UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
UNCLASSIFIED
65
Ethernet0/1 14.2.9.250 YES NVRAM up up
Ethernet0/2 unassigned YES unset down down
Ethernet0/3 unassigned YES unset down down
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface eth 0/0
Central(config-if)# no ip proxy-arp
Central(config-if)# exit
Central(config)# interface eth 0/1
Central(config-if)# no ip proxy-arp
Central(config-if)# exit
Central(config)# interface eth 0/2
Central(config-if)# no ip proxy-arp
Central(config-if)# exit
Central(config)# interface eth 0/3
Central(config-if)# no ip proxy-arp
Central(config-if)# end
Central#
IP Directed Broadcast and Subnet-zero Support
Directed broadcasts permit a host on one LAN segment to initiate a physical
broadcast on a different LAN segment. This technique was used in some old
denial-of-service attacks, and the default Cisco IOS configuration is to reject
directed broadcasts. Explicitly disable directed broadcasts on each interface using
the interface configuration command no ip directed-broadcast.
IP subnets with an address of 0 are illegal and strongly discouraged in the IP
standard. For example, a network with an address of 14.2.0.0/24 has a subnet address
of 0 in the third octet. The default Cisco IOS configuration is to reject subnet-zero
packets. Explicitly prohibit such packets using the no ip subnet-zero command.
IP Classless Routing
By default, a Cisco router will make an attempt to route almost any IP packet. If a
packet arrives addressed to a subnet of a network that has no default network route,
then IOS will, with IP classless routing, forward the packet along the best available
route to a supernet of the addressed subnet. This feature is often not needed. On
routers where IP classless routing is not needed, disable it as shown below.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no ip classless
Central(config)# exit
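The settings covered above (no ip proxy-arp on every interface in the first transcript, no ip directed-broadcast and no ip subnet-zero in the previous section, and no ip classless here) are easy to verify mechanically against a saved running-config. The Python script below is an added example, not part of this guide or of Cisco IOS: it parses the interface stanzas and global lines of a constructed sample configuration for a router named Central (hostname, addresses and interface names are assumptions), reports each deviation from the guidance, and emits the configuration-mode commands, in the order the transcripts above use them, that would bring the router into line. It assumes the settings are listed explicitly in the config text, which is what the guide recommends entering.

```python
"""Audit a Cisco IOS running-config for the hardening settings this section
covers: per-interface 'no ip proxy-arp' and 'no ip directed-broadcast', and
global 'no ip subnet-zero' and 'no ip classless'.

This is an added example, not part of the original guide. The sample config
below is constructed (hostname, addresses and interface names are assumptions),
and the checker assumes the settings appear explicitly in the config text, as
the guide recommends entering them.
"""
from typing import Dict, List

# Constructed sample running-config for router 'Central' (not a real device).
# Ethernet0/0 is fully hardened, Ethernet0/1 still has proxy ARP enabled,
# Ethernet0/2 has neither setting, and both global features are switched on.
SAMPLE_CONFIG = """\
hostname Central
!
ip subnet-zero
!
interface Ethernet0/0
 ip address 14.1.1.20 255.255.255.0
 no ip proxy-arp
 no ip directed-broadcast
!
interface Ethernet0/1
 ip address 14.2.9.250 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0/2
 no ip address
 shutdown
!
ip classless
!
end
"""

# Commands the guide says every interface should carry.
INTERFACE_REQUIRED = ("no ip proxy-arp", "no ip directed-broadcast")
# Global features the guide says to turn off with the corresponding 'no' form.
GLOBAL_FORBIDDEN = ("ip subnet-zero", "ip classless")


def global_commands(config: str) -> set:
    """Non-indented (global configuration mode) lines, stripped of whitespace."""
    return {line.strip() for line in config.splitlines()
            if line and not line.startswith(" ")}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' stanza to the indented commands inside it."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            # '!', 'end' or any other global line closes the current stanza
            current = None
    return interfaces


def audit(config: str) -> List[str]:
    """Return one finding per deviation; an empty list means the config complies."""
    findings: List[str] = []
    globals_present = global_commands(config)
    for cmd in GLOBAL_FORBIDDEN:
        if cmd in globals_present:
            findings.append(f"global: '{cmd}' is enabled; apply 'no {cmd}'")
    for name, lines in parse_interfaces(config).items():
        for cmd in INTERFACE_REQUIRED:
            if cmd not in lines:
                findings.append(f"{name}: missing '{cmd}'")
    return findings


def remediation(config: str) -> List[str]:
    """Config-mode commands that fix every finding, in the order the guide's
    transcripts use them (interface stanzas first, then global commands)."""
    commands: List[str] = []
    for name, lines in parse_interfaces(config).items():
        missing = [cmd for cmd in INTERFACE_REQUIRED if cmd not in lines]
        if missing:
            commands.append(f"interface {name}")
            commands.extend(f" {cmd}" for cmd in missing)
            commands.append(" exit")
    globals_present = global_commands(config)
    commands.extend(f"no {cmd}" for cmd in GLOBAL_FORBIDDEN if cmd in globals_present)
    return commands


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("Suggested commands:")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Run it against the text of show running-config from a router; interfaces that are administratively down are audited too, matching the first transcript above, which applies no ip proxy-arp to Ethernet0/2 and Ethernet0/3 even though they are down. Because IOS omits default settings from the running-config, a release on which one of these settings is already the default will show it as "missing" unless the command was entered explicitly as the guide advises.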
IP Unreachables, Redirects, Mask Replies
The Internet Control Message Protocol (ICMP) supports IP traffic by relaying
information about paths, routes, and network conditions. Cisco routers automatically