Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Turning Off and Configuring Network Services

125

When running in monitor mode, TCP Intercept will forward and monitor these TCP three-way handshakes. When it sees one that’s poking along beyond an administrator-defined interval, TCP Intercept will intervene and close that connection. This means that the server won’t leave resources open and hanging while waiting for the final ACK to come back.

When enabling TCP Intercept, you use an access list to define the connections to which TCP Intercept will be applied.

Suppose that you want to use TCP intercept to protect a server in your DMZ at IP address 172.16.10.25. The configuration commands would look like this:

Lab_B#config t
Lab_B(config)#access-list 151 permit tcp any host 172.16.10.25
Lab_B(config)#ip tcp intercept list 151
Lab_B(config)#ip tcp intercept mode intercept
Lab_B(config)#^Z
Lab_B#

If your problem is fighting DoS attacks, your solution is to use TCP Intercept.
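The following Python model is an added illustration, not code from the book or from Cisco IOS: it tracks half-open handshakes only for connections that access list 151 selects (TCP to 172.16.10.25) and resets any handshake that idles past the watch timer. The 30-second timer, the client addresses and the event sequence are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed watch timer; the IOS default for "ip tcp intercept watch-timeout" is 30 s.
WATCH_TIMEOUT = 30
WATCHED_SERVER = "172.16.10.25"   # the DMZ host from access-list 151 on the page

def matches_list_151(proto, dst_ip):
    """access-list 151 permit tcp any host 172.16.10.25"""
    return proto == "tcp" and dst_ip == WATCHED_SERVER

@dataclass
class TcpInterceptWatch:
    """Bookkeeping for half-open handshakes (SYN seen, final ACK not yet seen)
    on connections the access list selects; everything else passes untouched."""
    half_open: dict = field(default_factory=dict)   # (client, server) -> SYN time
    resets_sent: list = field(default_factory=list)

    def on_syn(self, src, dst, now, proto="tcp"):
        if matches_list_151(proto, dst):
            self.half_open[(src, dst)] = now

    def on_final_ack(self, src, dst):
        # Handshake completed normally: stop watching this connection.
        self.half_open.pop((src, dst), None)

    def tick(self, now):
        """Close every handshake that has idled longer than the watch timer,
        so the server is not left holding the embryonic connection."""
        for key, started in list(self.half_open.items()):
            if now - started > WATCH_TIMEOUT:
                self.resets_sent.append(key)   # router resets the server side
                del self.half_open[key]
        return list(self.resets_sent)

def demo():
    """Constructed event sequence: one SYN that never completes, one that does,
    and one to a host outside list 151."""
    w = TcpInterceptWatch()
    w.on_syn("198.51.100.7", WATCHED_SERVER, now=0)     # never finishes
    w.on_syn("203.0.113.9", WATCHED_SERVER, now=1)
    w.on_final_ack("203.0.113.9", WATCHED_SERVER)       # legitimate client
    w.on_syn("203.0.113.9", "172.16.10.40", now=2)      # not watched
    w.tick(now=20)   # 20 s: nothing has exceeded the timer yet
    w.tick(now=40)   # 40 s: the stale handshake is reset and dropped
    return w
```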

Turning Off and Configuring Network Services

Besides encryption, ACLs, and authorization, there are some additional commands you can configure on your perimeter router to limit access to it. By default, the Cisco IOS runs some services that are unnecessary to its normal operation, and if you don’t disable them, they can be easy targets for DoS attacks and break-in attempts.

Plus, if you just use a Cisco router’s default settings, it won’t check routing paths to stop illegitimate traffic, and ARP traffic will be allowed to pass through its interfaces.

Blocking SNMP Packets

The Cisco IOS default configurations permit remote access from any source, so unless you’re either way too trusting or insane, it should be totally obvious to you that those configurations need a bit of attention. You’ve got to restrict them. If you don’t, the router will be a pretty easy target for an attacker who wants to log in to it. This is where access lists come into the game—they can really protect you.

If you place the following command on the serial0/0 interface of the perimeter router, it’ll stop any SNMP packets from entering the router or the DMZ. (You’d also need to have a permit command along with this list to really make it work, but this is just an example.)

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

126 Chapter 4 Cisco Perimeter Router Problems and Solutions

Lab_B(config)#access-list 110 deny udp any any eq snmp
Lab_B(config)#interface s0/0
Lab_B(config-if)#ip access-group 110 in

Disabling Echo

In case you don’t know this already, small services are servers (daemons) running in the router that are quite useful for diagnostics. And here we go again—by default, the Cisco router has a series of diagnostic ports enabled for certain UDP and TCP services, including echo, chargen, and discard.

When a host attaches to those ports, a small amount of CPU is consumed to service these requests. All a single attacking device needs to do is send a whole slew of requests with different, random, phony source IP addresses to overwhelm the router, making it slow down or even fail. You can use the no version of these commands to stop a chargen attack:

Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers

Finger is a utility program designed to allow users of Unix hosts on the Internet to get information about each other:

Lab_B(config)#no service finger

This matters because the finger command can be used to find information about all users on the network and/or the router. It’s also why you should disable it. The finger command is equivalent to issuing the show users command on the router.

Here are the TCP small services:

Echo: Echoes back whatever you type. Type the command telnet x.x.x.x echo ? to see the options.

Chargen: Generates a stream of ASCII data. Type the command telnet x.x.x.x chargen ? to see the options.

Discard: Throws away whatever you type. Type the command telnet x.x.x.x discard ? to see the options.

Daytime: Returns the system date and time, if correct. It is correct if you are running NTP or have set the date and time manually from the exec level. Type the command telnet x.x.x.x daytime ? to see the options.

The UDP small services are as follows:

Echo: Echoes the payload of the datagram you send.

Discard: Silently pitches the datagram you send.


Chargen: Pitches the datagram you send and responds with a 72-character string of ASCII characters terminated with a CR+LF.

Turning Off BOOTP and Auto-Config

Again, by default, the Cisco router also offers async line BOOTP service as well as remote autoconfiguration. To disable these functions on your Cisco router, use the following commands:

Lab_B(config)#no ip bootp server
Lab_B(config)#no service config

Disabling the HTTP Interface

The ip http server command may be useful for configuring and monitoring the router, but the cleartext nature of HTTP can obviously be a security risk. To disable the HTTP process on your router, use the following command:

Lab_B(config)#no ip http server

To enable an HTTP server on a router for AAA, use the global configuration command ip http server.

Disabling IP Source Routing

The IP header source-route option allows the source IP host to set a packet’s route through the IP network. With IP source routing enabled, packets containing the source-route option are forwarded to the router addresses specified in the header. Use the following command to disable any processing of packets with source-routing header options:

Lab_B(config)#no ip source-route

Disabling Proxy ARP

Proxy ARP is the technique in which one host—usually a router—answers ARP requests intended for another machine. By “faking” its identity, the router accepts responsibility for getting those packets to the “real” destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway. The following command disables proxy ARP:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip proxy-arp

Apply this command to all your router’s interfaces.


Disabling Redirect Messages

ICMP redirect messages are used by routers to notify hosts on the data link that a better route is available for a particular destination. To disable the redirect messages so bad people can’t draw out your network topology with this information, use the following command:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip redirects

Apply this command to all your router’s interfaces.

Disabling the Generation of ICMP Unreachable Messages

The no ip unreachables command prevents the perimeter router from divulging topology information by telling external hosts which subnets are not configured. This command is used on a router’s interface that is connected to an outside network:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip unreachables

Again, apply this to all the interfaces of your router.

Disabling Multicast Route Caching

The multicast route cache holds the router’s multicast routing cache entries. Because the packets it handles can be read, it creates a security problem. To disable multicast route caching, use the following command:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip mroute-cache

Apply this command to all the interfaces of your router.

Disabling the Maintenance Operation Protocol (MOP)

The Maintenance Operation Protocol (MOP) works at the Data Link and Network layers in the DECnet protocol suite and is used for utility services such as uploading and downloading system software, remote testing, and problem diagnosis. So, who uses DECnet? Anyone with their hands up? I didn’t think so. To disable this service, use the following command:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no mop enabled

Apply this command to all the interfaces of your router.
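As an added check that is not part of the book, the following Python parses a running-config and reports every service this section says to switch off that is not explicitly disabled, both globally and on each interface. The sample config is constructed for the example; because IOS does not display default settings and the defaults differ between releases, a missing "no ..." line is reported as a finding rather than trusted.

```python
# Constructed sample running-config (not from the book) with several gaps left in.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip source-route
ip http server
interface Serial0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 no mop enabled
interface FastEthernet0/1
 no ip proxy-arp
"""
# Global services this section switches off; each should appear as "no ...".
GLOBAL_SERVICES = ["service tcp-small-servers", "service udp-small-servers",
                   "service finger", "ip bootp server", "service config",
                   "ip http server", "ip source-route"]
# Per-interface settings the section disables on every interface.
INTERFACE_SERVICES = ["ip proxy-arp", "ip redirects", "ip unreachables",
                      "ip mroute-cache", "mop enabled"]

def parse_config(text):
    """Split a running-config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """Return (scope, service) pairs not explicitly disabled. IOS hides defaults
    and they differ by release, so a missing "no ..." line is reported, not trusted."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", s) for s in GLOBAL_SERVICES if "no " + s not in global_lines]
    for name, lines in interfaces.items():
        findings += [(name, s) for s in INTERFACE_SERVICES if "no " + s not in lines]
    return findings
```

Run it against the output of show running-config saved to a file to get the same list for a real router.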
