Features to Disable on Your Gateway Routers
Your gateway router is the device most exposed to attack, especially if it sits outside your firewall. Table 13-1 lists a number of services that should be disabled to heighten security. The Level column shows whether the command is part of the global configuration or needs to be applied to specific interfaces.
Table 13-1. Features to disable on the router for heightened security

| Command | Level | Resulting action |
|---|---|---|
|  | Interface | Ignores incoming ARP requests for hosts within the network. |
|  | Interface | Disables translations of directed broadcasts to physical broadcasts. |
|  | Interface | Disables ICMP unreachable messages on an interface. |
|  | Interface | Disables redirect messages. A redirect message is generated to another device when a datagram is sent out over the same interface through which it was received. The redirect message tells the sending host that it should have been able to get to the destination without going through the router. Redirects have played a role in a number of attacks, so it’s safest to disable them. |
|  | Global | Causes the router to discard any packet with source-route information. Presumably, we don’t want hosts telling our router how to route the traffic. |
|  | Global | Disables the finger daemon on the router. Finger has always been a problem source; it lets attackers know who is logged in and provides ... |
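As an added example (not from the book), the following script audits a saved IOS running-config for the Table 13-1 settings, distinguishing global lines from per-interface stanzas so that an interface-level command is checked on every interface. The command strings are the standard IOS syntax for these features and are assumed here, not copied from the table; the sample config is constructed.

```python
"""Audit an IOS running-config for the Table 13-1 hardening settings (added example)."""
import re

# Table 13-1 features: global-level and interface-level IOS commands (assumed syntax).
GLOBAL_CHECKS = ["no ip source-route", "no service finger"]
INTERFACE_CHECKS = ["no ip proxy-arp", "no ip directed-broadcast",
                    "no ip unreachables", "no ip redirects"]

def parse_config(text):
    """Split a running-config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # separators and comments carry no configuration
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented: inside the stanza
        else:
            current = None  # any unindented line ends the interface stanza
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(text):
    """Return (scope, command) pairs for each hardening command not present.
    Only explicit lines are checked; a default IOS does not print is reported too."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", c) for c in GLOBAL_CHECKS if c not in global_lines]
    for name, lines in interfaces.items():
        findings += [(name, c) for c in INTERFACE_CHECKS if c not in lines]
    return findings

# Constructed sample config (not from the book): Fa0/0 hardened, Fa0/1 not.
SAMPLE_CONFIG = """\
no service finger
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachables
 no ip redirects
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
"""
```

Calling `audit(SAMPLE_CONFIG)` reports `no ip source-route` missing globally and all four interface commands missing on FastEthernet0/1; because the script only sees explicit lines, treat each finding as an item to verify on the device rather than a confirmed misconfiguration.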