I wrote a guidelines document at work this week pulling together many different commands for Cisco routers, switches, etc. that our IT group should be doing to better secure things. Granted, we already do most of these, but I wanted one document to get everyone on the same page and help any newer staff. This is the first section, covering commands to apply to all router interfaces. I cover this in the upcoming In the Trenches show in the Cisco Corner. Next time we move into commands for the global config mode.
- no ip unreachables – ICMP unreachable replies are sent whenever a host attempts to send a packet to a destination that doesn’t exist or isn’t supported. Disabling unreachables makes network mapping harder.
- no ip directed-broadcast – This prevents Smurf attacks, in which a ping sent to the network broadcast address causes every host on that network to send replies to the source of the ping.
- no ip proxy-arp – Proxy Address Resolution Protocol (ARP) lets hosts that have no default router or gateway configured reach remote destinations: the router answers ARP requests on behalf of the remote destination, so clients send to the router and their traffic is transparently relayed to the far end.
- no ip redirects – ICMP redirects allow systems to change the way packets are routed through a network.
- no cdp enable – CDP, the Cisco Discovery Protocol, provides information on the remote interfaces connected to each Cisco router. CDP should be disabled on all Internet-facing interfaces.
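As an added example (not part of the original guidelines document or this post), here is a small Python audit that reads a saved IOS running-config, splits it into interface stanzas and reports which of the five lines above each interface is missing, treating `no cdp enable` as required only on the interfaces you name as Internet-facing. The config it runs over is a constructed sample, not output from a real device.

```python
# Interface-level hardening lines from the guidelines, as they appear in a
# running-config. CDP only has to be off on Internet-facing interfaces.
REQUIRED_ALL = ("no ip unreachables", "no ip directed-broadcast",
                "no ip proxy-arp", "no ip redirects")
REQUIRED_INTERNET = ("no cdp enable",)

def parse_interfaces(config):
    """Map interface name -> its indented sub-mode lines (stripped)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):       # 'interface Gi0/0' opens a stanza
            current = raw.split()[1]
            stanzas[current] = []
        elif current and raw.startswith(" "):  # indented line belongs to it
            stanzas[current].append(raw.strip())
        else:                                  # '!' or any unindented line ends it
            current = None
    return stanzas

def audit(config, internet_facing=()):
    """Return {interface: [missing hardening lines]} for every failing interface."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        required = REQUIRED_ALL + (REQUIRED_INTERNET if name in internet_facing else ())
        # Only explicit lines count: 'show running-config' omits platform defaults,
        # so 'missing' means 'not explicitly set', which the guidelines want fixed anyway.
        missing = [cmd for cmd in required if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample (not from a real device): Gi0/0 follows the guidelines,
# Gi0/1 is Internet-facing but still has unreachables and CDP enabled.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
 no cdp enable
!
interface GigabitEthernet0/1
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
!
"""

if __name__ == "__main__":
    for iface, gaps in audit(SAMPLE_CONFIG, {"GigabitEthernet0/1"}).items():
        print(f"{iface}: missing {', '.join(gaps)}")
```

Feed it the output of `show running-config` saved to a file and pass the set of Internet-facing interface names to get a per-interface list of what still needs to be applied.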