16-7
Cisco Router and Security Device Manager Version 2.2 Users Guide
OL-4015-08
Chapter16 Security Audit
Fix It Page
The configuration that will be delivered to the router to disable the Finger service
is as follows:
no service finger
This fix can be undone. To learn how, click Undoing Security Audit Fixes..
Disable PAD Service
Security Audit disables all packet assembler/disassembler (PAD) commands and
connections between PAD devices and access servers whenever possible.
The configuration that will be delivered to the router to disable PAD is as follows:
no service pad
This fix can be undone. To learn how, click Undoing Security Audit Fixes..
Disable TCP Small Servers Service
Security Audit disables small services whenever possible. By default, Cisco
devices running Cisco IOS version 11.3 or earlier offer the small services: echo,
chargen, and discard. (Small services are disabled by default in Cisco IOS
software version12.0 and later.) These services, especially their User Datagram
Protocol (UDP) versions, are infrequently used for legitimate purposes, but they
can be used to launch DoS and other attacks that would otherwise be prevented by
packet filtering.
For example, an attacker might send a Domain Name System (DNS) packet,
falsifying the source address to be a DNS server that would otherwise be
unreachable, and falsifying the source port to be the DNS service port (port 53).
If such a packet were sent to the routers UDP echo port, the result would be the
router sending a DNS packet to the server in question. No ou tgoing access list
checks would be applied to this packet, since it would be consid ered to be locally
generated by the router itself.
Although most abuses of the small services can be avoided or made less dangerous
by anti-spoofing access lists, the services should almost always be disabled in any
router which is part of a firewall or lies in a security-critical part of the network.
Since the services are rarely used, the best policy is usually to disable them on all
routers of any description.