
CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-3

Copyright © 2007, Cisco Systems, Inc

Lab 5.3 Disabling Unneeded Services 

Learning Objectives 

•  Identify and disable unneeded and insecure services on a router 

•  Enable TCP keepalives 

Topology Diagram 

 

Scenario 

In this lab, you will disable unneeded services on a router. SDM one-step 
lockdown or AutoSecure will disable many of the same services. This lab only 
requires one router. 

Step 1: Configure the Physical Interface 

Because this lab uses only one router, you will simulate an active FastEthernet 
connection by activating the interface and applying the no keepalive command 
to initiate an “always up” state, regardless of the existence of a device at the 
remote end. Normally, you would not use the no keepalive command on a 
routed interface, except in special circumstances. In this lab, you will use it only 
for simulation purposes. 

Configure the R1 physical interface using the IP address shown in the topology 
diagram. Use the no keepalive command in interface configuration mode, and 
then use the no shutdown command to activate the interface. Because you 
have disabled keepalives, the interface status displays as link state (Layer 1) 
and line protocols state (Layer 2) “up,” even if it is not connected to an external 
device. 

 
R1(config)# interface fastethernet0/0 
R1(config-if)# ip address 192.168.10.1 255.255.255.0 
R1(config-if)# no keepalive 
R1(config-if)# no shutdown 

background image

Step 2: Ensure Services Are Disabled 

Some services are disabled by default on more recent Cisco IOS releases, so 
you do not necessarily have to disable them. However, it is helpful to know the 
commands in case they are enabled and affect security. These commands are 
especially useful on older IOS versions.

The no ip finger command replaces the no service finger command. Both 
disable the finger service, which allows remote users or systems to identify 
users connected to the local router’s terminal lines or who have active running 
processes. 

 
R1(config)# no ip finger 

How could the enabling of the finger service pose a security risk? 

 

 

 

The no service udp-small-servers and no service tcp-small-servers 
commands disable UDP and TCP small servers, such as echo and discard. The 
small servers are not needed in most environments. 

 
R1(config)# no service udp-small-servers 
R1(config)# no service tcp-small-servers 

The TCP and UDP small servers are enabled by default on Cisco IOS Release 
11.2 and earlier. They are disabled by default on Cisco IOS Release 11.3 and 
later. 

It is recommended that you do not enable these services unless it is absolutely 
necessary. These services could be exploited indirectly to gain information 
about the target system, or exploited directly with a fraggle attack, which uses 
UDP echo.[1] Also, if a sender transmits a volume of fake requests for UDP 
diagnostic services on the router, the requests could consume all CPU 
resources.

Step 3: Manage Router Access  

Name two popular TCP protocols that network administrators use to manage 
network devices.

 

[1] http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml#topic5


Recall that such management applications as telnet and SSH connect to the vty 
port on a router. A Cisco router has five vtys configured by default, numbered 0 
through 4, to which users connect to access the command-line interface. When 
one vty is in use, the next vty port is used. If all vty ports are being used, other 
users cannot connect to the device in this way. 

Describe how individuals with malicious intent could exploit vty port 
functionality. 

 

 

 

Describe at least two ways to prevent these types of attacks from occurring.

 

 

 

Enabling TCP keepalives causes the router to generate periodic keepalive 
messages, letting it detect and drop broken Telnet connections. This frees up 
hung Telnet sessions. This functionality also has the additional benefit of 
making the router more secure by preventing a hacker from exploiting a hung 
Telnet session.

To enable TCP keepalive packets on idle connections, use the 
service tcp-keepalives-in and service tcp-keepalives-out commands in 
global configuration mode.

 
R1(config)# service tcp-keepalives-in 
R1(config)# service tcp-keepalives-out 

Step 4: Disable CDP 

Cisco Discovery Protocol (CDP) is a great troubleshooting tool, especially on 
poorly documented networks. However, it can also leave your network 
susceptible to reconnaissance attacks. 

CDP is used for some network management functions, but is dangerous 
because it allows any system on a directly connected segment to learn that the 
router is a Cisco device, and to determine the model number and the Cisco IOS 
software version being run. This reconnaissance information can be used to 
design attacks against the router. 


To disable the CDP service globally, use the no cdp run command in global 
configuration mode. To disable CDP on a per-interface basis, issue the 
no cdp enable command in interface configuration mode.

 
R1(config)# no cdp run 

Step 5: Disable Other Unused Services 

Disable the packet assembler/disassembler (PAD) on the router by using the 
no service pad command in global configuration mode. PAD translates 
between packets and character streams in legacy networks. You should not 
need this service in most current IP networks. 

 
R1(config)# no service pad 

The BOOTP service is used in networks that have a centralized Cisco IOS 
software deployment: One router can be used by other routers to load its 
operating system. However, the BOOTP service is seldom used, and it gives a 
hacker an opportunity to steal a Cisco IOS image. Therefore, in most situations, 
you should disable it using the following command: 

 
R1(config)# no ip bootp server 

The most recent Cisco IOS software releases use the Hypertext Transfer 
Protocol (HTTP) to support remote configuration and monitoring. In general, 
HTTP access is equivalent to interactive access to the router. The 
authentication protocol used for HTTP is equivalent to sending a clear-text 
password across the network. Unfortunately, there is no effective provision in 
HTTP for challenge-based or one-time passwords. This makes HTTP a 
relatively risky choice for router management across the public Internet.

If you choose to use HTTP for router management, use the 
ip http access-class command to restrict access to specific IP addresses. You 
should also use the ip http authentication method command to configure 
authentication. As with interactive logins, the best choice for HTTP 
authentication is to use a TACACS+ or RADIUS server.[2]

In the following example, you choose not to use the IOS web interface. Disable 
the Cisco IOS HTTP server with the no ip http server command in global 
configuration mode.  

 
R1(config)# no ip http server 

[2] http://www.cisco.com/warp/public/707/21.html#http

The IP protocol supports source routing options that allow the sender of an IP 
datagram to control the route that a datagram takes toward its ultimate 
destination, and generally the route that any reply takes. These options are 
rarely used for legitimate purposes in real networks. Some older IP 
implementations do not process source-routed packets properly, and it is 
possible to send them datagrams with source routing options in order to crash 
machines that run these implementations. The no ip source-route command 
makes the router discard packets that contain source routing information. You 
can disable source routing if the network does not use it.

 
R1(config)# no ip source-route 

Gratuitous Address Resolution Protocol (ARP) messages are unsolicited ARP 
requests and replies that can be generated for several reasons, such as when 
detecting IP address conflicts or updating ARP tables after an address change. 
However, attackers can use these packets to spoof a valid network device; for 
example, an attacker could send out a packet that claims to be the default 
router. If you choose to do so, you can disable gratuitous ARP with the global 
configuration command no ip gratuitous-arps.

 
R1(config)# no ip gratuitous-arps 

Step 6: Disabling Unneeded Interface Services 

Some commands are used on a per-interface basis to mitigate certain types of 
hacker attacks or reconnaissance. Issue the following commands on the R1 
FastEthernet0/0 interface. 

The no ip redirects command disables IP redirects so that the router does not 
send out ICMP redirect messages. These messages are generated when a 
router routes a packet out the same interface on which it arrived. The contents 
of the message tell the packet sender to send future packets directly to the 
next hop that the router would have used.

 
R1(config)# interface fastethernet0/0 
R1(config-if)# no ip redirects 

The no ip proxy-arp command disables proxy ARP on the router. With proxy 
ARP enabled, a router can respond to an ARP request for an address on a 
remote subnet (with its own MAC address) and take responsibility for getting 
the packets to their destination.

 
R1(config-if)# no ip proxy-arp 

The no ip unreachables command prevents the router from sending Internet 
Control Message Protocol (ICMP) unreachable messages when it has not 
learned a route to a destination. Normally, these are helpful for troubleshooting, 
but they can also be involved in reconnaissance or DoS attacks. 

 
R1(config-if)# no ip unreachables 

Similarly, directed broadcasts can be used in reconnaissance and DoS attacks. 
You can prevent this by using the no ip directed-broadcast command. 
Although directed broadcasts are disabled by default in recent Cisco IOS 
releases, this command is included in the lab because it is a significant security 
point. This command makes the router discard packets with a destination 
address that is the broadcast address for a specific network. Such packets can 
be used in a DoS attack. If a hacker located at 192.168.1.1 wants to attack a 
host at 192.168.2.2, the hacker can ping 192.168.3.255 with a packet sourced 
from 192.168.2.2. Every host in the 192.168.3.0/24 subnet will respond to that 
ICMP echo request and direct the response to the spoofed source. In this case, 
the spoofed source is the victim of the attack.

 
R1(config-if)# no ip directed-broadcast 

Unnecessary ICMP messages can be sent in response to ICMP mask request 
messages. Use the no ip mask-reply command to disable ICMP mask reply 
messages. 

 
R1(config-if)# no ip mask-reply 

Maintenance Operation Protocol (MOP) is an old DECnet protocol that is not 
needed on most current IP networks. To disable it, issue the no mop enabled 
command. MOP is enabled by default on Ethernet interfaces only.

 
R1(config-if)# no mop enabled 

Final Configuration 

 
R1#show run 
service tcp-keepalives-in 
service tcp-keepalives-out 

hostname R1 

no ip source-route 
no ip gratuitous-arps 

no ip bootp server 

interface FastEthernet0/0 
 ip address 192.168.10.1 255.255.255.0 
 no ip redirects 
 no ip unreachables 
 no ip proxy-arp 
 no keepalive 
 no mop enabled 
 no shutdown 

no ip http server 

no cdp run 
end 
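As an added example that is not part of the original lab, the following Python script audits a saved "show run" dump against the checklist this lab builds up: the global services it disables (Steps 2 to 5) and the per-interface commands from Step 6. The checklist, the parser and the sample configuration are constructed here and are not a Cisco tool; items that IOS omits from "show run" when at their default (no ip directed-broadcast, no ip mask-reply, no ip finger) cannot be verified from the dump and are deliberately left out.

```python
# Checklist mirroring the lab's steps (constructed here; not a Cisco tool).
# Items IOS omits from "show run" when at their default (no ip directed-broadcast,
# no ip mask-reply, no ip finger) cannot be checked from the dump and are left out.
GLOBAL_REQUIRED = ["service tcp-keepalives-in", "service tcp-keepalives-out",
                   "no ip source-route", "no ip gratuitous-arps",
                   "no ip bootp server", "no ip http server", "no cdp run"]
IFACE_REQUIRED = ["no ip redirects", "no ip unreachables",
                  "no ip proxy-arp", "no mop enabled"]
# Legacy services enabled by default on old IOS; their presence is a finding.
GLOBAL_FORBIDDEN = ["ip finger", "service finger", "service pad",
                    "service tcp-small-servers", "service udp-small-servers"]

def parse_config(text):
    """Split a 'show run' dump into global lines and per-interface sub-lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())   # indented = interface mode
        else:
            current = None                             # back to global mode
            global_lines.append(raw.strip())
    return global_lines, interfaces

def audit(text):
    """Return sorted findings; an empty list means the config matches the lab."""
    glob, ifaces = parse_config(text)
    findings = [f"missing global: {c}" for c in GLOBAL_REQUIRED if c not in glob]
    findings += [f"enabled service: {c}" for c in GLOBAL_FORBIDDEN if c in glob]
    for name, lines in ifaces.items():
        findings += [f"{name} missing: {c}" for c in IFACE_REQUIRED if c not in lines]
    return sorted(findings)

# Constructed partial configuration with several lab steps left out.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
ip finger
no ip source-route
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no mop enabled
no cdp run
end
"""
```

Running audit(SAMPLE_CONFIG) lists the four global commands still missing, the enabled finger service, and the two interface commands not yet applied to FastEthernet0/0.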
