Cisco Device Hardening

Disable Topology Discovery Tools

Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) advertise the device's platform, software version and management addresses to whatever sits at the other end of the link, which is useful information for anyone mapping your network. On interfaces that face networks outside your control, disable them with the interface commands no cdp enable, no lldp transmit and no lldp receive. Where no neighbour needs them at all, the global commands no cdp run and no lldp run turn them off on every interface.

Disable TCP and UDP Small Services

The TCP and UDP small servers (echo, chargen, discard and daytime) have no operational use and are easily abused for reflection and resource exhaustion. They are off by default in current IOS releases, but make that explicit with the global commands no service tcp-small-servers and no service udp-small-servers so the setting survives a platform or version change.

Enable TCP Keepalives

The global commands service tcp-keepalives-in and service tcp-keepalives-out make the device send TCP keepalives on inbound and outbound sessions, such as SSH or Telnet sessions to the VTY lines. If the remote end has gone away, the session is torn down, so half-open or orphaned connections do not accumulate and tie up VTY lines or memory.

Disable IP Redirect Services

An ICMP redirect tells a host that a better next hop exists for a destination. An IOS router sends one when it forwards a packet back out the same interface it arrived on (hairpinning), which discloses the router's forwarding decisions and next-hop addresses to every host on that segment. Disable sending them with the interface command no ip redirects.

Disable proxy Address Resolution Protocol (ARP)

Proxy ARP lets a router answer an ARP request for an address that is not on the local segment but that the router can reach.

The router replies with its own MAC address on behalf of the remote host, so the requesting host sends the traffic to the router without knowing it has left the segment. This papers over hosts with a wrong subnet mask or no default gateway, but it also lets any host on the segment reach networks through the router without a routing decision being visible to the host.

Disable it with the interface command no ip proxy-arp. Check first that nothing on the segment depends on it, such as hosts with a misconfigured subnet mask or a missing default gateway.

Disable service configuration

Cisco devices can load their configuration from a network server at boot (over TFTP, among other methods), which means a device that comes up without a configuration will accept one from whoever answers its requests. Disable this with the global command no service config.

Disable the Maintenance Operation Protocol (MOP) Service

The Maintenance Operation Protocol (MOP) is a DECnet-era protocol for remote loading and console access on DEC equipment and has no place on a modern network. It is enabled by default on Ethernet interfaces and is disabled per interface, not globally, with the interface command no mop enabled.

Disable the packet assembler/disassembler (PAD) Service

The PAD service supports X.25 and is enabled by default even though almost no network still needs it. Disable it with the global command no service pad.
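The items above are a checklist, and the practical question on a real estate of devices is which of them are actually missing from a given running-config. The following audit script is an added example, not code from the original post or from Cisco: it parses a constructed sample running-config (not taken from a real device), reports every hardening command from this page that is missing or present when it should not be, and renders the result as a snippet that can be pasted into configure terminal. It assumes IOS behaviour of omitting default settings from show running-config, and it assumes these defaults, which vary by platform and version and should be verified on yours: PAD on, TCP keepalives off, service config off, small servers off, CDP on, LLDP off, IP redirects on, proxy ARP on, MOP on for Ethernet interfaces. The sample interface names, addresses and reason strings are illustrative.

```python
import re

# Constructed sample running-config (not from a real device). IOS omits default
# settings, so GigabitEthernet0/0 is at defaults; GigabitEthernet0/1 is already hardened.
SAMPLE_CONFIG = """\
!
service config
!
lldp run
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 no cdp enable
 no lldp transmit
 no lldp receive
 no ip redirects
 no ip proxy-arp
 no mop enabled
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
end
"""

# (command, reason) tables. Assumed IOS defaults (verify on your platform): PAD on,
# keepalives off, service config off, small servers off, CDP on, LLDP off,
# IP redirects on, proxy ARP on, MOP on for Ethernet interfaces.
GLOBAL_REQUIRED = [
    ("no service pad", "X.25 PAD service is on by default"),
    ("service tcp-keepalives-in", "reap half-open inbound TCP sessions"),
    ("service tcp-keepalives-out", "reap orphaned outbound TCP sessions"),
]
GLOBAL_FORBIDDEN = [
    ("service config", "fetches configuration over TFTP at boot"),
    ("service tcp-small-servers", "TCP echo/chargen/discard/daytime"),
    ("service udp-small-servers", "UDP echo/chargen/discard"),
]
INTERFACE_REQUIRED = [
    ("no ip redirects", "ICMP redirects reveal next hops to the segment"),
    ("no ip proxy-arp", "router should not answer ARP for other networks"),
]

def parse_config(text):
    """Split a running-config into top-level lines and {interface: [sub-lines]}."""
    top, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # "!" closes the open block
        elif raw.startswith(" "):  # indented line belongs to the open block
            if current is not None:
                interfaces[current].append(raw.strip())
        elif (m := re.match(r"interface (\S+)$", raw)):
            current = m.group(1)
            interfaces.setdefault(current, [])
        else:
            current = None
            top.append(raw.strip())
    return top, interfaces

def audit(text):
    """Return findings as (scope, command, reason); scope is "global" or an interface."""
    top, interfaces = parse_config(text)
    present = set(top)
    findings = [("global", c, w) for c, w in GLOBAL_REQUIRED if c not in present]
    findings += [("global", "no " + c, w) for c, w in GLOBAL_FORBIDDEN if c in present]
    cdp_running = "no cdp run" not in present  # CDP runs unless disabled globally
    lldp_running = "lldp run" in present       # LLDP runs only if enabled globally
    for name, sub in interfaces.items():
        if name.lower().startswith(("loopback", "null", "tunnel", "vlan")):
            continue  # virtual interfaces are out of scope for this example
        if not any(s.startswith("ip address ") for s in sub):
            continue  # only routed ports are audited here
        required = list(INTERFACE_REQUIRED)
        if cdp_running:
            required.append(("no cdp enable", "CDP advertises platform and addresses"))
        if lldp_running:
            required += [("no lldp transmit", "LLDP advertises platform and addresses"),
                         ("no lldp receive", "LLDP accepts neighbour advertisements")]
        if "ethernet" in name.lower():
            required.append(("no mop enabled", "DEC MOP has no use on a modern network"))
        findings += [(name, c, w) for c, w in required if c not in sub]
    return findings

def remediation(findings):
    """Render findings as a snippet to paste into 'configure terminal'."""
    lines = [cmd for scope, cmd, _ in findings if scope == "global"]
    per_interface = {}
    for scope, cmd, _ in findings:
        if scope != "global":
            per_interface.setdefault(scope, []).append(cmd)
    for name, cmds in per_interface.items():
        lines += [f"interface {name}"] + [" " + c for c in cmds]
    return lines

if __name__ == "__main__":
    print("\n".join(remediation(audit(SAMPLE_CONFIG))))
```

Run against the sample it reports the four global items (PAD, both keepalives, service config) and the six interface items on GigabitEthernet0/0, and nothing for the already-hardened GigabitEthernet0/1. Because a running-config only shows non-default lines, the audit has to know the defaults; that is why the assumed defaults are written out in the comment, and why the first thing to do on a new platform is confirm them with show running-config all, which prints defaults too.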
