Router Security Configuration Guide UNCLASSIFIED 66 UNCLASSIFIED Version 1.0g

send ICMP messages under a wide variety of conditions. Three ICMP messages are commonly used by attackers for network mapping and diagnosis: 'Host unreachable', 'Redirect', and 'Mask Reply'. Automatic generation of these messages should be disabled on all interfaces, especially interfaces that are connected to untrusted networks. The example below shows how to turn them off for an interface.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# interface eth 0/0
    Central(config-if)# no ip unreachable
    Central(config-if)# no ip redirect
    Central(config-if)# no ip mask-reply
    Central(config-if)# end
    Central#

NTP Service

Cisco routers and other hosts use the Network Time Protocol (NTP) to keep their time-of-day clocks accurate and in synchrony. If possible, configure all routers as part of an NTP hierarchy, as described in Section 4.5. If an NTP hierarchy is not available on the network, then disable NTP as shown below.

    North# show ip interface brief
    Interface        IP-Address      OK? Method Status    Protocol
    Ethernet0/0      14.2.10.20      YES NVRAM  up        up
    Ethernet1/0      14.1.1.250      YES NVRAM  up        up
    North# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    North(config)# interface eth 0/0
    North(config-if)# no ntp enable
    North(config-if)# exit
    North(config)# interface eth 1/0
    North(config-if)# no ntp enable
    North(config-if)# end
    North#

Disabling NTP on an interface will not prevent NTP messages from traversing the router. To reject all NTP messages at a particular interface, use an access list, as discussed in Section 4.3.

SNMP Services

The Simple Network Management Protocol (SNMP) is the standard Internet protocol for automated remote monitoring and administration. There are several different versions of SNMP, with different security properties.
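The ICMP and NTP interface settings described above are easy to miss on one interface out of many, so an added example (not from the guide) follows: a small Python audit that splits a saved IOS configuration into interface stanzas and reports each interface still lacking any of the four statements. The configuration text embedded in it is constructed sample input; accepting `ntp disable` as an alternative spelling of `no ntp enable` is an assumption about later IOS releases.

```python
"""Audit a Cisco IOS configuration for the per-interface hardening described
in the guide: ICMP unreachables, redirects and mask replies disabled, and NTP
disabled on every interface (the case where no NTP hierarchy exists)."""
import re

# One pattern per required statement; IOS accepts abbreviated commands at the
# CLI, so both the short and the stored plural forms are recognised.
REQUIRED = {
    "icmp unreachables": re.compile(r"^no ip unreachables?\b"),
    "icmp redirects":    re.compile(r"^no ip redirects?\b"),
    "icmp mask-reply":   re.compile(r"^no ip mask-reply\b"),
    # "ntp disable" assumed as the later IOS equivalent of "no ntp enable"
    "ntp":               re.compile(r"^(no ntp enable|ntp disable)\b"),
}

# Constructed sample config: Ethernet0/0 is fully hardened, Ethernet1/0 is not.
SAMPLE_CONFIG = """\
hostname North
!
interface Ethernet0/0
 ip address 14.2.10.20 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ntp enable
!
interface Ethernet1/0
 ip address 14.1.1.250 255.255.255.0
 no ip redirects
!
router ospf 1
 network 14.0.0.0 0.255.255.255 area 0
!
end
"""

def interface_stanzas(config):
    """Yield (interface_name, [stripped body lines]) for each interface block."""
    name, body = None, []
    for line in config.splitlines():
        if name is not None and not line.startswith(" "):
            yield name, body          # any unindented line ('!', 'router ...') ends the stanza
            name, body = None, []
        if line.startswith("interface "):
            name, body = line.split(None, 1)[1].strip(), []
        elif name is not None:
            body.append(line.strip())
    if name is not None:
        yield name, body

def audit(config):
    """Return {interface: [missing checks]} for every interface not fully hardened."""
    findings = {}
    for name, body in interface_stanzas(config):
        missing = [check for check, pat in REQUIRED.items()
                   if not any(pat.match(l) for l in body)]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for iface, missing in audit(SAMPLE_CONFIG).items():
        print(f"{iface}: missing {', '.join(missing)}")
```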
If a network has a deployed SNMP infrastructure in place for administration, then all routers on that network should be configured to securely participate in it. In the absence of a deployed SNMP scheme, all SNMP facilities on all routers should be disabled using these steps: