
Chapter 1 Cisco SDM Express

Supplementary Help

The configuration that will be delivered to the router to disable PAD is as follows:

no service pad

You can undo this fix using the Cisco SDM Security Audit feature. To learn how, see the Security Audit online help in Cisco SDM. For more information, click Cisco Router and Security Device Manager.

Disable TCP Small Servers Service

Cisco SDM Express disables small services whenever possible. By default, Cisco devices running Cisco IOS release 11.3 or earlier offer the “small services”: echo, chargen, and discard. (Small services are disabled by default in Cisco IOS software release 12.0 and later.) These services, especially their User Datagram Protocol (UDP) versions, are infrequently used for legitimate purposes, but they can be used to launch Denial of Service (DoS) and other attacks that would otherwise be prevented by packet filtering.

For example, an attacker might send a Domain Name System (DNS) query to the router's UDP echo port (port 7), forging the source address to be that of a DNS server the attacker could not otherwise reach, and forging the source port to be the DNS service port (port 53). The echo service returns the payload to the packet's claimed source address and port, so the router would emit a DNS packet addressed to that server on port 53. No outgoing access list checks would be applied to this packet, because the router treats it as locally generated rather than as forwarded traffic.
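The reflection described above, modelled in Python as an added example that is not part of the Cisco manual. It builds the spoofed IPv4/UDP datagram, models the router's UDP echo service and an outbound access list with small stand-in functions (simplifications, not IOS code), and shows that the reflected packet is addressed to the DNS server on port 53 and is not subject to the outbound access list. The addresses are constructed from the documentation ranges, and nothing is sent on the wire.

```python
import socket
import struct

# Constructed addresses for this illustration (documentation ranges, not from the manual).
ROUTER_IP = "198.51.100.1"    # router still answering on its UDP echo port
DNS_SERVER_IP = "192.0.2.53"  # DNS server the attacker cannot reach directly
ATTACKER_IP = "203.0.113.9"   # real origin of the spoofed packet (never appears in it)
UDP_ECHO_PORT = 7
DNS_PORT = 53


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query for `name` (one question, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 + UDP datagram; the UDP checksum is left at 0 (optional for IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     socket.IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]  # fill header checksum
    return ip + udp


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Pull addresses, ports and payload back out of a datagram built above."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {"src": src, "dst": dst, "proto": pkt[9], "sport": sport, "dport": dport,
            "payload": pkt[ihl + 8:ihl + ulen]}


def udp_echo_reflect(pkt: bytes, router_ip: str) -> bytes:
    """Stand-in for the router's UDP echo service: the payload goes back to whatever
    source address and port the packet claims, in a packet the router itself originates."""
    f = parse_ipv4_udp(pkt)
    if f["dst"] != router_ip or f["dport"] != UDP_ECHO_PORT:
        raise ValueError("not addressed to the router's echo port")
    return build_ipv4_udp(router_ip, f["src"], UDP_ECHO_PORT, f["sport"], f["payload"])


def outbound_acl_blocks(pkt: bytes, router_ip: str, denied_dst: str) -> bool:
    """Stand-in for an outbound access list denying traffic to `denied_dst`.
    Outbound ACLs are applied to forwarded packets only; router-originated packets bypass them."""
    f = parse_ipv4_udp(pkt)
    if f["src"] == router_ip:
        return False  # locally generated: the access list is not consulted
    return f["dst"] == denied_dst


def demo() -> dict:
    query = dns_query("example.com")
    # Sent directly, the query is forwarded traffic and the outbound ACL stops it.
    direct = build_ipv4_udp(ATTACKER_IP, DNS_SERVER_IP, 40000, DNS_PORT, query)
    # Spoofed as "from the DNS server, port 53" and aimed at the router's echo port...
    spoofed = build_ipv4_udp(DNS_SERVER_IP, ROUTER_IP, DNS_PORT, UDP_ECHO_PORT, query)
    # ...the echo reply is a router-originated DNS packet to the server on port 53.
    reflected = udp_echo_reflect(spoofed, ROUTER_IP)
    return {
        "direct_blocked": outbound_acl_blocks(direct, ROUTER_IP, DNS_SERVER_IP),
        "reflected_blocked": outbound_acl_blocks(reflected, ROUTER_IP, DNS_SERVER_IP),
        "reflected": parse_ipv4_udp(reflected),
    }


if __name__ == "__main__":
    print(demo())
```

The access-list model is deliberately minimal: the only property it captures is the one the paragraph relies on, that the router's own reply is never evaluated against an outbound access list, which is why disabling the service matters more than filtering around it.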

Although most abuses of the small services can be avoided or made less dangerous by antispoofing access lists, the services should almost always be disabled on any router that is part of a firewall or lies in a security-critical part of the network. Because the services are rarely used, the best policy is usually to disable them on all routers of any description.

The configuration that will be delivered to the router to disable TCP small servers is as follows:

no service tcp-small-servers

You can undo this fix using the Cisco SDM Security Audit feature. To learn how, see the Security Audit online help in Cisco SDM. For more information, click Cisco Router and Security Device Manager.
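An added example, not part of the Cisco manual: a Python audit that reads a saved running configuration and reports whether the small servers are effectively enabled, applying the version-dependent defaults stated above (enabled by default before IOS 12.0, disabled from 12.0 on), and emits the `no service ...` lines still needed. On 12.0 and later the disabled state is the default and therefore need not appear in `show running-config`, which is why the check has to look at the `version` line rather than only at the service lines. The sample configurations and hostnames are constructed for the illustration.

```python
import re

SMALL_SERVERS = ("tcp-small-servers", "udp-small-servers")

# `version X.Y` is the first line of an IOS running configuration.
_VERSION_RE = re.compile(r"^\s*version\s+(\d+)\.(\d+)", re.MULTILINE)
# Matches both `service tcp-small-servers` and `no service udp-small-servers`.
_SERVICE_RE = re.compile(r"^\s*(no\s+)?service\s+(tcp|udp)-small-servers\s*$", re.MULTILINE)


def ios_version(config: str) -> tuple:
    """Return (major, minor) from the configuration's `version` line."""
    m = _VERSION_RE.search(config)
    if not m:
        raise ValueError("no 'version' line in configuration")
    return int(m.group(1)), int(m.group(2))


def small_servers_state(config: str) -> dict:
    """Effective enabled/disabled state of each small server.

    Start from the release default (enabled before 12.0, disabled from 12.0),
    then let any explicit `service` / `no service` line override it."""
    major, _minor = ios_version(config)
    default_enabled = major < 12
    state = {name: default_enabled for name in SMALL_SERVERS}
    for m in _SERVICE_RE.finditer(config):
        negated, proto = m.group(1), m.group(2)
        state[f"{proto}-small-servers"] = negated is None
    return state


def remediation(config: str) -> list:
    """The `no service ...` lines to deliver for every small server still enabled."""
    return [f"no service {name}"
            for name, enabled in small_servers_state(config).items() if enabled]


# Constructed sample configurations (not taken from any real router).
SAMPLE_IOS_11 = """\
version 11.3
hostname edge-old
!
no service pad
!
"""

SAMPLE_IOS_11_FIXED = """\
version 11.3
hostname edge-old
no service tcp-small-servers
"""

SAMPLE_IOS_12 = """\
version 12.3
hostname edge-new
service tcp-small-servers
"""

if __name__ == "__main__":
    for label, cfg in (("11.3 untouched", SAMPLE_IOS_11),
                       ("11.3 after fix", SAMPLE_IOS_11_FIXED),
                       ("12.3 explicit enable", SAMPLE_IOS_12)):
        print(label, small_servers_state(cfg), remediation(cfg))
```

After delivering the lines, `show running-config | include small-servers` on the router confirms the result; an empty result on a 12.0 or later release means the defaults are in force, while on an 11.x release the `no service` lines should be present.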

Cisco SDM Express    1-28    OL-7141-04
