Features to Disable on Your Gateway Routers

Your gateway router is the device most exposed to attack, especially if it sits outside of your firewall. Table 13-1 lists a number of services that should be disabled to heighten security. The Level column shows whether the command is entered in global configuration mode or must be applied to each specific interface.

Table 13-1. Features to disable on the router for heightened security

Command                    Level      Resulting action
no ip proxy-arp            Interface  Ignores incoming ARP requests for hosts within the network.
no ip directed-broadcast   Interface  Disables translation of directed broadcasts to physical broadcasts.
no ip unreachables         Interface  Disables ICMP unreachable messages on an interface.
no ip redirects            Interface  Disables redirect messages. A redirect message is generated to another device when a datagram is sent out over the same interface through which it was received. The redirect message tells the sending host that it should have been able to get to the destination without going through the router. Redirects have played a role in a number of attacks, so it’s safest to disable them.
no ip source-route         Global     Causes the router to discard any packet with source-route information. Presumably, we don’t want hosts telling our router how to route the traffic.
no service finger          Global     Disables the finger daemon on the router. Finger has always been a problem source; it lets attackers know who is logged in and provides ...
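To check a router against Table 13-1 without reading every interface by hand, the following audit script, added here as an example and not part of the book, parses a saved "show running-config" text and reports which of the table's global and per-interface "no ..." lines are absent. The sample configuration, interface names and addresses are constructed for the example.

```python
# Hardening lines the table recommends, split by where IOS applies them.
GLOBAL_CHECKS = ("no ip source-route", "no service finger")
INTERFACE_CHECKS = ("no ip proxy-arp", "no ip directed-broadcast",
                    "no ip unreachables", "no ip redirects")

# Constructed 'show running-config' excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname gw-edge
no ip source-route
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachables
 no ip redirects
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
"""

def parse_running_config(text):
    """Split config text into global lines and {interface: [lines]}."""
    # Indented lines belong to the preceding 'interface' block; '!' ends it.
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces

def audit(text):
    """Map 'global' and each interface name to the hardening lines it lacks."""
    global_lines, interfaces = parse_running_config(text)
    findings = {"global": [c for c in GLOBAL_CHECKS if c not in global_lines]}
    for name, lines in interfaces.items():
        findings[name] = [c for c in INTERFACE_CHECKS if c not in lines]
    # An absent 'no ...' line means the platform default applies; that default
    # varies by IOS release, so every gap is reported for review.
    return {scope: gaps for scope, gaps in findings.items() if gaps}
```

Running audit(SAMPLE_CONFIG) flags the missing "no service finger" globally and the three interface settings absent from FastEthernet0/1, while FastEthernet0/0 is not reported.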
