Chapter16 Security Audit
Fix It Page
16-12
Cisco Router and Security Device Manager Version 2.2 Users Guide
OL-4015-08
service sequence-numbers
Enable IP CEF
Security Audit enables Cisco Express Forwarding (CEF) or Distri buted Cisco
Express Forwarding (DCEF) whenever possible. Because there is no need to build
cache entries when traffic starts arriving at new destinations, CEF behaves more
predictably than other modes when presented with large volumes of traffic
addressed to many destinations. Routes configured for CEF perform better und er
SYN attacks than routers using the traditional cache.
The configuration that will be delivered to the router to enable CEF is as follows:
ip cef
Disable IP Gratuitous ARPs
Security Audit disables IP gratuitous Address Resolution Protocol (ARP) requests
whenever possible. A gratuitous ARP is an ARP broadcast in which the source
and destination MAC addresses are the same. It is used primarily by a host to
inform the network about its IP address. A spoofed gratuitous ARP message ca n
cause network mapping information to be stored incorrectly, causing network
malfunction.
To disable gratuitous ARPs, the following configuration will be delivered to the
router:
no ip gratuitous-arps
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Set Minimum Password Length to Less Than 6 Characters
Security Audit configures your router to require a minimum password length of
six characters whenever possible. One method attackers use to crack passwords is
to try all possible combinations of characters until the password is discovered.
Longer passwords have exponentially more possible combinations of characters,
making this method of attack much more difficult.