Services and Protocols

Global Router Commands
to be disabled

Network Boot (service boot network)
Routers with network boot enabled will search for boot files on the network during boot. This is rarely used, but could permit methods of attack.
Disabling is recommended
Cisco Discovery Protocol (service cdp)
Cisco Discovery Protocol sends and receives information about the reporting device and receives information about other Cisco devices. Cdp should not be used on border routers and should not be needed internally.
Disabling is recommended
Configuration Auto-loading (service config)
A router with Configuration Auto-loading enabled will attempt to load its configuration file from a TFTP server. An attacker may be able to have a malicious configuration loaded.
Disabling is recommended
Dynamic Host Configuration Protocol (service dhcp)
Dhcp provides Internet Protocol (IP) addresses to hosts that request them. On corporate networks this is usually handled by a dedicated server, not by a router.
Disabling is recommended
X.25 Packet Assembler/Disassembler Service (service pad)
Pad Service is used for some older Wide Area Networking (WAN) connections. If not configured for your WAN, it should be explicitly turned off.
Disabling is recommended
Finger (ip finger)
The IP Finger service can tell requesters who is logged into a router. This information can be accessed in other ways by authorized users.
Disabling is recommended
Gratuitous Arps (ip gratuitous-arps)
A router can send Address Resolution Protocol (ARP) requests on behalf of another device. These requests are called gratuitous arps. This functionality should not be needed on a correctly configured network, and could be a vector for attack.
Disabling is recommended
HTTP Server (ip http server)
The Hypertext Transfer Protocol (HTTP) Server service makes the router into a web server allowing web administration of the router. Routers configured by command line do not need this.
Disabling is recommended
HTTP Secure Server (ip http secure-server)
The Hypertext Transfer Protocol (HTTP) Secure Server service makes the router into an encryption-capable web server, allowing more secure web administration of the router than the plain HTTP server. Routers configured by command line do not need this.
Disabling is recommended
Name Server (ip name-server)
Enabling ip name-server on a router lets the router resolve Domain Name System (DNS) names. Routers should rarely have to resolve names on a corporate network. Most have dedicated DNS servers for name resolution. An enabled ip name-server service on a router can be an avenue for attack.
Disabling is recommended
Source Routing (ip source-route)
Source Routing enables a sender to specify the path that should be used for return packets. It is rarely used in production environments but can be very useful to attackers: they can receive normally unroutable or "spoofed" packets back, providing valuable information.
Disabling is recommended
Link Layer Discovery Protocol (lldp run)
Link Layer Discovery Protocol (lldp) is similar to Cisco Discovery Protocol (cdp) but is an open standard. Institute of Electrical and Electronics Engineers (IEEE) standard 802.1AB details the specification. Lldp should not be needed and should definitely be disabled on edge routers. Lldp has not been incorporated into Cisco IOS as of the date of this writing. If not available on your router, running the command results in a harmless error.
Disabling is recommended
TCP Small-Servers (service tcp-small-servers)
TCP and UDP Small-Servers enables a suite of services such as echo, chargen, daytime, and more. These services should not be needed for normal operation but could provide an attacker with information about your router or your network.
Disabling is recommended
UDP Small-Servers (service udp-small-servers)
TCP and UDP Small-Servers enables a suite of services such as echo, chargen, daytime, and more. These services should not be needed for normal operation but could provide an attacker with information about your router or your network.
Disabling is recommended
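The following global-configuration snippet collects the services in this list into the form they take on a Cisco IOS router. It is an added example, not output of the tool this page describes; the address 192.0.2.53 is a placeholder for whatever name server is currently configured, and `no ip domain-lookup` is included alongside it because it stops the router from initiating DNS queries even if a name server remains configured.

```cisco
! Added example: global services to disable (configure terminal first)
no boot network
no service config
no cdp run
no service dhcp
no service pad
no ip finger
no ip gratuitous-arps
no ip http server
no ip http secure-server
! stop DNS resolution by the router; 192.0.2.53 is a placeholder for the
! server currently configured, repeat for each one present
no ip domain-lookup
no ip name-server 192.0.2.53
no ip source-route
! harmless error on IOS images without LLDP support
no lldp run
no service tcp-small-servers
no service udp-small-servers
```

Because IOS only shows non-default settings in `show running-config`, the quickest check after applying these is `show running-config | include ^no ` to confirm each disabled service appears, and `show cdp` / `show ip http server status` for the two that report their own state.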

Interface Specific Commands
to be disabled

Cisco Discovery Protocol (service cdp)
Cisco Discovery Protocol sends and receives information about the reporting device and receives information about other Cisco devices.
Cdp should not be used on border routers and should not be needed internally. Although this command is not needed if cdp has been disabled globally, adding it to the interfaces does no harm.
Disabling is recommended
Directed-broadcast (directed-broadcast)
IP Directed Broadcast lets a host on one Local Area Network (LAN) segment This feature should not be needed and can be used for attacks if enabled.
Disabling is recommended
Redirects (ip redirects)
IP Redirect causes the router to send redirect messages when prompted. An attacker can use this feature to gain information about your network and for some forms of attack.
Disabling is recommended
Proxy-arp (ip proxy-arp)
IP Proxy-arp permits the router to send Address Resolution Protocol (arp) requests on behalf of a host on another network. Proxy-arp can give an attacker information and could be used in some attacks.
Disabling is recommended
Mask-reply (ip mask-reply)
IP Mask-reply causes the router to provide the network mask of networks it is aware of. An attacker can use this in mapping the networks and determining potential host addresses to conduct further reconnaissance on.
Disabling is recommended
Unreachables (ip unreachables)
IP Unreachables are generated on the router for networks that it cannot route to. Through process of elimination, this information can be used to map a network. Networks that do not return unreachables are known and may be configured on the router. They at least exist in its routing tables.
Disabling is recommended
Maintenance Operations Protocol (mop)
Maintenance Operations Protocol is a DECnet protocol that is not needed on most networks. Any unneeded protocols should be disabled to reduce possible attack vectors.
Disabling is recommended
Network Time Protocol (ntp)
Network Time Protocol (ntp) should be configured on the router, but should be enabled and configured only on the loopback interface. It should be disabled on all other interfaces.
Disabling is recommended
Loopback Interface (interface loopback)
A Loopback Interface is a virtual interface that is not associated with a physical network connection. Protocols like Secure Shell (SSH) and Network Time Protocol can be bound to the loopback interface so they are not handled by interfaces associated with physical ports and actual networks.
Creation of a loopback interface is recommended
Null Interface (interface null)
A Null Interface routes all traffic to a virtual location within the router where all packets are dropped. Routing unwanted traffic to the null interface, also known as "null routing" or "black hole routing", is a very efficient method of getting rid of traffic that is unwanted or is most likely spoofed.
Creation of a Null Interface and routing spoofed traffic to it is recommended
Auxiliary Port (aux port)
The Auxiliary (aux) Port provides a means of physically connecting to the router via a serial cable. Local administration of the router is usually done using the console port. Disabling the aux port is recommended unless it is connected to a modem for out-of-band access. If connected to a modem, both the modem and the aux port must be configured securely.
Disabling the aux port is recommended
Console Port
The Console Port is used to connect to the router locally. A console cable is connected from the router's console port to a serial port on a computer. Once connected, the user brings up terminal emulation software like Tera Term, HyperTerminal, or PuTTY. The console port permits sensitive operations like password recovery, so it must be configured securely.
Secure configuration of the console port is recommended
Virtual Terminal (vty) Ports
Virtual Terminal (vty) Ports permit connection over the network. Since they are accessible from anywhere using insecure protocols unless properly configured, they pose a great risk. Access to them should be restricted to secure protocols such as Secure Shell (ssh) and only trusted IP addresses should be permitted. An Access Control List (acl) is used to restrict access to trusted IP addresses.
Secure configuration of the vty ports is recommended
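The interface-level items above, the loopback and the null interface, shown together as an added example that is not the page's own configuration. Interface names and addresses are placeholders; GigabitEthernet0/0 stands for the outside link, and the null routes cover the RFC 1918 and loopback ranges that should never appear as destinations on a border router.

```cisco
! Added example: per-interface hardening on a border router
interface Loopback0
 description management and source address for ntp/ssh/syslog
 ip address 192.0.2.1 255.255.255.255
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description outside link (placeholder name)
 ip address 198.51.100.2 255.255.255.252
 no cdp enable
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 no ip mask-reply
 no ip unreachables
 no mop enabled
 ntp disable
!
! black-hole routes: traffic destined to these ranges is silently dropped
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
!
! bind management protocols to the loopback rather than a physical port
ntp source Loopback0
ip ssh source-interface Loopback0
```

Two caveats: a null route only drops packets whose destination falls in the range (for example replies to a spoofed source), so dropping packets that arrive with such a source address needs unicast reverse-path checking (`ip verify unicast source reachable-via rx` on the outside interface), which uses the null route to fail the lookup; and if any of those ranges is legitimately routed inside the network, a more specific route to the real destination takes precedence over the null route, so the black hole only catches the unrouted remainder.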

Global router commands (to be enabled)


ip cef
Cisco Express Forwarding (cef) in and of itself does not do much security-wise. It can make the processing of through traffic faster. Cef uses its own Forwarding Information Base (fib) to switch packets through the router. This is faster than the default switching method, fast-switching.
Enabling cef is recommended
ntp receive
Receiving time via Network Time Protocol (ntp) means that the log files generated by the router will have accurate timestamps. Timestamp accuracy of log files is crucial to tracking attacks or attempted attacks. The earlier commands disabling ntp on interfaces means the router will not serve as an ntp server. A primary and backup ntp server should be configured for redundancy.
Enabling ntp reception is recommended
password-encryption
Password encryption is better than leaving configured passwords clear text, but it is NOT secure. Small, free programs such as Boson's GetPass can be used to decipher passwords encrypted in this way. Even if you have password-encryption enabled, remember to protect your router configuration files.
Enabling service password-encryption is recommended
tcp-keepalives-in
TCP Keepalives let the router calculate how long a TCP session has been connected and permit tracking of "idle time", the time during which no user action has occurred on a given connection.
Enabling tcp-keepalives in and out is recommended
tcp-keepalives-out
TCP Keepalives let the router calculate how long a TCP session has been connected and permit tracking of "idle time", the time during which no user action has occurred on a given connection.
Enabling tcp-keepalives in and out is recommended
ssh timeout
If tcp-keepalives-in are enabled, idle SSH sessions can be logged off after a pre-set time. The brst shuts down idle sessions after 20 minutes of inactivity. This reduces the chance that someone can walk up to a computer with a session connected and make changes.
Enabling ssh timeout is recommended
ssh authentication retries
SSH authentication retries (attempts where a bad username or password has been entered) can be limited to thwart brute force password cracking attempts. The brst sets the number of attempts before lockout to three.
Limiting ssh authentication retries is recommended
ip classless
The ip classless command causes the router to forward packets for an unknown subnet to a known supernet that contains it. If this feature is disabled, a packet whose destination subnet has no route of its own is dropped instead of being forwarded via the supernet.
Enabling ip classless is recommended

Access control

aux port Configuration
The Auxiliary Port (aux port) presents an unneeded risk and should be disabled. If it is used for remote access, it should be secured.
Disabling the aux port is recommended.
Console Port
The console port is often used for local administration. It should be secured by requiring default login (aaa), and should have transport output none.
Securing console port is recommended.
vty ports
Virtual Terminal or vty ports are used for remote access and should be secured as tightly as practical. Only a very limited number of IP Addresses should be allowed to access them, and only using secure protocols when possible.
Securing vty ports is recommended.
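The global "to be enabled" items and the three access-control sections overlap, so this added example shows them as one configuration. It is not the page's or the tool's own output; the NTP addresses, the management subnet in access-list 10 and the two secrets are placeholders. One point of IOS syntax the text glosses over: `ip ssh time-out` (at most 120 seconds) bounds the SSH negotiation phase, while the 20-minute idle disconnect the page attributes to "ssh timeout" is set with `exec-timeout` on the vty lines.

```cisco
! Added example: global services to enable
ip cef
ip classless
! type 7 encryption is reversible; keep privileged and user secrets hashed
service password-encryption
enable secret PLACEHOLDER-ENABLE-SECRET
service tcp-keepalives-in
service tcp-keepalives-out
! primary and backup time sources, sourced from the loopback
ntp server 192.0.2.10 prefer
ntp server 192.0.2.11
ntp source Loopback0
! SSH: negotiation timeout in seconds, three failed logins, protocol 2 only
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
! local AAA so the "default" login method can be applied to every line
aaa new-model
aaa authentication login default local
username admin privilege 15 secret PLACEHOLDER-USER-SECRET
!
! management hosts allowed to reach the vty lines (placeholder subnet)
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
line con 0
 login authentication default
 exec-timeout 10 0
 transport output none
line aux 0
 no exec
 exec-timeout 0 1
 transport input none
 transport output none
line vty 0 4
 login authentication default
 access-class 10 in
 transport input ssh
 exec-timeout 20 0
```

`access-class 10 in` with the `deny any log` entry means a connection attempt from an unlisted address is refused and recorded, which is the detection side of restricting the vty ports; `transport input ssh` removes telnet entirely rather than relying on the ACL alone. Verify with `show ip ssh`, `show line`, and `show ntp associations` once the time sources are reachable.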

Logging

Configure Syslog to use a port on this router
This option configures your router to send syslog messages to a local port on the border router.
Positives - Allows use of a hardened syslog server, doesn't require passing traffic through firewall.
Negatives - You have to configure a syslog server and have a free port on your router.
Configuring syslog to use a local DMZ port is recommended.
Configure Syslog to use a DMZ on the Firewall
This option configures your router to send syslog messages to a syslog server residing in a DMZ off your firewall.
Positives - Allows use of a hardened syslog server, allows firewall to filter traffic to syslog server.
Negatives - You have to configure a syslog server and have to configure your firewall to allow and analyze the traffic.
Note: You should probably choose this option if you don't have a DMZ but do have a syslog server on your local network.
Configuring syslog to use a DMZ on the firewall is recommended.
Configure local logging only
You will not be using a syslog server. All logs will be stored locally and overwritten when full.
Positives - No additional configuration required.
Negatives - Logs are lost upon reboot or powering off, logs are overwritten as they fill, storage is limited.
Configuring local logging only is not recommended.
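The two recommended options differ only in where the syslog host sits, so a single logging configuration covers both; this added example is not the page's own configuration, and 192.0.2.20 is a placeholder for the syslog server on the local port or in the firewall DMZ. The buffer settings are what the "local logging only" option amounts to, and remain useful even when a remote server is configured, since they hold recent messages if the server is unreachable.

```cisco
! Added example: syslog to a hardened server, with local buffer as fallback
! accurate, zoned timestamps so entries can be correlated across devices
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
! local buffer (lost on reboot, overwritten when full)
logging buffered 16384 informational
! do not flood the console; critical messages still appear
logging console critical
! remote server: severity level, source address, destination
logging trap informational
logging source-interface Loopback0
logging host 192.0.2.20
logging facility local6
```

With the DMZ option the firewall must permit UDP port 514 from the router's loopback address (the `logging source-interface`) to the syslog host and nothing else from the router, which is what lets the firewall filter and inspect the traffic as the page describes. `show logging` displays the buffer, the configured trap level and the remote host, and is the quickest way to confirm messages are being sent.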