Router Security Configuration Guide
UNCLASSIFIED
60
Version 1.0g
| Feature | Description | Default | Recommendation |
|---|---|---|---|
| HTTP server | Some Cisco IOS devices offer web-based configuration. | Varies by device | If not in use, explicitly disable; otherwise restrict access. |
| Bootp server | Service to allow other routers to boot from this one. | Enabled | This is rarely needed and may open a security hole; disable it. |
| Configuration auto-loading | Router will attempt to load its configuration via TFTP. | Disabled | This is rarely used; disable it if it is not in use. |
| IP source routing | IP feature that allows packets to specify their own routes. | Enabled | This rarely-used feature can be helpful in attacks; disable it. |
| Proxy ARP | Router will act as a proxy for layer 2 address resolution. | Enabled | Disable this, unless the router is serving as a LAN bridge. |
| IP directed broadcast | Packets can identify a target LAN for broadcasts. | Enabled | Directed broadcast can be used for attacks; disable it. |
| Classless routing behavior | Router will forward packets with no concrete route. | Enabled | Certain attacks can benefit from this: disable it unless your net requires it. |
| IP subnet zero support | Router will support the illegal zero-bit mask. | Disabled | Explicitly disable this. |
| IP unreachable notifications | Router will explicitly notify senders of incorrect IP addresses. | Enabled | Can aid network mapping; disable on interfaces to untrusted networks. |
| IP mask reply | Router will send an interface's IP address mask in response to an ICMP mask request. | Disabled | Can aid IP address mapping; explicitly disable on interfaces to untrusted networks. |
| IP redirects | Router will send an ICMP redirect message in response to certain routed IP packets. | Enabled | Can aid network mapping; disable on interfaces to untrusted networks. |
| NTP service | Router can act as a time server for other devices and hosts. | Enabled if NTP is in use | If not in use, explicitly disable; otherwise restrict access. |
| Simple Network Mgmt. Protocol | Routers can support SNMP remote query and configuration. | Enabled | If not in use, explicitly disable; otherwise restrict access. |
| Domain Name Service | Routers can perform DNS name resolution. | Enabled (broadcast) | Set the DNS server address explicitly, or disable DNS. |
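As an added example, not part of the guide, the following Python script audits a saved IOS running-config against the table above: it reports which global services still lack an explicit disable statement and which per-interface features remain on for interfaces you list as facing untrusted networks. It assumes the standard IOS command names for disabling each feature (the guide's table does not list them) and uses a constructed sample configuration.

```python
# (feature from the table, scope, IOS command that disables it)
CHECKS = [
    ("HTTP server", "global", "no ip http server"),
    ("Bootp server", "global", "no ip bootp server"),
    ("Configuration auto-loading", "global", "no service config"),
    ("IP source routing", "global", "no ip source-route"),
    ("Classless routing", "global", "no ip classless"),
    ("IP subnet zero", "global", "no ip subnet-zero"),
    ("Proxy ARP", "interface", "no ip proxy-arp"),
    ("IP directed broadcast", "interface", "no ip directed-broadcast"),
    ("IP unreachables", "interface", "no ip unreachables"),
    ("IP mask reply", "interface", "no ip mask-reply"),
    ("IP redirects", "interface", "no ip redirects"),
]

SAMPLE_CONFIG = """\
! constructed sample running-config, not captured from a real device
no ip http server
no ip bootp server
no ip source-route
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
"""

def parse_config(text):
    """Return (global lines, {interface: its lines}) from an IOS running-config."""
    glob, ifaces, cur = set(), {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line or line.startswith("!"):   # '!' ends a config block
            cur = None
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = set()
        elif line.startswith(" ") and cur:      # indented line belongs to the interface
            ifaces[cur].add(line.strip())
        else:
            cur = None
            glob.add(line.strip())
    return glob, ifaces

def audit(text, untrusted):
    """List (feature, location) pairs still lacking the recommended disable command."""
    glob, ifaces = parse_config(text)
    missing_global = [(f, "global") for f, s, c in CHECKS if s == "global" and c not in glob]
    missing_iface = [(f, i) for f, s, c in CHECKS if s == "interface"
                     for i in untrusted if c not in ifaces.get(i, set())]
    return missing_global + missing_iface
```

Because a running-config omits settings that match the platform default, the check reports any feature without an explicit `no` line, which matches the table's advice to disable explicitly.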