Vulnerable Router Services

The following services have the potential to be exploited by attackers under certain conditions. If they are not required on a particular router, ensure that they are disabled. Remember, however, that many of these services perform important functions in some networks; they should only be disabled after considering the potential drawbacks of doing so:

■ BOOTP server—Enabled by default. Disable with the no ip bootp server command.
■ Cisco Discovery Protocol (CDP)—Enabled by default for most interface types. Disable on interfaces where not needed with the no cdp enable command.
■ Configuration auto-loading—Disabled by default.
■ FTP/TFTP servers—Disabled by default.
■ Network Time Protocol (NTP)—Disabled by default, but necessary for many security features.
■ Packet assembler/disassembler (PAD) service—Enabled by default. Disable with the no service pad command.
■ TCP and UDP small servers—For example, Echo, Chargen, Discard, Daytime. Disabled by default.
■ Maintenance Operations Protocol (MOP) service—Enabled for some Ethernet interfaces by default.
■ Simple Network Management Protocol (SNMP)—Disabled by default, but widely used.
■ HTTP—Enabled by default. Disable with the no ip http server global command if not needed.
■ DNS—Disabled by default.
■ Internet Control Message Protocol (ICMP) redirects—Enabled by default. Disable with the no ip redirects command if not needed.
■ IP source routing—Enabled by default. Disable with the no ip source-route command.
■ Finger service—Disabled by default.
■ ICMP unreachables—Enabled by default. Disable with the no ip unreachables command if not needed.
■ ICMP mask reply—Disabled by default.
■ TCP keepalives—Disabled by default. Enable with the service tcp-keepalives command.
■ Proxy ARP—Enabled by default. Disable with the no ip proxy-arp command if unneeded.
■ IP directed broadcasts—Disabled by default.
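As an added example (not part of the original text), the following Python script audits a Cisco IOS running-config fragment against the list above, applying the stated defaults: services enabled by default are reported unless their "no" form is present, and services disabled by default are reported only when explicitly configured, with CDP, redirects, unreachables and proxy ARP evaluated per interface. The command strings for the disabled-by-default services (service tcp-small-servers, ip finger, snmp-server community, ip directed-broadcast) and the global no cdp run override are standard IOS commands assumed here rather than given on the page; the sample configuration is constructed.

```python
from collections import defaultdict

# Enabled by default (per the list above): on unless the "no" form is configured.
GLOBAL_ON = {"BOOTP server": "no ip bootp server", "PAD service": "no service pad",
             "HTTP server": "no ip http server", "IP source routing": "no ip source-route"}
# Disabled by default: on only when explicitly configured (command forms assumed).
GLOBAL_OFF = {"TCP small servers": "service tcp-small-servers", "finger": "ip finger",
              "UDP small servers": "service udp-small-servers", "SNMP": "snmp-server community"}
# Per-interface features enabled by default; "no cdp run" is the global CDP override.
IFACE_ON = {"CDP": "no cdp enable", "ICMP redirects": "no ip redirects",
            "ICMP unreachables": "no ip unreachables", "proxy ARP": "no ip proxy-arp"}
IFACE_OFF = {"IP directed broadcasts": "ip directed-broadcast"}

def audit(config: str) -> dict:
    """Return {'global': [...], 'interfaces': {name: [...]}} of services still enabled."""
    lines = config.splitlines()
    top = {ln.strip() for ln in lines if not ln.startswith(" ")}
    per_iface, current = defaultdict(set), None
    for ln in lines:
        if ln.startswith("interface "):
            current = ln.split(None, 1)[1]
        elif ln.startswith(" ") and current:  # IOS indents interface sub-commands
            per_iface[current].add(ln.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    found = [n for n, off in GLOBAL_ON.items() if off not in top]
    found += [n for n, on in GLOBAL_OFF.items() if any(t.startswith(on) for t in top)]
    ifaces = {}
    for name, cmds in per_iface.items():
        hits = [n for n, off in IFACE_ON.items()
                if off not in cmds and not (n == "CDP" and "no cdp run" in top)]
        hits += [n for n, on in IFACE_OFF.items() if on in cmds]
        if hits:
            ifaces[name] = hits
    return {"global": found, "interfaces": ifaces}

# Constructed sample running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
no service pad
service tcp-small-servers
no ip http server
snmp-server community public RO
!
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
interface GigabitEthernet0/1
 no cdp enable
 ip directed-broadcast
"""
```

Running audit(SAMPLE_CONFIG) flags BOOTP, IP source routing, the TCP small servers and SNMP globally, plus CDP and ICMP unreachables on GigabitEthernet0/0 and redirects, unreachables, proxy ARP and directed broadcasts on GigabitEthernet0/1.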