Chapter 24 Security Audit
Fix It Page
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Disable IP Source Route
Security Audit disables IP source routing whenever possible. The IP protocol
supports source routing options that allow the sender of an IP datagram to control
the route that the datagram will take toward its ultimate destination, and generally
the route that any reply will take. These options are rarely used for legitimate
purposes in networks. Some older IP implementations do not process
source-routed packets properly, and it may be possible to crash machines running
these implementations by sending them datagrams with source routing options.
Disabling IP source routing will cause a Cisco router to never forward an IP
packet that carries a source routing option.
The configuration that will be delivered to the router to disable IP source routing
is as follows:
no ip source-route
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Enable Password Encryption Service
Security Audit enables password encryption whenever possible. Password
encryption directs the Cisco IOS software to encrypt the passwords, Challenge
Handshake Authentication Protocol (CHAP) secrets, and similar data that are
saved in its configuration file. This is useful for preventing casual observers from
reading passwords, for example, when they happen to look at the screen over an
administrator’s shoulder.
The configuration that will be delivered to the router to enable password
encryption is as follows:
service password-encryption
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
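To confirm that both fixes above are present on a device, the following added example (not part of the original guide or of Cisco SDM) checks a saved running-config for the two commands and lists any password lines still stored in clear text. The sample configurations, the function name audit_config, and the rule that a missing "no ip source-route" line means source routing is still enabled are assumptions made for this example.

```python
import re

# Constructed sample running-config fragments (not taken from a real device).
HARDENED = """\
service password-encryption
no ip source-route
enable secret 5 $1$EXAMPLE$0000000000000000000000
username admin password 7 0000000000
line vty 0 4
 password 7 0000000000
"""

UNHARDENED = """\
no service password-encryption
enable password labpass
username admin password 0 labpass
line vty 0 4
 password labpass
"""

# "password", an optional one-digit encryption type, then the stored value.
# "password-encryption" does not match because no whitespace follows "password".
PASSWORD_RE = re.compile(r"\bpassword\s+(?:(\d)\s+)?\S+")


def audit_config(config: str) -> dict:
    """Report whether the two Security Audit fixes appear in a config."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Global commands start in column 0; sub-mode commands are indented.
    global_cmds = {ln for ln in lines if ln and not ln.startswith(" ")}
    cleartext = []
    for number, ln in enumerate(lines, 1):
        m = PASSWORD_RE.search(ln)
        # No type digit, or type 0, means the value is stored unencrypted.
        if m and m.group(1) in (None, "0"):
            cleartext.append(number)
    return {
        # Assumption: without this line, source routing is left enabled.
        "source_route_disabled": "no ip source-route" in global_cmds,
        "password_encryption": "service password-encryption" in global_cmds,
        "cleartext_password_lines": cleartext,
    }


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, audit_config(cfg))
```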