
Threat control - Regulates network access, isolates infected systems, prevents intrusions, and protects assets by counteracting malicious traffic, such as worms and viruses. Devices that provide threat control solutions are:

- Cisco ASA 5500 Series Adaptive Security Appliances
- Integrated Services Routers (ISR)
- Network Admission Control
- Cisco Security Agent for Desktops
- Cisco Intrusion Prevention Systems

Most of the services listed in this section are usually not required. The table in the figure describes general vulnerable router services and lists best practices associated with those services.

Turning off a network service on the router itself does not prevent it from supporting a network where that protocol is employed. For example, a network may require TFTP services to back up configuration files and IOS images. This service is typically provided by a dedicated TFTP server. In certain instances, a router could also be configured as a TFTP server, but this is very unusual. Therefore, in most cases the TFTP service on the router should be disabled.

In many cases, Cisco IOS software supports turning a service off entirely, or restricting access to particular network segments or sets of hosts. If a particular portion of a network needs a service but the rest does not, the restriction features should be employed to limit the scope of the service.

Turning off an automatic network feature usually prevents a certain kind of network traffic from being processed by the router, or prevents it from traversing the router. For example, IP source routing is a little-used feature of IP that can be utilized in network attacks. Unless it is required for the network to operate, IP source routing should be disabled.

Note: CDP is leveraged in some IP Phone implementations. This needs to be considered before broadly disabling the service.

A variety of commands are required to disable services. The show running-config output in the figure provides a sample configuration in which various services have been disabled. Services that should typically be disabled include:

- Small services such as echo, discard, and chargen - Use the no service tcp-small-servers or no service udp-small-servers command.
- BOOTP - Use the no ip bootp server command.
- Finger - Use the no service finger command.
- HTTP - Use the no ip http server command.
- SNMP - Use the no snmp-server command.

It is also important to disable services that allow certain packets to pass through the router, send special packets, or are used for remote router configuration. The corresponding commands to disable these services are:

- Cisco Discovery Protocol (CDP) - Use the no cdp run command.
- Remote configuration - Use the no service config command.
- Source routing - Use the no ip source-route command.
- Classless routing - Use the no ip classless command.

The interfaces on the router can be made more secure by using certain commands in interface configuration mode:

- Unused interfaces - Use the shutdown command.
- No SMURF attacks - Use the no ip directed-broadcast command.
- Ad hoc routing - Use the no ip proxy-arp command.
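The two lists above (global services to disable, and the interface-mode commands) are easy to check against a saved show running-config. The following audit script is an added example, not part of the course material: the parser and the sample configuration text are constructed here (addresses are from documentation ranges), while the service-to-command table is taken straight from the text. One caveat a practitioner needs: show running-config omits settings that sit at their platform default, so a missing line is reported as "default" rather than assumed to be on or off.

```python
"""Audit a Cisco IOS running-config for the services and interface
settings discussed above.  Added illustration; the sample config is
constructed and the service table comes from the course text."""
import re

# service name -> (regex proving the service is ON, the prescribed disabling command)
GLOBAL_SERVICES = {
    "tcp small servers": (r"^service tcp-small-servers", "no service tcp-small-servers"),
    "udp small servers": (r"^service udp-small-servers", "no service udp-small-servers"),
    "bootp server":      (r"^ip bootp server",           "no ip bootp server"),
    "finger":            (r"^service finger",            "no service finger"),
    "http server":       (r"^ip http server",            "no ip http server"),
    "snmp":              (r"^snmp-server ",              "no snmp-server"),
    "cdp":               (r"^cdp run",                   "no cdp run"),
    "remote config":     (r"^service config",            "no service config"),
    "source routing":    (r"^ip source-route",           "no ip source-route"),
    "classless routing": (r"^ip classless",              "no ip classless"),
}

# interface-mode hardening commands from the text ("shutdown" is handled separately)
INTERFACE_HARDENING = ["no ip directed-broadcast", "no ip proxy-arp"]

# Constructed sample output (not from a real device); 192.0.2.0/24 is a documentation range.
SAMPLE_CONFIG = """\
!
hostname R1-LAB
service finger
no service tcp-small-servers
no service udp-small-servers
ip http server
no ip bootp server
no cdp run
no ip source-route
no ip domain-lookup
snmp-server community public RO
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/1
 no ip address
 shutdown
!
line vty 0 4
 transport input ssh
!
end
"""


def split_config(text):
    """Return (global_lines, {interface_name: [stanza lines]}).
    IOS indents stanza bodies by one space; '!' lines are separators."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):            # body line of some stanza
            if current is not None:         # only interface stanzas are kept
                interfaces[current].append(line.strip())
            continue
        current = None                      # any unindented line ends a stanza
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_global(global_lines):
    """'enabled' if an enabling line is present, 'disabled' if the prescribed
    'no ...' command is present, else 'default' (defaults are not displayed)."""
    status = {}
    for name, (on_re, off_cmd) in GLOBAL_SERVICES.items():
        if any(re.match(on_re, ln) for ln in global_lines):
            status[name] = "enabled"
        elif off_cmd in global_lines:
            status[name] = "disabled"
        else:
            status[name] = "default"
    return status


def audit_interfaces(interfaces):
    """Per interface: whether it is shut down, and which of the hardening
    commands are not explicitly present in its stanza."""
    return {
        name: {
            "shutdown": "shutdown" in lines,
            "missing": [cmd for cmd in INTERFACE_HARDENING if cmd not in lines],
        }
        for name, lines in interfaces.items()
    }


if __name__ == "__main__":
    g, ifs = split_config(SAMPLE_CONFIG)
    for svc, state in audit_global(g).items():
        print(f"{svc:20s} {state}")
    for name, info in audit_interfaces(ifs).items():
        print(name, "shutdown" if info["shutdown"] else "up", "missing:", info["missing"])
```

Run against the constructed sample, the script flags finger, the HTTP server and SNMP as enabled, shows CDP, BOOTP, source routing and the small servers as explicitly disabled, and leaves service config and ip classless at "default" because nothing in the config says either way; the shut-down interface is reported as such, and the active one is only missing no ip directed-broadcast. Feed it the real output of show running-config to get the same report for a device.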

SNMP, NTP, and DNS Vulnerabilities

The methods for disabling or tuning the configurations for these services are beyond the scope of this course. These services are covered in the CCNP: Implementing Secure Converged Wide-area Network course. The descriptions and guidelines to secure these services are listed below.

SNMP

SNMP is the standard Internet protocol for automated remote monitoring and administration. There are several different versions of SNMP with different security properties. Versions of SNMP prior to version 3 shuttle information in clear text. Normally, SNMP version 3 should be used.

NTP

Cisco routers and other hosts use NTP to keep their time-of-day clocks accurate. If possible, network administrators should configure all routers as part of an NTP hierarchy, which makes one router the master timer and provides its time to other routers on the network. If an NTP hierarchy is not available on the network, you should disable NTP. Disabling NTP on an interface does not prevent NTP messages from traversing the router. To reject all NTP messages at a particular interface, use an access list.

DNS

Cisco IOS software supports looking up hostnames with the Domain Name System (DNS). DNS provides the mapping between names, such as central.mydomain.com, and IP addresses, such as 14.2.9.250. Unfortunately, the basic DNS protocol offers no authentication or integrity assurance. By default, name queries are sent to the broadcast address 255.255.255.255. If one or more name servers are available on the network, and it is desirable to use names in Cisco IOS commands, explicitly set the name server addresses using the global configuration command ip name-server addresses. Otherwise, turn off DNS name resolution with the command no ip domain-lookup. It is also a good idea to give the router a name, using the command hostname. The name given to the router appears in the prompt.
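The SNMP, NTP and DNS guidelines above are described but not shown in configuration form. The fragment below is an added example, not taken from the course: it places a weak configuration beside a hardened one. All addresses are from the 192.0.2.0/24 documentation range, the group and user names are placeholders, and the interface name and access-list numbers are assumed; the NTP access list shows the per-interface rejection the text mentions, and the SNMPv3 user with authentication and privacy goes one step beyond the text's "use version 3" advice.

```cisco
! ---- Weak settings (clear-text management, unpinned time source, broadcast DNS) ----
snmp-server community public RO
ntp server 192.0.2.10
! ip domain-lookup is the IOS default: with no ip name-server set,
! queries go to 255.255.255.255

! ---- Hardened settings (placeholders: NETADMIN, monitor, CHANGE-ME-*) ----
hostname R1-LAB
!
! SNMPv3 with authentication and privacy instead of a clear-text community
no snmp-server community public
snmp-server group NETADMIN v3 priv
snmp-server user monitor NETADMIN v3 auth sha CHANGE-ME-AUTH priv aes 128 CHANGE-ME-PRIV
!
! NTP: take time only from the hierarchy's master, and only accept that peer
ntp server 192.0.2.10
access-list 10 permit host 192.0.2.10
ntp access-group peer 10
!
! Reject all NTP messages arriving on one interface (the text's access-list approach)
access-list 110 deny udp any any eq ntp
access-list 110 permit ip any any
interface GigabitEthernet0/1
 ip access-group 110 in
!
! DNS: either name the servers explicitly ...
ip name-server 192.0.2.53 192.0.2.54
! ... or, where names are not needed in IOS commands, turn resolution off instead:
! no ip domain-lookup
```

The two DNS lines are alternatives, not a pair: configure ip name-server when hostnames are wanted in IOS commands, and no ip domain-lookup when they are not, which also stops the router from broadcasting a query every time a mistyped command is treated as a hostname.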
