The list above are mostly security-related features however. “Logging synchronous” is also a nice command that most people like to use.

    Rene

  3. You have to be very careful with ip unreachables - the same issue applies to blanket blocking of ICMP because it’s “best practice”.

    The issue is CERTAIN types of “unreachables” do leak information, but other ICMP “types” (thinking Type 4 “packet to big”) need to be allowed to avoid running into nasty MTU issues.

    I’m still fuzzy on the details of how all the commands interact, but the way we got around this was outbound (and inbound) extended ACLs areas overly filtering “good” icmp from bad.

    Works really well, but one step away from Hayes AT codes in terms of bl

    ... Continue reading in our forum

  4. Hi Rob,

    I agree, just blocking ICMP isn’t a good idea because of MTU path discovery. Thanks for sharing :slight_smile:

    I’ll see if I can write up a post with some debugs and before and after configurations.

    Rene

  5. I prefer to disable DTP.

10 more replies! Ask a question or join the discussion by visiting our Community Forum