[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Joseph Jackson
jjackson at aninetworks.net
Sun Mar 23 23:29:59 EDT 2008
After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do, which I got from the Hardening Cisco Routers book. What do you guys think? Should there be anything else? I also try to run SSH on any router that can support it.
GLOBAL CONFIG
! Disable legacy/small services that are rarely needed and expose the router
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
! Obscure stored passwords and tear down dead TCP sessions in both directions
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
! Stop the router advertising itself and serving protocols it does not need
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
! ip cef is a global command, not an interface command
ip cef
END GLOBAL CONFIG
Per Interface Config
! Do not generate ICMP redirects or answer ARP on behalf of other hosts
no ip redirects
no ip proxy-arp
! Note: this also suppresses "fragmentation needed" messages, which breaks PMTUD through this hop
no ip unreachables
no ip directed-broadcast
no ip mask-reply
END Per Interface Config
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Eric Cables
> Sent: Friday, March 21, 2008 2:13 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>
> A recent network audit has discovered that Proxy ARP is enabled on pretty
> much every L3 interface in the network. As a Cisco default, this isn't
> surprising, since no template configs have it disabled.
>
> The question is: whether or not I should go back and disable it, or just
> leave it be, since it doesn't appear to be causing any problems.
>
> Any feedback would be appreciated.
>
> --
> Eric Cables
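As an added example (not from the post or its author), here is a small audit script that checks an IOS-style running-config text against the checklist above and reports which global and per-interface hardening lines are missing. The sample config embedded in it is constructed for illustration, not taken from any real device. One assumption is labelled in the code: on current IOS, directed-broadcast and mask-reply are off by default and the `no` form is not displayed in a running-config, so for those two the script treats the presence of the positive form as the violation rather than the absence of the `no` line.

```python
"""Audit a Cisco IOS-style running-config against the router hardening checklist."""

# Checklist from the post: lines expected in global config.
GLOBAL_REQUIRED = [
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip finger",
    "no ip source-route", "no ip gratuitous-arps", "ip cef",
]
# Lines expected under every interface that carries an IP address.
INTERFACE_REQUIRED = [
    "no ip redirects", "no ip proxy-arp", "no ip unreachables",
    "no ip directed-broadcast", "no ip mask-reply",
]
# Assumption: these are off by default on current IOS and the "no" form is not
# shown in a running-config, so compliance means the positive form is absent.
DEFAULT_OFF = {"no ip directed-broadcast", "no ip mask-reply"}

# Constructed sample running-config (illustrative only, not a real device).
SAMPLE_CONFIG = """\
version 12.4
service pad
service tcp-keepalives-in
service password-encryption
no service finger
hostname edge-rtr
ip cef
no ip bootp server
ip http server
no ip source-route
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip proxy-arp
 no ip unreachables
 ip directed-broadcast
!
interface GigabitEthernet0/2
 shutdown
!
line vty 0 4
 transport input ssh
!
end
"""


def parse_config(text):
    """Split config text into (global_lines, {interface_name: [stanza lines]})."""
    global_lines, interfaces = [], {}
    current = None  # name of the interface stanza being read, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # "!" terminates a stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0].isspace():
            # Indented lines belong to the open stanza; lines under non-interface
            # stanzas (line vty, router ...) are not global commands and are skipped.
            if current is not None:
                interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def missing_items(present, required):
    """Return the checklist items (in checklist order) not satisfied by `present`."""
    present = set(present)
    missing = []
    for item in required:
        if item in DEFAULT_OFF:
            if item[len("no "):] in present:  # explicitly turned on: violation
                missing.append(item)
        elif item not in present:
            missing.append(item)
    return missing


def audit(text):
    """Return {'global': [missing...], 'interfaces': {name: [missing...]}}."""
    global_lines, interfaces = parse_config(text)
    report = {"global": missing_items(global_lines, GLOBAL_REQUIRED), "interfaces": {}}
    for name, lines in interfaces.items():
        # Only interfaces with an IP address are in scope for the per-interface list.
        if any(l.startswith("ip address ") for l in lines):
            report["interfaces"][name] = missing_items(lines, INTERFACE_REQUIRED)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("Missing global commands:", result["global"])
    for name, missing in result["interfaces"].items():
        print(f"{name}: missing {missing}")
```

Feed it the output of `show running-config` saved to a file and replace `SAMPLE_CONFIG` with the file contents; a clean device returns an empty global list and empty lists for every IP-bearing interface.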