Router Security (Disable unnecessary servers and services)
Lecture 4
Asst. Prof. Dr. Noor Ghazi

Objectives
- Learn the main steps for router security through disabling unnecessary services.
- Understand some of the router's services and how to disable them.

Disable unnecessary services
Network devices such as routers and switches come out of the box with a set of services turned on that are considered appropriate for most network environments. Since not all networks have the same requirements, some of these services may not be needed and can therefore be disabled.
Disabling unnecessary services has two benefits:
1. It preserves system resources.
2. It eliminates the potential for exploits against the disabled services, each of which could otherwise serve as a back door through which an attacker gains access to the device.

Router servers and services
A router has many services enabled by default. Many of these servers are unnecessary and may be used by an attacker for information gathering or exploitation. SNMP, DNS and TFTP in particular must be carefully managed to ensure that the network devices operate securely. All unnecessary servers should be disabled in the router configuration.

Summary of some router IP servers and services

Disable unnecessary servers: Disable the Finger server
The Finger service is used to query a host about its logged-in users. Cisco IOS supports a Finger service, which is enabled by default. Finger can be used to gather information about a router (for example, which administrators are logged in) that could be used in further attacks. The global configuration command no ip finger disables acceptance of Finger protocol requests. (Older IOS releases use the equivalent no service finger.)

Disable unnecessary servers: Disable the HTTP server
Cisco IOS software supports a simple Hypertext Transfer Protocol (HTTP) server on routers running release 11.2 and later. The HTTP server allows remote administration of the router through a web browser. If it is not needed it is additional attack surface: it exposes the router to web-based attacks against the server itself, and as plain HTTP it carries administrative credentials in cleartext. It is disabled with the no ip http server global configuration command. Note that the HTTPS listener (ip http secure-server) is a separate service; if it has been enabled it must be disabled separately with no ip http secure-server.

Disable unnecessary servers: Disable the BOOTP server
BOOTP is a UDP-based protocol used by some hosts to load their operating system over the network. Cisco routers can use it to obtain a copy of Cisco IOS Software from another Cisco router running the BOOTP service. In practice BOOTP is rarely used, and it offers an attacker the ability to download a copy of the router's Cisco IOS software. BOOTP is enabled by default. In the scenario on the following slide, one Cisco router acts as a Cisco IOS Software server that can download the software to other Cisco routers acting as BOOTP clients. To disable the BOOTP service, use the no ip bootp server global configuration command.

Disable unnecessary servers: Disable the TFTP server
The Trivial File Transfer Protocol (TFTP) is supported in Cisco IOS software. It is used primarily to load Cisco IOS software images and configuration files over the network. TFTP is insecure: it supports no authentication and transfers files in cleartext, so it should only be used on a network that is considered wholly trusted. The IOS TFTP server is disabled by default. It is enabled per file with the tftp-server flash:filename global configuration command, and if it has been previously enabled it is disabled again with the corresponding no tftp-server flash:filename command (the same file must be named).

Disable unneeded services: Disable the DNS service
Cisco IOS software supports looking up host names using the Domain Name Service (DNS). DNS is used to translate host names to IP addresses. To turn off DNS name queries, use the no ip domain-lookup global configuration command (newer releases write it as no ip domain lookup). If you want the router to send DNS name queries to a DNS server for resolution of a name to an IP address, specify the IP address of a trusted DNS server with the ip name-server global configuration command; if lookups are left on and no name server is configured, IOS broadcasts its queries to 255.255.255.255, where any host on the segment can answer them.

Verification: after making the changes, confirm them with show running-config | include finger|http|bootp|tftp|domain, and check that the corresponding listeners are gone with show ip sockets.
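The commands from the Finger, HTTP, BOOTP, TFTP and DNS slides, gathered into one audit script. This is an added example for the lecture, not part of the lecture itself and not Cisco tooling: it reads a saved running-config, reports which of the lecture's services are still enabled (using the default states the lecture gives; the HTTP server default varies by platform and is assumed to be on), and returns the global configuration commands needed to disable them. The two config fragments, the hostname edge-rtr, the name server 10.0.0.53 and the image name flash:ios-image.bin are constructed sample data. The HTTPS listener (ip http secure-server) is not covered by the lecture; it is included because no ip http server alone does not turn it off.

```python
"""Audit a Cisco IOS running-config for the services discussed in Lecture 4.

Added example, not Cisco code. The config fragments are constructed samples.
Default states follow the lecture (Finger, BOOTP and DNS lookup on by default,
the TFTP server off by default); the HTTP server default is an assumption.
"""
import re

# For each service: regex matching the line that enables it in a running-config,
# the canonical global-configuration command that disables it, and the default
# state when no line at all is present.
SERVICES = {
    "finger": {"enable": r"^ip finger$", "disable": "no ip finger", "default": True},
    "http":   {"enable": r"^ip http server$", "disable": "no ip http server", "default": True},
    # HTTPS is a separate listener; 'no ip http server' does not turn it off.
    "https":  {"enable": r"^ip http secure-server$", "disable": "no ip http secure-server", "default": False},
    "bootp":  {"enable": r"^ip bootp server$", "disable": "no ip bootp server", "default": True},
    # The TFTP server is enabled per file ('tftp-server flash:NAME'); the
    # disabling command must name the same file, so it is built from the line found.
    "tftp":   {"enable": r"^tftp-server \S+", "disable": "no tftp-server", "default": False},
    # Older IOS writes 'ip domain-lookup', newer IOS 'ip domain lookup'; accept both.
    "dns":    {"enable": r"^ip domain[ -]lookup$", "disable": "no ip domain-lookup", "default": True},
}


def audit(config_text):
    """Return {service: (enabled, disable_commands)} for a running-config."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    report = {}
    for name, spec in SERVICES.items():
        pattern = re.compile(spec["enable"])
        enabled, explicit = spec["default"], []
        for line in lines:
            if line.startswith("no ") and pattern.match(line[3:]):
                enabled, explicit = False, []       # explicitly disabled in the config
            elif pattern.match(line):
                enabled = True
                explicit.append("no " + line)        # undo exactly the line that enables it
        if enabled:
            report[name] = (True, explicit or [spec["disable"]])
        else:
            report[name] = (False, [])
    return report


def dns_name_servers(config_text):
    """Servers named by 'ip name-server'; if lookups stay on, this must not be empty."""
    servers = []
    for line in config_text.splitlines():
        m = re.match(r"^ip name-server\s+(.+)$", line.strip())
        if m:
            servers.extend(m.group(1).split())
    return servers


def hardening_commands(config_text, keep_dns=False):
    """Global-configuration commands that disable every service the audit found enabled.

    keep_dns=True leaves DNS lookups on (the lecture's alternative: keep DNS but
    point it at a trusted server with 'ip name-server').
    """
    cmds = ["configure terminal"]
    for name, (enabled, fixes) in audit(config_text).items():
        if name == "dns" and keep_dns:
            continue
        cmds.extend(fixes)
    cmds.append("end")
    return cmds


# Constructed 'before' fragment. Finger and BOOTP do not appear because they are
# on by default; HTTP, DNS lookup and a TFTP-served image are configured explicitly.
DEFAULT_CONFIG = """\
! constructed sample, not from a real device
hostname edge-rtr
ip http server
ip domain lookup
tftp-server flash:ios-image.bin
ip name-server 10.0.0.53
"""

# Constructed 'after' fragment: the lecture's commands applied, DNS kept but
# pointed at a trusted name server.
HARDENED_CONFIG = """\
! constructed sample after hardening
hostname edge-rtr
no ip finger
no ip http server
no ip http secure-server
no ip bootp server
ip domain lookup
ip name-server 10.0.0.53
"""

if __name__ == "__main__":
    for svc, (on, fixes) in audit(DEFAULT_CONFIG).items():
        print(f"{svc:7s} {'ENABLED ' if on else 'disabled'} {' ; '.join(fixes)}")
    print("\n".join(hardening_commands(DEFAULT_CONFIG, keep_dns=True)))
    print("dns servers after hardening:", dns_name_servers(HARDENED_CONFIG))
```

Run it against the output of show running-config saved to a file; the printed block can be pasted into configure terminal as-is. A service that appears neither as an enabling nor as a disabling line is reported according to its default, which is why Finger and BOOTP show up as enabled in the first sample even though no line mentions them.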