All about routers

Expert Reference Series ofWhite Papers
1-800-COURSES www.globalknowledge.com
HowVulnerable Are
Your Cisco IOS
Routers?

Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 2
HowVulnerable AreYour Cisco IOS
Routers?
Carol Kavalla, Global Knowledge Instructor, BS, CCSI, CCDP
Introduction
Security of the network is a top priority for companies. Of course, this would include securing Cisco routers. It
may be surprising to some that Cisco routers run many services that could create vulnerabilities. Some of these
services are enabled by default.
This white paper lists a number of the services that should be disabled and why.Additionally, some best prac-
tices for securing your Cisco routers are defined.
This is not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulner-
abilities, nor of all best practices for configuring Cisco routers.There are several Cisco security courses that cover
this information in depth. Rather, this paper is meant to be a vehicle for discussion regarding the security of
Cisco routers.
Services that Are Enabled by Default
The services below are enabled by default (in some cases depending on the version of IOS installed on the
router) and should be disabled if not in use.
BOOTP server
This allows a router to act as a BOOTP server for other routers; thereby allowing them to load their operating
system over the network from the router acting as the BOOTP server.
A hacker could use the BOOTP service to download a copy of the router’s IOS software.The tools for this type of
attack are available on the Internet.
If not required, the BOOTP service should be disabled.The following global command can be used to disable
BOOTP: no ip bootp server.
Cisco Discovery Protocol (CDP)
Cisco Discover Protocol is used to obtain information about directly connected Cisco neighbors.The informa-
tion gleaned from CDP includes ip addresses, hardware model information, and operating system version.This

feature could allow a hacker to gain information about the configuration of the device and of the network
infrastructure. If not needed, it should be disabled globally or on an interface by interface basis.
CDP can be disabled globally with the no cdp run command and on the interface with the no cdp enable
command.
CDP needs to be enabled when using Cisco IP phones. If it has been disabled globally on the switch, it can be
enabled on the interface using the cdp enable command.
There are several known attacks on the Cisco IP Phone CDP feature, so it is a decision for each network adminis-
trator to determine the risk versus the obvious benefits of CDP to support Cisco IP Telephony solutions.
HTTP Configuration and Monitoring
The default setting for this service is device-dependent. HTTP service allows the router to be monitored or con-
figured from a web browser. HTTP is a clear-text protocol and is vulnerable to various packet-capture methods.
A hacker could monitor network traffic and capture authentication usernames and passwords.This issue is made
more serious when the enable password is used for authentication because this knowledge would give the at-
tacker full administrative access to the device. Once usernames and passwords have been captured, it is simply
a matter of using the credentials to log into the router.
If not required, the HTTP service should be disabled. If web access to the device is required, consider using
HTTPS or Secure Shell (SSH).The encrypted HTTPS and SSH services may require an IOS or hardware upgrade.
The HTTP service can be disabled with the following IOS global command: no ip http server.
Domain Name System (DNS)
By default, Cisco routers broadcast name requests to 255.255.255.255.A hacker who is able to capture network
traffic could monitor DNS queries from the Cisco Router.
Domain lookups can be disabled with the following global command: no ip domain-lookup.
Packet Assembler / Disassembler (PAD)
The Packet Assembler / Disassembler service enables X.25 connections between network systems.The PAD ser-
vice is enabled by default on most Cisco IOS devices, but it is only required if support for X.25 links is necessary.
Running unused services increases the chances of a hacker finding a security hole or compromising a device.
The PAD service can be disabled with the following global configuration: no service pad.

Internet Control Message Protocol (ICMP) Redirects
ICMP redirects cause the router to send ICMP redirect messages whenever the router is forced to resend a
packet through the same interface on which it was received. By sending ICMP redirects, a hacker can redirect
packets to an untrusted device.
To stop ICMP redirects, use the following interface command: no ip redirects.This needs to be done on all
interfaces.
IP Source Routing
IP source routing is a feature whereby a network packet can specify how it should be routed through the net-
work. IP source routing can allow a hacker to specify a route for a network packet to follow, possibly to bypass a
Firewall or an Intrusion Detection System (IDS).A hacker could also use source routing to capture network traffic
by routing it through a system controlled by the attacker.
A hacker would have to control either a routing device or an end point device in order to modify a packets route
through the network. However, tools are available on the Internet that would allow a hacker to specify source
routes.Tools are also available to modify network routing using vulnerabilities in some routing protocols.
This can be disabled using the global command: no ip source-route.
Finger Service
Finger service allows a hacker to find out who is logged into the router and allows them to find out valid login
names.The information they could access includes the processes running on the system, the line number, con-
nection name, idle time, and terminal location.This information is provided through the Cisco IOS software
show users EXEC command. Unauthorized persons can use this information for reconnaissance attacks.
This service can easily be disabled using the global command: no service finger or no ip finger (depend-
ing on the version of code).This command keeps your router from replying to finger requests. In addition to this
command, an inbound access list that blocks port 79 should be applied.
Proxy ARP
This feature configures the router to act as a proxy for Layer 2 address resolution when hosts have no default
gateway configured.When a host sends an ARP, the router responds to it with its own mac address as the one
to use for the remote system.When DHCP is being used, there is no need to have Proxy ARP enabled.Attackers
may be able to spoof packets and gather information about your router and your network.
Proxy ARP can be disabled on the interface with the following command: no ip proxy-arp.

IP Directed Broadcast
This is enabled by default prior to Cisco IOS software Release 12.0 and disabled by default in release 12.0 or
later. IP-directed broadcasts are used in the smurf denial of service (DoS) attack and other related attacks.
Services that Are Disabled by Default
Configuration Auto-loading
Auto-loading of configuration files from a network server should remain disabled when not in use by the router.
FTP Server
The FTP server enables you to use our router as an FTP server for FTP client requests. Because it allows access to
certain files in the router Flash memory, this service should remain disabled when it is not required.
TFTP Server
The TFTP server enables you to use your router as a TFTP server for TFTP clients. It allows access to certain files
in your Flash memory.This service should remain disabled if not required.
NetworkTime Protocol (NTP)
When enabled, the router acts as a time server for other network devices. If configured insecurely, NTP can be
used to corrupt the router clock and, potentially, the clock of other devices that learn time from the router. Cor-
rect time is essential for setting proper time stamps for IPsec encryption services, log data, and diagnostic and
security alerts. If this service is used, it restricts which devices have access to NTP.
ICMP Mask Reply
When enabled, this service tells the router to respond to ICMP mask requests by sending ICMP mask reply
messages containing the interface IP address mask.This information can be used to map the network, and this
service should be explicitly disabled on interfaces to untrusted networks.
TCP keepalives
TCP keepalives help terminate TCP connections where a remote host has rebooted or otherwise stopped pro-
cessing TCP traffic.This connection could become orphaned, and a hacker could attempt a DoS attack against
a Cisco router by exhausting the number of possible connections.TCP keepalives should be enabled globally to
confirm that a remote connection is valid and, if not, terminate any orphaned connections.
This can be configured from global configuration mode service tcp-keepalives-in.
Additional Security Issues
In addition to the services listed above, the following security issues should be considered when configuring a
Cisco router.

Router Interfaces
Unused router interfaces should be disabled to limit unauthorized access to the router and to the network.
ConnectionTimeout
Connection timeouts can be configured for console ports, auxiliary ports, and VTY lines. If an administrator does
not correctly terminate the connection, it will automatically close after the timeout expires. However, if a time-
out is not configured, or is configured to be a long timeout, an unauthorized user may be able to gain access
using the administrator’s previously logged-in connection.
The attacker would have to gain physical access to the device to use the console port.A default timeout of 10
minutes is configured on the router console port.
SoftwareVersion
It is extremely important that software be regularly maintained with patches and upgrades in order to help
mitigate the risk of a hacker exploiting a known software vulnerability.
Auxiliary Port
The auxiliary port’s primary purpose is to provide remote administration capability. It can allow a remote admin-
istrator to use a modem to dial into the Cisco device.
If not in use, the auxiliary port exec should be disabled.This can be done with the no exec command on the
aux port:.
If the auxiliary port is required for remote administration, the callback feature can be configured to dial a spe-
cific preconfigured telephone number for additional security.
Minimum Password Length
Cisco introduced an option with IOS version 12.3(1) that forces user, enable, secret, and line passwords to meet
a minimum length.This setting was introduced to help prevent the use of short passwords.With a small mini-
mum password length configured, it is possible for a short password to be used. If a hacker were able to gain
a password through a dictionary-attack or by a brute-force method, the attacker could gain a level of access
to the router.This is made more serious by the fact that a number of dictionary-based password guessing and
password brute-force tools are available on the Internet.
A requirement for a minimum password length can be configured.The minimum password length can be config-
ured with the following command: security passwords min-length length.
Service Password Encryption
Cisco service passwords are stored by default in their clear-text form rather than being encrypted.

If a malicious user were to see a Cisco configuration that contained clear-text passwords, they could use the
passwords to access the device. Cisco password encryption service should be enabled.The Cisco password en-
cryption service can be started with the following Cisco global command: service password-encryption.
Even though these passwords can be easily decrypted with tools available on the Internet, they are still more
secure than clear-text passwords. In addition, the encryption prevents an unauthorized person from looking over
an administrators shoulder and reading the passwords in clear-text.
Summary
All of the potential vulnerabilities listed in this paper can be real threats to Cisco routers.An awareness of these
threats will be instrumental in securing your Cisco routers.
Again, this was not intended to be an exhaustive listing of all services enabled on Cisco routers that could cre-
ate vulnerabilities, nor of all best practices for configuring Cisco routers.The intent of this paper has been for it
to be a vehicle for discussion regarding the security of those routers.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
Check out the following Global Knowledge courses:
CCNA Boot Camp v2.0
ISCW – Implementing Secure Converged Wide Area Networks
IINS – Implementing Cisco IOS Unified Communications
CCDA Boot Camp
For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a
sales representative.
Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our
expert instructors draw upon their experiences to help you understand key concepts and how to apply them to
your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning,
and On-site sessions, to meet your IT and management training needs.
About the Author
Carol Kavalla’s background includes teaching at Rockland Community College in New York, managing networks
and being a consultant for the NYS small business development center. For the last eight and a half years Carol
has taught for Global Knowledge and is certified to teach nine Cisco Courses: ICND1, ICND2, CCDA, BSCI,
BCMSN,TCN, ICMI, BGP and ARCH. She also has a consulting firm in Charleston, South Carolina where she
works with small companies (100-200 nodes) installing, configuring routers and switches, and troubleshooting
network problems.

References
Akin,Thomas. Cisco Router Device Router Security Report.
Akin,Thomas. Hardening Cisco Routers. O’Reilly Media, Inc. Sebastopol, CA. 2002.
Akin,Thomas. Implementing Security Wide Area Networks.

All about routers

More Related Content

What's hot

Similar to All about routers

Recently uploaded

All about routers