Securing Cisco Router: Device Hardening Measures

Network device access control and protection are critical to network infrastructure and overall security. Securing a Cisco router includes disabling unused services and features. These device hardening measures reduce the amount of information an attacker can gather about the device and shrink the attack surface it exposes to the network.

Hardening Cisco routers also reduces the CPU and memory spent processing unnecessary packets. Aside from configuring enhanced password security and securing console access (the ‘service password-encryption’ command obscures plaintext passwords in the configuration, although its type 7 encoding is trivially reversible and should not be relied on; the ‘enable secret’ command stores a hashed privileged-mode password and takes precedence over the older, reversible ‘enable password’, which should be removed once a secret is set), unused features must be disabled. For example, disable the Simple Network Management Protocol (SNMP) with the ‘no snmp-server’ command when it is not needed for management, and disable the HTTP and HTTPS management interfaces with the ‘no ip http server’ and ‘no ip http secure-server’ commands. The other tools and services most commonly disabled as part of device hardening are the following:

  1. Topology Discovery Tools: Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) advertise details such as the device platform, software version and IP addresses to directly connected neighbours, which an attacker on an adjacent segment can harvest. Disable CDP globally with ‘no cdp run’ or on a single interface with the interface command ‘no cdp enable’; disable LLDP globally with ‘no lldp run’ or per interface with the ‘no lldp transmit’ and ‘no lldp receive’ commands. Leave them enabled only on interfaces where neighbouring devices, such as IP phones, depend on them.
  2. TCP and UDP Small Services: The small servers (echo, discard, chargen and daytime) are legacy diagnostic services that can be abused for reconnaissance and traffic amplification; disable them with the ‘no service tcp-small-servers’ and ‘no service udp-small-servers’ commands. Separately, the ‘service tcp-keepalives-in’ and ‘service tcp-keepalives-out’ commands make the device send TCP keepalives on inbound and outbound connections, so it can detect that the peer is no longer reachable and tear down half-open or orphaned sessions instead of letting them consume resources.
  3. IP Redirect Services: When a Cisco router forwards a packet back out the interface it arrived on, it sends an ICMP redirect message to tell the sending host about a more direct next hop. Redirects reveal routing topology and can be spoofed to manipulate a host's routing table; the interface command ‘no ip redirects’ disables this behaviour.
  4. Proxy Address Resolution Protocol (ARP): With proxy ARP, a Cisco router answers ARP requests for hosts that are not on the local subnet but that it can reach, replying with its own MAC address so that the requesting host sends the traffic through the router. This lets hosts with missing or misconfigured default gateways reach remote networks, but it also helps an attacker discover hosts on other subnets and makes ARP-based man-in-the-middle attacks easier, because hosts are already accustomed to receiving ARP replies from a device that is not the real destination. Disable it on each interface with the command ‘no ip proxy-arp’.
  5. Service Configuration: Cisco network devices can load their configuration automatically at boot from a remote TFTP server and similar sources. An attacker who controls the TFTP server or the network path could supply a malicious configuration, so this feature should be disabled using the ‘no service config’ command.
  6. Maintenance Operation Protocol (MOP) Service: MOP is a legacy DECnet maintenance protocol that is unnecessary on modern networks and should be disabled on every Ethernet interface using the ‘no mop enabled’ command in interface configuration mode.
  7. Packet Assembler/Disassembler (PAD) Service: The PAD service is only required for X.25 networks. The global command ‘no service pad’ is used to disable it.
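The items above add up to a checklist that is easy to get wrong on a fleet of routers, so the following added example (written for this page, not Cisco tooling) parses the output of ‘show running-config’ and reports which hardening lines are missing or which risky services are still enabled. The command strings are real Cisco IOS syntax; the function names ‘parse_config’ and ‘audit_config’ and the two sample configs are constructed for illustration, and the type 7 and type 9 password strings in them are placeholders.

```python
"""Added example (not Cisco tooling): audit a `show running-config` dump against
the hardening items listed above. All command strings are real Cisco IOS syntax;
the helper names and the sample configs below are constructed for illustration."""

# Global lines that must be present. IOS prints each of these in the running
# config because it changes a default, so an exact-line match is enough.
REQUIRED_GLOBAL = (
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no service pad",
    "no ip http server",
    "no ip http secure-server",
    "no cdp run",
)
# Global lines that show a risky service or setting is still active.
FORBIDDEN_GLOBAL_PREFIXES = (
    "service tcp-small-servers",  # echo/discard/chargen/daytime over TCP
    "service udp-small-servers",
    "service config",             # auto-load configuration over TFTP at boot
    "boot network",
    "lldp run",                   # LLDP is off by default; this line turns it on
    "snmp-server community",      # SNMP enabled with a community string
    "enable password",            # reversible type-7 password; use enable secret
)
# Required on every non-loopback interface that carries an IP address.
REQUIRED_ON_IP_INTERFACES = ("no ip redirects", "no ip proxy-arp")
# MOP is an Ethernet-only legacy protocol.
REQUIRED_ON_ETHERNET = ("no mop enabled",)


def parse_config(text):
    """Split a running-config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # '!' closes an interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_config(text):
    """Return sorted finding strings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for required in REQUIRED_GLOBAL:
        if required not in global_lines:
            findings.append(f"global: missing '{required}'")
    for line in global_lines:
        if line.startswith(FORBIDDEN_GLOBAL_PREFIXES):
            findings.append(f"global: risky line present '{line}'")
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("global: missing 'enable secret'")
    for name, lines in interfaces.items():
        checks = []
        if not name.lower().startswith("loopback") and any(
            l.startswith("ip address ") for l in lines
        ):
            checks += REQUIRED_ON_IP_INTERFACES
        if "ethernet" in name.lower():
            checks += REQUIRED_ON_ETHERNET
        for required in checks:
            if required not in lines:
                findings.append(f"interface {name}: missing '{required}'")
    return sorted(findings)


# Constructed sample: a router before hardening (placeholder password values).
UNHARDENED_CONFIG = """\
hostname R1
enable password 7 0822455D0A16
ip http server
no ip http secure-server
service config
snmp-server community public RO
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no mop enabled
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
end
"""

# Constructed sample: the same router after applying the commands above.
HARDENED_CONFIG = """\
hostname R1
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
enable secret 9 $9$placeholderhash
no ip http server
no ip http secure-server
no cdp run
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no mop enabled
!
end
"""

if __name__ == "__main__":
    for finding in audit_config(UNHARDENED_CONFIG):
        print(finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The check relies on the fact that IOS only prints lines that differ from the default: ‘no cdp run’ or ‘no ip http server’ appears once you disable the service, while LLDP, which is off by default, only shows up as ‘lldp run’ when someone has turned it on. Paste in a real running-config and every finding is the exact command to type to close it.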

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: