321 Studios OL-7141-04 manual Disable UDP Small Servers Service, Disable IP Bootp Server Service

Page 35

Chapter 1 Cisco SDM Express

Supplementary Help

Disable UDP Small Servers Service

Cisco SDM Express disables small services whenever possible. By default, Cisco devices running Cisco IOS release 11.3 or earlier offer the “small services”: echo, chargen, and discard. (Small services are disabled by default in Cisco IOS software release 12.0 and later.) These services, especially their UDP versions, are infrequently used for legitimate purposes, and they can be used to launch DoS and other attacks that would otherwise be prevented by packet filtering.

For example, an attacker might send a DNS packet, falsifying the source address to be a DNS server that would otherwise be unreachable, and falsifying the source port to be the DNS service port (port 53). If such a packet were sent to the router UDP echo port, the result would be the router sending a DNS packet to the server in question. No outgoing access list checks would be applied to this packet because it would be considered to be locally generated by the router itself.

Although most abuses of the small services can be avoided or made less dangerous by antispoofing access lists, the services should almost always be disabled in any router which is part of a firewall or lies in a security-critical part of the network. Because the services are rarely used, the best policy is usually to disable them on all routers of any description.

The configuration that will be delivered to the router to disable UDP small servers is as follows:

no service udp-small-servers

You can undo this fix using the Cisco SDM Security Audit feature. To learn how, see the Security Audit online help in Cisco SDM. For more information, click Cisco Router and Security Device Manager.

Disable IP BOOTP Server Service

Cisco SDM Express disables Bootstrap Protocol (BOOTP) service whenever possible. BOOTP allows both routers and computers to automatically configure necessary Internet information from a centrally maintained server upon startup, including downloading Cisco IOS software. As a result, BOOTP can potentially be used by an attacker to download a copy of a router’s Cisco IOS software.

In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should be disabled or filtered by a firewall.
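As an added illustration (not part of the manual or of Cisco SDM Express itself), the following script audits a running-config for the two services discussed above, applying the version-dependent default rule: IOS shows only non-default lines, so on 11.3 and earlier the absence of `no service udp-small-servers` means the service is on, while on 12.0 and later the absence of `service udp-small-servers` means it is off. The `service tcp-small-servers` and `ip bootp server` keywords are the IOS counterparts assumed here (the manual only shows the UDP command), and the config excerpts are constructed samples.

```python
import re

# Constructed sample running-config excerpts (not taken from the manual).
CONFIG_OLD = """version 11.3
hostname edge-rtr
!
ip bootp server
"""

CONFIG_NEW = """version 12.3
hostname edge-rtr
service udp-small-servers
no ip bootp server
"""

def ios_version(config):
    """Return the (major, minor) IOS version from the 'version' line, or None."""
    m = re.search(r"^version\s+(\d+)\.(\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def small_servers_default_on(version):
    # Per the manual: small servers are on by default for 11.3 and earlier,
    # off by default from 12.0 onward. Unknown version is treated as modern.
    return version is not None and version < (12, 0)

def service_enabled(config, keyword, default_on):
    """True if the service is effectively enabled.
    An explicit 'no <keyword>' or '<keyword>' line wins; otherwise the
    default for this IOS release applies, since IOS omits default lines."""
    if re.search(rf"^no {keyword}\s*$", config, re.M):
        return False
    if re.search(rf"^{keyword}\s*$", config, re.M):
        return True
    return default_on

def audit(config):
    """Return the remediation commands SDM-style hardening would deliver."""
    small_default = small_servers_default_on(ios_version(config))
    checks = {
        "service udp-small-servers": small_default,
        "service tcp-small-servers": small_default,   # assumed TCP counterpart
        "ip bootp server": True,  # assumption: BOOTP server is on by default
    }
    return [f"no {kw}" for kw, default_on in checks.items()
            if service_enabled(config, kw, default_on)]
```

Running `audit(CONFIG_OLD)` reports all three services because nothing in the 11.3 config disables them, while `audit(CONFIG_NEW)` reports only the explicitly re-enabled UDP small servers.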

OL-7141-04
1-29