How Vulnerable Are Your Cisco IOS Routers?

Expert Reference Series of White Papers
How Vulnerable Are
Your Cisco IOS
Routers?
1-800-COURSES www.globalknowledge.comHow Vulnerable Are Your Cisco IOS
Routers?
Carol Kavalla, Global Knowledge Instructor, BS, CCSI, CCDP
IntroductionSecurity of the network is a top priority for companies. Of course, this would include securing Cisco routers. It may be surprising to some that Cisco routers run many services that could create vulnerabilities. Some of these services are enabled by default.
This white paper lists a number of the services that should be disabled and why. Additionally, some best prac-tices for securing your Cisco routers are defined.
This is not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulner-abilities, nor of all best practices for configuring Cisco routers. There are several Cisco security courses that cover this information in depth. Rather, this paper is meant to be a vehicle for discussion regarding the security of Cisco routers.
Services that Are Enabled by Default The services below are enabled by default (in some cases depending on the version of IOS installed on the router) and should be disabled if not in use.
BOOTP server This allows a router to act as a BOOTP server for other routers; thereby allowing them to load their operating system over the network from the router acting as the BOOTP server.
A hacker could use the BOOTP service to download a copy of the router's IOS software. The tools for this type of attack are available on the Internet.
If not required, the BOOTP service should be disabled. The following global command can be used to disable BOOTP: no ip bootp server.
Cisco Discovery Protocol (CDP)Cisco Discover Protocol is used to obtain information about directly connected Cisco neighbors. The informa-tion gleaned from CDP includes ip addresses, hardware model information, and operating system version. This
Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 2feature could allow a hacker to gain information about the configuration of the device and of the network infrastructure. If not needed, it should be disabled globally or on an interface by interface basis.
CDP can be disabled globally with the no cdp run command and on the interface with the no cdp enable command.
CDP needs to be enabled when using Cisco IP phones. If it has been disabled globally on the switch, it can be enabled on the interface using the cdp enable command.
There are several known attacks on the Cisco IP Phone CDP feature, so it is a decision for each network adminis-trator to determine the risk versus the obvious benefits of CDP to support Cisco IP Telephony solutions.
HTTP Configuration and MonitoringThe default setting for this service is device-dependent. HTTP service allows the router to be monitored or con-figured from a web browser. HTTP is a clear-text protocol and is vulnerable to various packet-capture methods.
A hacker could monitor network traffic and capture authentication usernames and passwords. This issue is made more serious when the enable password is used for authentication because this knowledge would give the at-tacker full administrative access to the device. Once usernames and passwords have been captured, it is simply a matter of using the credentials to log into the router. If not required, the HTTP service should be disabled. If web access to the device is required, consider using HTTPS or Secure Shell (SSH). The encrypted HTTPS and SSH services may require an IOS or hardware upgrade.
The HTTP service can be disabled with the following IOS global command: no ip http server. Domain Name System (DNS)By default, Cisco routers broadcast name requests to 255.255.255.255. A hacker who is able to capture network traffic could monitor DNS queries from the Cisco Router.
Domain lookups can be disabled with the following global command: no ip domain-lookup.
Packet Assembler / Disassembler (PAD) The Packet Assembler / Disassembler service enables X.25 connections between network systems. The PAD ser-vice is enabled by default on most Cisco IOS devices, but it is only required if support for X.25 links is necessary. Running unused services increases the chances of a hacker finding a security hole or compromising a device.
The PAD service can be disabl... [download for more]