321 Studios OL-7141-04 manual Disable IP Proxy ARP, Disable IP Directed Broadcast

Chapter 1 Cisco SDM Express

Supplementary Help

rules; some attacks are based on this. Disabling ICMP redirects will cause no operational impact to the network, and it eliminates this possible method of attack.

The configuration that will be delivered to the router to disable ICMP redirect messages is as follows:

no ip redirects

Disable IP Proxy ARP

Cisco SDM Express disables proxy Address Resolution Protocol (ARP) whenever possible. ARP is used by the network to convert IP addresses into MAC addresses. Normally ARP is confined to a single LAN, but a router can act as a proxy for ARP requests, making ARP queries available across multiple LAN segments. Because proxy ARP breaks the LAN security barrier, use it only between two LANs with an equal security level, and only when necessary.

The configuration that will be delivered to the router to disable proxy ARP is as follows:

no ip proxy-arp

You can undo this fix using the Cisco SDM Security Audit feature. To learn how, see the Security Audit online help in Cisco SDM. For more information, click Cisco Router and Security Device Manager.
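The settings this part of the guide delivers are all interface-level IOS commands, so verifying them on a running router means checking every IP-configured interface rather than the global config. The following audit script is an added example, not part of the Cisco SDM Express guide; it parses a constructed running-config and reports interfaces still missing the ICMP redirect and proxy ARP fixes shown above, plus the assumed IOS command `no ip directed-broadcast` for the directed-broadcast setting.

```python
# Constructed sample running-config (not from a real device); one interface is
# fully hardened, the others are not.
SAMPLE_CONFIG = """\
hostname edge-router
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip proxy-arp
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
"""

# Interface-level hardening commands (IOS syntax). The first two appear on this
# page; 'no ip directed-broadcast' is the assumed command for the third setting.
HARDENING = ("no ip redirects", "no ip proxy-arp", "no ip directed-broadcast")


def parse_interfaces(config):
    """Return {interface_name: [stripped sub-commands]} for each 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None           # '!' terminates the interface block
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def audit(config):
    """Return {interface: [missing hardening commands]} for IP-configured interfaces."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("ip address ") for l in lines):
            continue                 # no IP address: these commands do not apply
        missing = [cmd for cmd in HARDENING if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings
```

Feed it the output of `show running-config all` rather than plain `show running-config`, because IOS suppresses default settings and a feature that is off by default would otherwise be reported as missing.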

Disable IP Directed Broadcast

Cisco SDM Express disables IP directed broadcasts whenever possible. An IP directed broadcast is a datagram sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, the one that is connected directly to the target subnet, can conclusively identify a directed broadcast. Directed broadcasts are occasionally used for legitimate purposes, but such use is not common outside the financial services industry.

IP directed broadcasts are used in the extremely common and popular “smurf” Denial-of-Service attack, and they can also be used in related attacks. In a “smurf” attack, the attacker sends ICMP echo requests from a falsified source address to a

Cisco SDM Express

1-38

OL-7141-04
