Network security is a top priority for companies, and this includes securing Cisco routers. It is surprising to some that Cisco routers run many services that could create vulnerabilities.
Some of these services are enabled by default.
This white paper is not an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers.
It is intended to be a vehicle for discussion regarding the security of those routers.
Services that Are Enabled by Default
The services below are enabled by default (in some cases depending on the version of IOS installed on the router) and should be disabled if not in use.
Bootstrap Protocol (BOOTP)
The BOOTP server service allows a router to act as a BOOTP server for other routers, so that they can load their operating system over the network from the router acting as the BOOTP server.
A hacker could use the BOOTP service to download a copy of the router's IOS software. The tools for this type of attack are available on the Internet.
If not required, the BOOTP service should be disabled. The following global command can be used to disable BOOTP: no ip bootp server.
Cisco Discovery Protocol (CDP)
Cisco Discovery Protocol is used to obtain information about directly connected Cisco neighbors. The information gleaned from CDP includes IP addresses, hardware model information, and operating system version.
This feature could allow a hacker to gain information about the configuration of the device and of the network infrastructure. If not needed, it should be disabled globally or on an interface-by-interface basis.
CDP can be disabled globally with the no cdp run command and on the interface with the no cdp enable command.
CDP needs to be enabled when using Cisco IP phones. If it has been disabled globally on the switch, it can be enabled on the interface using the cdp enable command.
There are several known attacks on the Cisco IP Phone CDP feature, so it is a decision for each network administrator to determine the risk versus the obvious benefits of CDP to support Cisco IP Telephony solutions.
HTTP Configuration and Monitoring
The default setting for this service is device-dependent. HTTP service allows the router to be monitored or configured from a web browser. HTTP is a clear-text protocol and is vulnerable to various packet-capture methods.
A hacker could monitor network traffic and capture authentication usernames and passwords.
This issue is made more serious when the enable password is used for authentication because this knowledge would give the attacker full administrative access to the device.
Once usernames and passwords have been captured, it is simply a matter of using the credentials to log into the router.
If not required, the HTTP service should be disabled. If web access to the device is required, consider using HTTPS or Secure Shell (SSH). The encrypted HTTPS and SSH services may require an IOS or hardware upgrade.
The HTTP service can be disabled with the following IOS global command: no ip http server.
Domain Name System (DNS)
By default, Cisco routers broadcast name requests to 255.255.255.255. A hacker who is able to capture network traffic could monitor DNS queries from the Cisco router.
Domain lookups can be disabled with the following global command: no ip domain-lookup.
Packet Assembler / Disassembler (PAD)
The Packet Assembler / Disassembler service enables X.25 connections between network systems. The PAD service is enabled by default on most Cisco IOS devices, but it is only required if support for X.25 links is necessary.
Running unused services increases the chances of a hacker finding a security hole or compromising a device.
The PAD service can be disabled with the following global configuration: no service pad.
Internet Control Message Protocol (ICMP) Redirects
When ICMP redirects are enabled, the router sends an ICMP redirect message whenever it is forced to resend a packet out the same interface on which it was received. By sending ICMP redirects, a hacker can redirect packets to an untrusted device.
To stop ICMP redirects, use the following interface command: no ip redirects. This needs to be done on all interfaces.
IP Source Routing
IP source routing is a feature whereby a network packet can specify how it should be routed through the network. IP source routing can allow a hacker to specify a route for a network packet to follow, possibly to bypass a firewall or an Intrusion Detection System (IDS).
A hacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker.
A hacker would have to control either a routing device or an end point device in order to modify a packet's route through the network.
However, tools are available on the Internet that would allow a hacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols.
This can be disabled using the global command: no ip source-route.
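The checks above all reduce to the same question: does the running configuration contain the line that turns each service off, and for ICMP redirects (and CDP when it is not disabled globally) does every interface carry its own "no" command. The following script is an added example, not part of the original paper and not a Cisco tool; it reads the text of show running-config and reports the services from this paper that are still enabled. It assumes that a service is enabled whenever its disabling command is absent, which is the conservative reading for services that are on by default (for HTTP, whose default is device-dependent, an absent line is reported for review rather than treated as safe). It also accepts both spellings of the domain-lookup command, since older and newer IOS releases store it differently. The sample configuration and its hostname are constructed for the example.

```python
"""Audit a Cisco IOS running-config for the default-enabled services discussed
in this paper. Added example code, not the paper's or Cisco's own tool.
Assumption: a service counts as enabled when its disabling line is absent."""

# Global service -> the global command from the paper that disables it.
GLOBAL_DISABLE = {
    "bootp server":      "no ip bootp server",
    "cdp (global)":      "no cdp run",
    "http server":       "no ip http server",
    "dns lookup":        "no ip domain lookup",   # normalised form, see _norm()
    "pad":               "no service pad",
    "ip source routing": "no ip source-route",
}


def _norm(line):
    """Collapse whitespace and accept both 'ip domain-lookup' (older IOS)
    and 'ip domain lookup' (newer IOS) as the same command."""
    line = " ".join(line.split())
    return line.replace("ip domain-lookup", "ip domain lookup")


def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(_norm(raw))
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def global_findings(config):
    """Names of global services whose disabling command is missing."""
    present = {_norm(l) for l in config.splitlines()}
    return sorted(n for n, cmd in GLOBAL_DISABLE.items() if cmd not in present)


def redirect_findings(config):
    """Interfaces still missing 'no ip redirects' (needed on every interface)."""
    return sorted(n for n, body in parse_interfaces(config).items()
                  if "no ip redirects" not in body)


def cdp_interface_findings(config):
    """Interfaces still running CDP; empty when CDP is disabled globally."""
    if "no cdp run" in {_norm(l) for l in config.splitlines()}:
        return []
    return sorted(n for n, body in parse_interfaces(config).items()
                  if "no cdp enable" not in body)


def audit(config):
    """Run every check and return one findings dictionary."""
    return {
        "global": global_findings(config),
        "icmp_redirects": redirect_findings(config),
        "cdp_interfaces": cdp_interface_findings(config),
    }


# Constructed sample: partially hardened, so several findings remain.
SAMPLE_CONFIG = """\
!
hostname edge-rtr1
!
no service pad
no ip bootp server
ip http server
no ip source-route
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 shutdown
!
line vty 0 4
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for section, items in audit(SAMPLE_CONFIG).items():
        print(f"{section}: {', '.join(items) or 'OK'}")
```

Against the sample, the script reports CDP, DNS lookup and HTTP as still enabled globally, two interfaces without no ip redirects, and two interfaces still running CDP. Feeding it a configuration that contains every command from this paper returns empty lists for all three sections, which makes it usable as a quick regression check after each configuration change.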
Global Knowledge is the worldwide leader in IT and business skills training. We deliver via training centers, private facilities, and the Internet, enabling our customers to choose when, where, and how they want to receive training programs and learning services.