Manuals / Brands / Communications / Two-Way Radio / 321 Studios / Communications / Two-Way Radio

321 Studios OL-7141-04 Disable UDP Small Servers Service, Disable IP BOOTP Server Service

1 74

Download 74 pages, 849 Kb

1-29

Cisco SDM Express

OL-7141-04

Chapter1 Cisco SDM Express

Supplementary Help

Disable UDP Small Servers Service

Cisco SDM Express disables small services whenever possible. By default, Cisco

devices running Cisco IOS release 11.3 or earlier offer the “small servi ces”: echo,

chargen, and discard. (Small services are disabled by default in Cisco IOS

software release12.0 and later.) These services, especially their UDP versions,

are infrequently used for legitimate purposes, and they can be used to launch DoS

and other attacks that would otherwise be prevented by packet filtering.

For example, an attacker might send a DNS packet, falsifying the source address

to be a DNS server that would otherwise be unreachable, and falsifying t he source

port to be the DNS service port (port 53). If such a packet were sent to the ro uter

UDP echo port, the result would be the router sending a DNS packet to the server

in question. No outgoing access list checks would be applied to this packet

because it would be considered to be locally gener ated by the router itself.

Although most abuses of the small services can be avoided or made less dangerous

by antispoofing access lists, the services should almost always be disabled in any

router which is part of a firewall or lies in a security-critical part of the network.

Because the services are rarely used, the best policy is usually to disable them on

all routers of any description.

The configuration that will be delivered to the router to disable UDP small servers

is as follows:

no service udp-small-servers

You can undo this fix using the CiscoSD M Security Audit feature. To learn how,

see the Securi ty Audit online h elp in Cisco SDM. For more information, click

CiscoRouter and Security Device Manager.

Disable IP BOOTP Server Service

Cisco SDM Express disables Bootstrap Protocol (BOOTP) service whenever

possible. BOOTP allows both routers and computers to automatically configure

necessary Internet information from a centrally maintained server upon startup,

including downloading Cisco IOS software. As a result, BOOTP can potentially

be used by an attacker to download a copy of a router’s Cisco IOS software.

In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should

be disabled or filtered by a firewall.

Contents

Main Cisco SDM Express Users Guide Page CONTENTS Page Page Page CHAPTER Cisco SDM Express Welcome Basic Configuration Hostname Field Username and Password Fields Enable Secret Password Field Router Provisioning SDM Express USB Token or USB Flash Secure Device Provisioning CNS Server Provision From USB Token Provision From USB Flash File Selection Name Size Time Modified Wireless Interface Configuration LAN Interface Configuration Interface/Bridge-to-Interface List IP Address Field Subnet Mask Field Subnet Bits Field Wireless Parameters Fields DHCP Server Configuration Enable DHCP server on the LAN interface Check Box Starting IP Address Field Ending IP Address Field Import all DHCP option parameters to the DHCP server database Check Box Primary Domain Name Server Field Secondary Domain Name Server Field Use these DNS values for DHCP clients Check Box Internet (WAN): Ethernet Interface Enable PPPoE Check Box Authentication Type Check Box Username Field Confirm Password Field Internet (WAN): Autodetect Encapsulation Status Icon and Enable or Disable Button Internet (WAN): User Specified Encapsulation Status Icon and Enable or Disable Button Encapsulation List Virtual Path Identifier Field Virtual Circuit Identifier Field IP Address for Remote Connection in Central Office Field Authentication Type Check Box Username Field Confirm Password Field WAN Interface Selection Add Connection, Edit, Delete Buttons Enable or Disable Button Interface List Serial Connection Encapsulation List IP Address and Subnet Mask Fields Frame Relay Configuration Settings Link Frame Relay Configuration Settings DLCI Field LMI Type Field Use IETF Frame Relay Encapsulation Check Box Internet (WAN): Advanced Options Create Default Route Check Box CNS Server Information Enter the CNS Server IP Address /Hostname Field Enter the CNS ID String Field Firewall Configuration Security Settings Disable SNMP Services on Your Router Check Box Disable Services that Involve Security Risks Check Box Enable Services for Enhanced Security on the Router/Network Check Box Enhance Security on Router Access Check Box Encrypt Passwords Check Box Summary Supplementary Help Cisco Router and Security Device Manager Cisco Network Services Security Settings Disable SNMP Disable Finger Service Disable PAD Service Disable TCP Small Servers Service Disable UDP Small Servers Service Disable IP BOOTP Server Service Disable IP Identification Service Disable CDP Disable IP Source Route Enable Password Encryption Service Enable Netflow Switching Enable TCP Keepalives for Inbound Telnet Sessions Enable TCP Keepalives for Outbound Telnet Sessions Enable Sequence Numbers and Time Stamps on Debugs Enable IP CEF Set Scheduler Interval Set Scheduler Allocate Set TCP Synwait Time Enable Logging Enable Unicast RPF on Outside Interfaces Disable IP Gratuitous ARPs Disable IP Redirects Disable IP Proxy ARP Disable IP Directed Broadcast Disable MOP Service Disable IP Unreachables Disable IP Mask Reply Set Minimum Password Length to Less Than 6 Characters Set Authentication Failure Rate to Less Than 3 Retries Set Banner Enable Telnet Settings Enable SSH for Access to the Router Cisco SDM Express Buttons Help Button About Button Exit Button Apply Changes Button Reconnecting to the Router After Initial Configuration Testing Your WAN (Internet) Connection SDP Troubleshooting Tips Troubleshooting Tips CHAPTER Cisco SDM Express Edit Mode Overview Icons LAN Fields Internet (WAN) Fields Firewall Fields Basic Configuration Edit/Delete Buttons Username/Login Password/Password is Encrypted Fields Enable Secret Password Field Hostname Field LAN Bridge/Do not bridge LAN interface with wireless Checkbox LAN interface configuration Fields Wireless WANUnable to Configure WAN Interface No WAN Available Delete Connection Firewall Enable Firewall/Disable Firewall Buttons Unable to configure Firewall Window NAT Unable to Configure NAT Add or Edit Address Translation Rule Original Port Translated Port Protocol Routing Enable Check Box Forwarding (Next Hop) Field Security Settings Select All (Recommended by Cisco) Checkbox Disable Services that Involve Security Risks Checkbox Enable Services for Enhanced Security on the Router/Network Checkbox Encrypt Passwords Checkbox Synchronize with my local PC clock Checkbox Tools Ping Option Telnet Option Cisco SDM Option Software Update Option Update SDM from Cisco.com CCO Login Update SDM from Local PC Update SDM from CD Date and Time Properties Synchronize with my local PC clock Checkbox Synchronize Checkbox Edit Date and Time Fields Apply Button Reset to Factory Defaults Step 1: Save Running Config to PC Step 2: Write down these steps and then reset the router Reconfiguring Your PC with a Static or a Dynamic IP Address Page Feature Not Available Page INDEX B C D L M N P