
Upload: nandan-bisht

Post on 24-Nov-2015


CCIE Security V4 Technology Labs Section 1: System Hardening and Availability

Disabling Unnecessary Services

Last updated: May 3, 2013

Task

Load the configuration files for this task.
On R1, disable CDP on all interfaces.
Ensure that R1 cannot be accessed via a web page.
Disable the ability for R1 to respond to a mask reply on interface G0/0.
On R1, disable IP unreachables.
On R2, disable CDP on the interface facing R3.
Disable IP source routing on R2.

    Explanation and Verification

Cisco Discovery Protocol (CDP) is primarily used to obtain protocol addresses of neighboring devices and discover the platforms of those devices. CDP can also be used to show information about the interfaces your router uses, so it is a target for attackers who want to gain information about your network and its resources. CDP is media and protocol independent and runs on almost all Cisco-manufactured equipment. It is a useful protocol, but the security implications are significant. To disable CDP features, you have two options: the interface level and the global level. You can use the no cdp enable interface command or the no cdp run global command.

The Cisco IOS also has the ability to enable an HTTP service, which allows configuration and monitoring of the router using any web browser. You can configure the HTTP service to listen on a non-standard port using ip http port number. You can direct the method of authentication using the ip http authentication {aaa | enable | local | tacacs} command, but this does not prevent access to the service. To control access to the HTTP server, either use the ip http access-class {access-list-number | name} command or disable the service globally. The HTTP server can be disabled with the no ip http server command in global configuration mode, and a Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command.

Additionally, as a security best practice, any unused services should be disabled. Although this task specifies only a few of these services, it is still best to understand what the services are. TCP and UDP small services should be disabled. These services include:

echo (port number 7)
discard (port number 9)
daytime (port number 13)
chargen (port number 19)

Although abuse of the small services can be avoided or made less dangerous by anti-spoofing access lists, the services must be disabled on any device accessible within the network. The small services are disabled by default in Cisco IOS Software Releases 12.0 and later. In earlier software, the no service tcp-small-servers and no service udp-small-servers global configuration commands can be issued to disable them.

In addition to the TCP and UDP small services, the following considerations should be made:

IP Finger: Issue the no ip finger global configuration command to disable Finger service. Cisco IOS software releases later than 12.1(5) and 12.1(5)T disable this service by default.

BootP: Issue the no ip bootp server global configuration command to disable Bootstrap Protocol (BOOTP). In Cisco IOS Software Release 12.2(8)T and later, issue the ip dhcp bootp ignore command in global configuration mode to disable BOOTP. This leaves Dynamic Host Configuration Protocol (DHCP) services enabled.

DHCP: DHCP services can be disabled if DHCP relay services are not required. Issue the no service dhcp command in global configuration mode.

MOP: Issue the no mop enabled command in interface configuration mode to disable the Maintenance Operation Protocol (MOP) service.

DNS Resolution: Issue the no ip domain-lookup global configuration command to disable Domain Name System (DNS) resolution services.

PAD: Issue the no service pad command in global configuration mode to disable Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks.

TFTP Config: Unless Cisco IOS devices retrieve configurations from the network during startup, the no service config global configuration command must be used. This prevents the Cisco IOS device from attempting to locate a configuration file on the network using TFTP.

LLDP: Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is similar to CDP. However, this protocol allows interoperability between other devices that do not support CDP. LLDP must be treated in the same manner as CDP and disabled on all interfaces that connect to untrusted networks. To accomplish this, issue the no lldp transmit and no lldp receive interface configuration commands. Issue the no lldp run global configuration command to disable LLDP globally. LLDP can also be used by a malicious user for reconnaissance and network mapping.
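The list above is long enough that checking it by eye on every router is error-prone. The following script is an added example, not part of the INE lab: it reads a saved running-config and reports, for every global and interface-level service named in this section, whether the config explicitly disables it, explicitly enables it, or says nothing (in which case the release default applies, which the script deliberately does not guess). The sample configuration at the bottom is constructed for illustration.

```python
"""Audit a Cisco IOS running-config for the unnecessary services discussed above.

Added example (not INE's code). Only lines present in the config are judged;
an absent service is reported as "default" because IOS does not print default
settings and the default varies by release.
"""

# Global services: (label, explicit disable line, explicit enable line).
GLOBAL_CHECKS = [
    ("CDP (global)",      "no cdp run",                   "cdp run"),
    ("HTTP server",       "no ip http server",            "ip http server"),
    ("HTTPS server",      "no ip http secure-server",     "ip http secure-server"),
    ("TCP small servers", "no service tcp-small-servers", "service tcp-small-servers"),
    ("UDP small servers", "no service udp-small-servers", "service udp-small-servers"),
    ("Finger",            "no ip finger",                 "ip finger"),
    ("BOOTP server",      "no ip bootp server",           "ip bootp server"),
    ("DHCP service",      "no service dhcp",              "service dhcp"),
    ("DNS resolution",    "no ip domain-lookup",          "ip domain-lookup"),
    ("PAD",               "no service pad",               "service pad"),
    ("TFTP config load",  "no service config",            "service config"),
    ("LLDP (global)",     "no lldp run",                  "lldp run"),
    ("IP source routing", "no ip source-route",           "ip source-route"),
]

# Per-interface hardening lines: (label, explicit disable line).
INTERFACE_CHECKS = [
    ("CDP",               "no cdp enable"),
    ("LLDP transmit",     "no lldp transmit"),
    ("LLDP receive",      "no lldp receive"),
    ("ICMP mask reply",   "no ip mask-reply"),
    ("ICMP unreachables", "no ip unreachables"),
    ("MOP",               "no mop enabled"),
]


def parse_config(text):
    """Split a running-config into global lines and per-interface line lists.

    IOS indents the lines of an 'interface X' block by one space; indented
    lines of other blocks (line vty, router ospf, ...) are ignored here.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" "):
            if current is not None:
                interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def has_command(lines, command):
    """True if the exact command (optionally followed by arguments) is present."""
    return any(line == command or line.startswith(command + " ") for line in lines)


def audit_global(global_lines):
    """Return {label: 'disabled' | 'ENABLED' | 'default'} for each global service."""
    results = {}
    for label, off_cmd, on_cmd in GLOBAL_CHECKS:
        if has_command(global_lines, off_cmd):
            results[label] = "disabled"
        elif has_command(global_lines, on_cmd):
            results[label] = "ENABLED"
        else:
            results[label] = "default"
    return results


def audit_interfaces(interfaces):
    """Return {interface: {label: True if the disable line is present}}."""
    return {name: {label: has_command(lines, off) for label, off in INTERFACE_CHECKS}
            for name, lines in interfaces.items()}


def audit(text):
    """Run both audits over a config text."""
    global_lines, interfaces = parse_config(text)
    return audit_global(global_lines), audit_interfaces(interfaces)


# Constructed sample: HTTP still on, HTTPS off, G0/1 not yet hardened.
SAMPLE_CONFIG = """\
hostname R1
no ip finger
no ip source-route
ip http server
no ip http secure-server
no service pad
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no ip unreachables
 no ip mask-reply
 no cdp enable
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    glob, ifaces = audit(SAMPLE_CONFIG)
    for label, state in glob.items():
        print(f"{label:20} {state}")
    for name, checks in ifaces.items():
        print(name, "missing:", [label for label, ok in checks.items() if not ok])
```

Run it against the output of show running-config saved to a file; the "ENABLED" and "default" rows are the ones to review, and the per-interface list shows which of the lab's interface commands (no cdp enable, no ip mask-reply, no ip unreachables, and so on) have not yet been applied.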

To begin our configuration, disable CDP as directed on R1.

R1:

R1#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no cdp run
R1(config)#
R1(config)#end
R1#sh cdp
Jan 16 21:27:26.745: %SYS-5-CONFIG_I: Configured from console by console
% CDP is not enabled
R1#


Additionally, ensure that R1 is not running the HTTP service. First look at the open ports.

R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                  *:23                  *:0                   Telnet   LISTEN
tcp                  *:80                  *:0                HTTP CORE   LISTEN
tcp                  *:80                  *:0                HTTP CORE   LISTEN

As seen in the output, the HTTP server is enabled. Disable the HTTP server with the no ip http server command.

R1#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip http server
R1(config)#end
R1#

Now verify that the service is disabled.

R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                  *:23                  *:0                   Telnet   LISTEN
R1#
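Reading show control-plane host open-ports by hand works for one router; across many, it is easier to parse the output and compare the listeners against what is supposed to be there. The following is an added example, not part of the INE lab: it parses output in the format shown above and flags any listener whose protocol and port are not on an allow-list. The sample output is constructed from the lab's format (the SSH and SNMP rows are added for illustration), and the allow-list of only tcp/22 is an assumption for the sample run, not a recommendation from the lab.

```python
"""Parse 'show control-plane host open-ports' output and flag unexpected listeners.

Added example (not INE's code). SAMPLE_OUTPUT is constructed in the format the
lab shows; the SSH-Server and IP SNMP rows are illustrative additions.
"""

SAMPLE_OUTPUT = """\
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                  *:22                  *:0               SSH-Server   LISTEN
tcp                  *:23                  *:0                   Telnet   LISTEN
tcp                  *:80                  *:0                HTTP CORE   LISTEN
tcp                  *:80                  *:0                HTTP CORE   LISTEN
udp                 *:161                  *:0                  IP SNMP   LISTEN
"""


def parse_open_ports(text):
    """Return one dict per data row: proto, port, local, foreign, service, state.

    Columns are split on whitespace. The service name may itself contain a
    space ("HTTP CORE"), so it is everything between the foreign address
    (third column) and the state (last column).
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] not in ("tcp", "udp"):
            continue  # banner and header lines
        local, foreign, state = tokens[1], tokens[2], tokens[-1]
        port = int(local.rsplit(":", 1)[1])  # "*:80" -> 80
        entries.append({
            "proto": tokens[0], "port": port, "local": local, "foreign": foreign,
            "service": " ".join(tokens[3:-1]), "state": state,
        })
    return entries


def listening_services(entries):
    """Unique (proto, port, service) tuples in LISTEN state, sorted.

    The lab output lists the HTTP listener twice; the set removes the repeat.
    """
    return sorted({(e["proto"], e["port"], e["service"])
                   for e in entries if e["state"] == "LISTEN"})


def unexpected_listeners(entries, allowed):
    """Listeners whose (proto, port) pair is not in the allow-list 'allowed'."""
    return [svc for svc in listening_services(entries) if (svc[0], svc[1]) not in allowed]


if __name__ == "__main__":
    parsed = parse_open_ports(SAMPLE_OUTPUT)
    # Assumption for the sample run: only SSH on tcp/22 is expected.
    for proto, port, service in unexpected_listeners(parsed, {("tcp", 22)}):
        print(f"unexpected listener: {proto}/{port} ({service})")
```

On the sample output the script reports Telnet on tcp/23, HTTP on tcp/80 and SNMP on udp/161 as unexpected; after no ip http server is applied, as in the lab, the tcp/80 row disappears from the real output and from the report.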

Disable R1 from sending ICMP mask replies on G0/0, so that it no longer answers ICMP mask requests on that interface.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int g0/0
R1(config-if)#no ip mask-reply
R1(config-if)#

On R1, disable IP unreachables on the same interface.

R1(config-if)#
R1(config-if)#no ip unreachables
R1(config-if)#

Now go to R2 and disable CDP on the interface facing R3. As you can see below, we first verify that CDP is enabled; it is, because we can see SW2. This is the directly connected device in our layer 2 path to R3, and that is why we don't see R3 here.

R2>en
R2#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1              Gig 0/0           135        R S I       WS-C3560- Fas 0/2
R2#
R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int g0/0
R2(config-if)#no cdp enable
R2(config-if)#end
R2#
R2#
R2#
Jan 17 18:40:05.668: %SYS-5-CONFIG_I: Configured from console by consolesh cdp

Because CDP was disabled only on G0/0 and not globally, sh cdp still reports the router's global CDP settings:

R2#sh cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled
R2#
R2#
R2#

Finally, disable IP source routing on R2. Note that no ip source-route is a global configuration command, so it applies to the whole router rather than to the G0/0 interface alone.

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no ip source-route
R2(config)#