Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
send ICMP messages under a wide variety of conditions. Three ICMP messages are
commonly used by attackers for network mapping and diagnosis: Host Unreachable,
Redirect, and Address Mask Reply. Automatic generation of these messages should be
disabled on every interface, especially interfaces that are connected to untrusted
networks. One caveat: no ip unreachables suppresses all Destination Unreachable
messages, including the Fragmentation Needed message that Path MTU Discovery
depends on, so check for MTU problems on paths that cross the interface after
applying it. The example below shows how to turn the three messages off for an
interface.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface eth 0/0
Central(config-if)# no ip unreachables
Central(config-if)# no ip redirects
Central(config-if)# no ip mask-reply
Central(config-if)# end
Central#
NTP Service
Cisco routers and other hosts use the Network Time Protocol (NTP) to keep their
time-of-day clocks accurate and synchronized; consistent time across devices is
also what makes log entries and audit records from different routers comparable
during an investigation. If possible, configure all routers as part of an NTP
hierarchy, as described in Section 4.5. If an NTP hierarchy is not available on
the network, then disable NTP on every interface as shown below.
North# show ip interface brief
Interface      IP-Address    OK? Method Status  Protocol
Ethernet0/0    14.2.10.20    YES NVRAM  up      up
Ethernet1/0    14.1.1.250    YES NVRAM  up      up
North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# interface eth 0/0
North(config-if)# ntp disable
North(config-if)# exit
North(config)# interface eth 1/0
North(config-if)# ntp disable
North(config-if)# end
North#
Disabling NTP on an interface only stops the router itself from accepting NTP
packets that arrive on that interface; it does not prevent NTP messages from
traversing the router. To reject all NTP messages at a particular interface, use
an access list, as discussed in Section 4.3.
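Checking that every interface actually carries the ICMP and NTP settings from the two sections above is tedious by hand on a router with many interfaces. The following Python script is an added example, not part of the guide: it parses the text of a saved show running-config, splits it into global commands and per-interface stanzas, and reports each interface that still generates the three ICMP messages or still accepts NTP when no ntp server or ntp peer line exists (the condition under which the NTP section says to disable it). The sample configuration embedded in the script is constructed for illustration, and the function and variable names are the author's own.

```python
"""Audit a Cisco IOS running-config for the per-interface ICMP and NTP
settings covered above.  Added example, not code from the guide; the
sample config below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed `show running-config` excerpt.  Ethernet0/0 is hardened as
# the guide describes; Ethernet1/0 is at IOS defaults except that someone
# has turned on `ip mask-reply`.  There is no `ntp server`/`ntp peer`
# line, so the rule "no NTP hierarchy -> ntp disable on every interface"
# applies.
SAMPLE_CONFIG = """\
!
hostname North
!
interface Ethernet0/0
 ip address 14.2.10.20 255.255.255.0
 no ip redirects
 no ip unreachables
 ntp disable
!
interface Ethernet1/0
 ip address 14.1.1.250 255.255.255.0
 ip mask-reply
!
ip classless
!
end
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config text into global commands and per-interface stanzas.

    IOS prints a stanza's sub-commands indented by one space; a line at
    column 0 is either a new stanza header or a global command, and '!'
    lines separate stanzas.
    """
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("!"):
            current = None
            continue
        if not raw.strip():
            continue
        if raw[0] != " ":
            current = None
            m = re.match(r"interface\s+(\S+)", raw)
            if m:
                current = m.group(1)
                interfaces[current] = []
            else:
                global_cmds.append(raw.strip())
        elif current is not None:
            interfaces[current].append(raw.strip())
    return global_cmds, interfaces


def audit(text: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]}; an empty list means compliant.

    IOS omits default settings from the running-config.  `ip unreachables`
    and `ip redirects` are on by default, so only their `no` form ever
    appears; `ip mask-reply` is off by default, so its presence means it
    was explicitly enabled.  The checks are written with that in mind.
    """
    global_cmds, interfaces = parse_config(text)
    ntp_hierarchy = any(g.startswith(("ntp server", "ntp peer")) for g in global_cmds)
    findings: Dict[str, List[str]] = {}
    for name, cmds in interfaces.items():
        problems: List[str] = []
        if "no ip unreachables" not in cmds:
            problems.append("ICMP unreachables enabled; add: no ip unreachables")
        if "no ip redirects" not in cmds:
            problems.append("ICMP redirects enabled; add: no ip redirects")
        if "ip mask-reply" in cmds:
            problems.append("ICMP mask reply enabled; add: no ip mask-reply")
        if not ntp_hierarchy and "ntp disable" not in cmds:
            problems.append("no NTP hierarchy but NTP accepted; add: ntp disable")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, problems in audit(SAMPLE_CONFIG).items():
        status = "OK" if not problems else "FAIL"
        print(f"{iface}: {status}")
        for p in problems:
            print(f"  - {p}")
```

Run it against the saved output of show running-config instead of SAMPLE_CONFIG to audit a real router. The mask-reply check is deliberately inverted relative to the other two: because IOS does not print default settings, the absence of no ip mask-reply is fine, while an explicit ip mask-reply line is the finding.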
SNMP Services
The Simple Network Management Protocol (SNMP) is the standard Internet protocol
for automated remote monitoring and administration. There are several versions of
SNMP with very different security properties: SNMPv1 and SNMPv2c authenticate
requests with a community string sent in the clear, while SNMPv3 adds per-user
authentication and optional encryption. If a network has a deployed SNMP
infrastructure in place for administration, then all routers on that network
should be configured to participate in it securely. In the absence of a deployed
SNMP scheme, all SNMP facilities on all routers should be disabled using these steps: