[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Enno Rey
erey at ernw.de
Mon Mar 24 04:03:34 EDT 2008
Hi,
On Sun, Mar 23, 2008 at 08:29:59PM -0700, Joseph Jackson wrote:
>
> After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.
>
> GLOBAL CONFIG
>
> no service finger
> no service pad
> no service udp-small-servers
> no service tcp-small-servers
> service password-encryption
> service tcp-keepalives-in
> service tcp-keepalives-out
> no cdp run
> no ip bootp server
> no ip http server
> no ip finger
> no ip source-route
> no ip gratuitous-arps
some other candidates to add here (may depend on platform/image and only to be applied after careful reconsideration ;-):
no service config
no ip http-secure
no service dhcp
no boot network
no boot host
no mop enabled
no ip host-routing
as for the interface stuff...
>
> Per Interface Config
>
> no ip redirects
> no ip unreachables
personally, I don't like those two. what's wrong with a router _sending_ icmp redirects or (even more important/useful) icmp unreachables?
keep in mind those commands are not about accepting those (but, as said: sending them).
and, depending on the environment (e.g. in some IXs this can be found), you might want to add this one:
no keepalive
be aware this can lead to serious problems (e.g. on Gig-Ifs) when applied inappropriately ;-))
thanks,
Enno
--
Enno Rey
Check out www.troopers08.org!
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
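A small audit script for the checklist discussed above, added here as an example and not part of the original thread. It parses `show running-config` text, reports which global commands from the quoted list are not explicitly present, and reports the per-interface commands separately (as the reply argues, `no ip redirects` / `no ip unreachables` only stop the router *sending* those ICMP messages, so they are listed rather than required, and `no keepalive` is only flagged as present). The sample config, the interface names and the addresses are constructed for the example; the reply's extra global candidates can be appended to `GLOBAL_CHECKLIST` once their syntax has been checked for the image in use. IOS omits settings that equal the image default from the running-config, so an absent line means "not explicitly configured", not necessarily "insecure".

```python
"""Audit a Cisco IOS running-config against the hardening checklist from the thread.

Added example, not from the original post. It matches configuration lines
verbatim, so feed it the output of `show running-config`.
"""
from typing import Dict, List, Tuple

# Global commands from the checklist quoted in the thread (in that order).
GLOBAL_CHECKLIST: List[str] = [
    "no service finger",
    "no service pad",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no cdp run",
    "no ip bootp server",
    "no ip http server",
    "no ip finger",
    "no ip source-route",
    "no ip gratuitous-arps",
]

# Per-interface commands from the checklist. They affect what the router
# sends, not what it accepts, and the reply questions their value, so the
# audit reports them instead of treating their absence as a finding.
INTERFACE_CHECKLIST: List[str] = ["no ip redirects", "no ip unreachables"]

# Environment-dependent (e.g. some IX ports); the reply warns it can cause
# problems on Gigabit interfaces, so it is only reported as present/absent.
INTERFACE_OPTIONAL = "no keepalive"

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
no ip http server
no ip gratuitous-arps
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
!
interface GigabitEthernet0/1
 description peering port (constructed example)
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no keepalive
!
line vty 0 4
 transport input ssh
!
end
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config text into top-level lines and per-interface sub-mode lines.

    IOS prints sub-mode commands with a one-space indent and separates
    sections with a bare '!', which is all this parser relies on.
    """
    top: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None  # name of the interface stanza we are inside, if any
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            # sub-mode line: keep it only if it belongs to an interface stanza
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        else:
            current = None
            top.append(line)
    return top, interfaces


def audit(text: str) -> dict:
    """Return which checklist commands are not explicitly set, per scope."""
    top, interfaces = parse_config(text)
    present = set(top)
    report = {
        "missing_global": [cmd for cmd in GLOBAL_CHECKLIST if cmd not in present],
        "interfaces": {},
    }
    for name, lines in interfaces.items():
        have = set(lines)
        report["interfaces"][name] = {
            "missing": [cmd for cmd in INTERFACE_CHECKLIST if cmd not in have],
            "no_keepalive": INTERFACE_OPTIONAL in have,
        }
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("global commands not explicitly set:")
    for cmd in result["missing_global"]:
        print("  ", cmd)
    for name, info in result["interfaces"].items():
        print(f"{name}: not set {info['missing'] or 'nothing'}; "
              f"no keepalive present={info['no_keepalive']}")
```

Run it against real `show running-config` output by replacing `SAMPLE_CONFIG`; anything it reports as missing still needs the "careful reconsideration" the reply asks for before being pushed to a box, because several of the listed commands are platform- and image-dependent.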