CCIE Security V4 Technology Labs Section 1:

System Hardening and Availability


Disabling Unnecessary Services
Last updated: May 3, 2013
Task
Load the configuration files for this task.
On R1, disable CDP on all interfaces.
Ensure that R1 cannot be accessed via a web page.
Disable the ability for R1 to send ICMP mask replies on interface G0/0.
On R1, disable IP unreachables.
On R2, disable CDP on the interface facing R3.
Disable IP source routing on R2.
Explanation and Verification
Cisco Discovery Protocol (CDP) is primarily used to obtain the protocol addresses of neighboring
devices and to discover the platforms of those devices. CDP also advertises information about the
interfaces your router uses (platform, IOS version, IP addresses, port IDs), so it is a target for
attackers who want to gain information about your network and its resources. CDP is media and
protocol independent and runs on almost all Cisco-manufactured equipment. It is a useful protocol,
but the security implications are significant. To disable CDP you have two options: the interface
level and the global level. Use the no cdp enable interface command or the no cdp run global
command. Before disabling it globally, check whether anything depends on it (Cisco IP phones learn
the voice VLAN through CDP, and On-Demand Routing runs over CDP); if so, disable it only on the
interfaces that face untrusted networks.
The Cisco IOS also has the ability to enable an HTTP service, which allows configuration and
monitoring of the router using any web browser. You can configure the HTTP service to listen on a
non-standard port using ip http port number . You can direct the method of authentication using
the ip http authentication {aaa | enable | local | tacacs} command, but this does not
prevent access to the service. To control access to the HTTP server, either use the
ip http access-class {access-list-number | name} command or disable the service
globally. The HTTP server can be disabled with the no ip http server command in global
configuration mode, and a Secure HTTP (HTTPS) server can be disabled with the
no ip http secure-server global configuration command.
Additionally, as a security best practice, any unused services should be disabled. Although this
task specifies only a few of these services, it is still best to understand what the services are.
TCP and UDP small services should be disabled. These services include:
- echo (port number 7)
- discard (port number 9)
- daytime (port number 13)
- chargen (port number 19)
Although abuse of the small services can be avoided or made less dangerous by anti-spoofing
access lists, the services must be disabled on any device accessible within the network. The small
services are disabled by default in Cisco IOS Software Releases 12.0 and later. In earlier software,
the no service tcp-small-servers and no service udp-small-servers global configuration
commands can be issued to disable them.
In addition to the TCP and UDP small services, the following considerations should be made:
IP Finger: Issue the no ip finger global configuration command to disable Finger service. Cisco
IOS software releases later than 12.1(5) and 12.1(5)T disable this service by default.
BootP: Issue the no ip bootp server global configuration command to disable Bootstrap
Protocol (BOOTP).
In Cisco IOS Software Release 12.2(8)T and later, issue the ip dhcp bootp ignore
command in global configuration mode to disable BOOTP. This leaves Dynamic Host
Configuration Protocol (DHCP) services enabled.
DHCP: DHCP services can be disabled if DHCP relay services are not required. Issue the
no service dhcp command in global configuration mode.
MOP: Issue the no mop enabled command in interface configuration mode to disable the
Maintenance Operation Protocol (MOP) service.
DNS Resolution: Issue the no ip domain-lookup global configuration command to disable
Domain Name System (DNS) resolution services.
PAD: Issue the no service pad command in global configuration mode to disable Packet
Assembler/Disassembler (PAD) service, which is used for X.25 networks.
TFTP Config: Unless Cisco IOS devices retrieve configurations from the network during startup, the
no service config global configuration command must be used. This prevents the Cisco IOS
device from attempting to locate a configuration file on the network using TFTP.
LLDP: Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is
similar to CDP. However, this protocol allows interoperability between other devices that do not
support CDP. LLDP must be treated in the same manner as CDP and disabled on all interfaces that
connect to untrusted networks. To accomplish this, issue the no lldp transmit and
no lldp receive interface configuration commands. Issue the no lldp run global configuration
command to disable LLDP globally. LLDP can also be used by a malicious user for reconnaissance
and network mapping.
To begin the configuration, disable CDP globally on R1 as directed, then confirm with show cdp:
R1:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no cdp run
R1(config)#end
R1#sh cdp
Jan 16 21:27:26.745: %SYS-5-CONFIG_I: Configured from console by console
% CDP is not enabled
R1#
Additionally, ensure that R1 is not running the HTTP service. First look at the open ports:
R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address  Foreign Address  Service    State
tcp   *:23           *:0              Telnet     LISTEN
tcp   *:80           *:0              HTTP CORE  LISTEN
tcp   *:80           *:0              HTTP CORE  LISTEN
As seen in the output, the HTTP server is listening on TCP port 80. Disable it with the
no ip http server command. (Telnet on port 23 is also listening; the task does not cover it, but a
hardened device would restrict its VTY lines to SSH with transport input ssh.)
R1#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip http server
R1(config)#end
R1#
Now verify that the service is disabled:
R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address  Foreign Address  Service    State
tcp   *:23           *:0              Telnet     LISTEN
R1#
Disable ICMP mask replies on G0/0 so that R1 does not answer ICMP address mask requests on that
interface. (ip mask-reply is disabled by default in IOS; the command here makes that explicit.)
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int g0/0
R1(config-if)#no ip mask-reply
R1(config-if)#
On R1, disable IP unreachables. Note that ip unreachables is an interface-level command, so it is
applied here to G0/0 only and must be repeated on every interface where it is wanted. Also be aware
that it suppresses the fragmentation-needed message (ICMP type 3, code 4) along with the other
unreachables, which breaks Path MTU Discovery through that interface; weigh that against the
reconnaissance value of the messages.
R1(config-if)#no ip unreachables
R1(config-if)#
Now go to R2 and disable CDP on the interface facing R3. As shown below, we first verify that
CDP is enabled; it is, because we can see SW1. SW1 is the directly connected device in our Layer 2
path to R3, which is why R3 itself does not appear as a neighbor.
R2>en
R2#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID    Local Intrfce    Holdtme    Capability    Platform     Port ID
SW1          Gig 0/0          135        R S I         WS-C3560-    Fas 0/2
R2#
R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int g0/0
R2(config-if)#no cdp enable
R2(config-if)#end
R2#
Jan 17 18:40:05.668: %SYS-5-CONFIG_I: Configured from console by console
R2#sh cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled
R2#
Because CDP was disabled only on G0/0, show cdp still reports that CDP is running globally; that is
expected. To confirm the interface-level change, use show cdp interface, which lists only the
interfaces on which CDP is enabled, and check that SW1 ages out of show cdp neighbors once the
holdtime expires.
Finally, disable IP source routing on R2. This is a global command, not an interface command: it
makes the router drop packets carrying the IP source-route options on every interface.
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no ip source-route
R2(config)#
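As an added example (not part of the original lab or of Cisco's own tooling), the checks from the service list above and from the R1/R2 task steps can be expressed as a small audit over a saved running-config. The two configs embedded below are constructed for this example; the rules encode the IOS defaults described in this section (CDP, source routing, BOOTP and ICMP unreachables on by default; finger and the small servers off) plus the assumption that ip mask-reply is off by default, and rely on IOS printing only non-default lines, so a default-on service is flagged when its "no" form is absent and a default-off service only when its enable line is present.

```python
"""Audit an IOS running-config for the services covered in this task.

IOS prints only non-default lines, so each rule states which form it looks
for. The configs below are constructed for this example, not from the lab.
"""
import re
from typing import Dict, List, Tuple

# Constructed: R1 after the task's commands, but with HTTPS, finger, BOOTP
# and source routing still in their enabled state and G0/1 not hardened.
SAMPLE_R1_CONFIG = """\
version 15.1
hostname R1
!
no cdp run
no ip http server
ip http secure-server
ip finger
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip unreachables
 no ip mask-reply
!
interface GigabitEthernet0/1
 ip address 10.1.2.1 255.255.255.0
!
line vty 0 4
 transport input telnet
!
end
"""

# Constructed: the same box with every item in this section addressed.
HARDENED_CONFIG = """\
hostname R1
no ip source-route
no ip bootp server
no ip http server
no ip http secure-server
no cdp run
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip unreachables
!
interface GigabitEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 no ip unreachables
!
end
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-commands.
    Other sub-modes (line, router, ...) are skipped; only interfaces matter here."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None  # name of the interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" "):  # sub-command of the current block
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> List[str]:
    """Return one finding string per service left in an exposed state."""
    g, ifs = parse_config(text)
    findings: List[str] = []
    # Default-on services: flagged when the disabling line is missing.
    for off_line, what in (("no ip source-route", "IP source routing"),
                           ("no ip bootp server", "BOOTP server")):
        if off_line not in g:
            findings.append(f"global: {what} enabled (missing '{off_line}')")
    # Services that appear explicitly when enabled (HTTP/HTTPS always print one form).
    for on_line, what in (("ip http server", "HTTP server"),
                          ("ip http secure-server", "HTTPS server"),
                          ("ip finger", "finger"),
                          ("service tcp-small-servers", "TCP small servers"),
                          ("service udp-small-servers", "UDP small servers")):
        if on_line in g:
            findings.append(f"global: {what} enabled ('{on_line}')")
    cdp_global = "no cdp run" not in g  # CDP runs by default
    for name, lines in ifs.items():
        if cdp_global and "no cdp enable" not in lines:
            findings.append(f"{name}: CDP enabled")
        if "no ip unreachables" not in lines:
            findings.append(f"{name}: ICMP unreachables enabled")
        if "ip mask-reply" in lines:  # assumed off by default; only an explicit enable counts
            findings.append(f"{name}: ICMP mask replies enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("R1 as left by the task", SAMPLE_R1_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against the output of show running-config saved to a file to get a checklist of what the task left open (on the constructed R1 config: HTTPS, finger, BOOTP, source routing and G0/1 unreachables). The exact-line matching is deliberate: substring matching would confuse "no ip http server" with "ip http server".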
