16-9
Cisco Router and Security Device Manager Version 2.2 Users Guide
OL-4015-08
Chapter16 Security Audit
Fix It Page
In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should
be disabled or filtered via a firewall for this reason as well.
The configuration that will be delivered to the router to disable BOOTP is as
follows:
no ip bootp server
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable IP Identification Service
Security Audit disables identification support whenever possible. Identification
support allows you to query a TCP port for identification. This feature enables an
unsecure protocol to report the identity of a client initiating a TCP connection and
a host responding to the connection. With identification support, you can connec t
a TCP port on a host, issue a simple text string to request information, and receive
a simple text-string reply.
It is dangerous to allow any system on a directly connected segment to learn that
the router is a Cisco device and to determine the model number and the Cisco IOS
software version being run. This information may be used to design attacks
against the router.
The configuration that will be delivered to the router to disable the IP
identification service is as follows:
no ip identd
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable CDP
Security Audit disables Cisco Discovery Protocol (CDP) whenever possible. CDP
is a proprietary protocol that Cisco routers use to identify each other on a LAN
segment. This is dangerous in that it allows any system on a directly connected
segment to learn that the router is a Cisco device and to determine the model
number and the Cisco IOS software version being run. This information may be
used to design attacks against the router.
The configuration that will be delivered to the router to disable CDP is as follows:
no cdp run