An overview of some important Cisco IOS configuration statements.
- session-timeout versus exec-timeout
- session-timeout: This command sets the interval that the Cisco IOS software waits for traffic before closing the connection to a remote computer and returning the terminal to an idle state. The default interval is zero, indicating the device maintains the connection indefinitely.
- exec-timeout: To configure the length of time that an inactive Telnet or SSH session remains open, use the exec-timeout global configuration command.
In short, session-timeout applies to sessions that originate outbound from this VTY, while exec-timeout applies to the EXEC session started when someone logs in to this VTY.
- NTP configuration
Once a router's clock is synchronized to an NTP source or configured to serve as a master, it will, in turn, act as an NTP server to any system that requests synchronization. It is important to use authentication and access lists to avoid providing time synchronization service to the entire Internet.
The ntp disable command can be used on a per-interface basis. When applied to an interface, the command keeps the interface from acting as an NTP server, but still allows it to serve as an NTP client. This is the recommended configuration for external interfaces.
For additional security, you can configure your NTP servers and clients to use authentication. Cisco routers support only MD5 authentication for NTP. To enable a router to do NTP authentication:
- Enable NTP authentication with the ntp authenticate command.
- Define an NTP authentication key with the ntp authentication-key command. A unique number identifies each NTP key. This number is the first argument to the ntp authentication-key command.
- Use the ntp trusted-key command to tell the router which keys are valid for authentication. The ntp trusted-key command's only argument is the number of the key defined in the previous step.
WARNING: Configuring NTP authentication does not require all clients to use NTP authentication; it enables clients to use authentication. Your router will still respond to unauthenticated requests, so be sure to use ACLs to limit NTP access.
If your external NTP servers require authentication, you need to configure your router to use authentication when contacting those servers. To do this, perform the same steps listed previously to add an NTP authentication key; then use the ntp server command with the key argument to tell the router what key to use when authenticating with the NTP server, e.g.
ntp server 220.127.116.11 key 11
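The three NTP authentication steps above plus the ACL warning are easy to get subtly wrong (a trusted-key number that was never defined, a server line whose key is not trusted, no ntp access-group at all). The following checker is an added example written for this page, not Cisco tooling and not code from the original text; it parses the NTP lines of a running-config and reports those inconsistencies. The two config fragments inside it are constructed, and the key value, the access-list number and the 198.51.100.7 / 203.0.113.9 addresses are assumed sample values.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of the NTP lines from a running-config (not taken from a real device).
# It deliberately contains the mistakes the checks below look for.
SAMPLE_NTP_CONFIG = """\
ntp authenticate
ntp authentication-key 11 md5 EXAMPLEKEY
ntp trusted-key 11
ntp trusted-key 12
ntp server 220.127.116.11 key 11
ntp server 198.51.100.7 key 13
ntp server 203.0.113.9
"""

# The same fragment with every finding fixed (also constructed; ACL 10 is assumed to exist).
HARDENED_NTP_CONFIG = """\
ntp authenticate
ntp authentication-key 11 md5 EXAMPLEKEY
ntp trusted-key 11
ntp access-group peer 10
ntp server 220.127.116.11 key 11
"""


@dataclass
class NtpConfig:
    authenticate: bool = False
    keys: set = field(default_factory=set)        # numbers given to ntp authentication-key
    trusted: set = field(default_factory=set)     # numbers given to ntp trusted-key
    servers: list = field(default_factory=list)   # (address, key number or None)
    access_groups: list = field(default_factory=list)


def parse_ntp(config: str) -> NtpConfig:
    """Collect the NTP statements from a config; every other line is ignored."""
    cfg = NtpConfig()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            cfg.authenticate = True
        elif (m := re.match(r"ntp authentication-key (\d+) md5 ", line)):
            cfg.keys.add(int(m.group(1)))
        elif (m := re.match(r"ntp trusted-key (\d+)$", line)):
            cfg.trusted.add(int(m.group(1)))
        elif (m := re.match(r"ntp (?:server|peer) (\S+)", line)):
            key = re.search(r"\bkey (\d+)", line)
            cfg.servers.append((m.group(1), int(key.group(1)) if key else None))
        elif line.startswith("ntp access-group "):
            cfg.access_groups.append(line)
    return cfg


def audit_ntp(config: str) -> list:
    """Return one finding string per NTP authentication or access-control problem."""
    cfg = parse_ntp(config)
    findings = []
    if not cfg.authenticate:
        findings.append("ntp authenticate missing: received NTP packets are not checked")
    # A trusted-key number must refer to a key defined with ntp authentication-key.
    for k in sorted(cfg.trusted - cfg.keys):
        findings.append(f"ntp trusted-key {k} refers to a key that is never defined")
    # Each upstream server should be contacted with a key that is both defined and trusted.
    for addr, key in cfg.servers:
        if key is None:
            findings.append(f"ntp server {addr} is contacted without authentication")
        elif key not in cfg.trusted:
            findings.append(f"ntp server {addr} uses key {key}, which is not a trusted key")
    # Authentication alone does not stop unauthenticated queries; an ACL is still needed.
    if not cfg.access_groups:
        findings.append("no ntp access-group: any host may query this router for time")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_NTP_CONFIG), ("hardened", HARDENED_NTP_CONFIG)):
        print(f"{name}: {len(audit_ntp(cfg))} finding(s)")
        for finding in audit_ntp(cfg):
            print("  -", finding)
```

The last check is the point of the WARNING above: a config can pass every key-consistency check and still answer unauthenticated requests from anywhere, so the script treats a missing ntp access-group as a finding in its own right.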
- bootp service
bootp is enabled by default, and if it is not used, it should be disabled. The service is disabled when the configuration contains the following line:
no ip bootp server
- Cisco Discovery Protocol (CDP)
The Cisco Discovery Protocol (CDP) is enabled by default, and it is recommended to disable this service on the router globally. Search for the command
no cdp run
within the configuration file to see whether CDP has been disabled globally.
CDP can also be disabled on a per-interface basis. Search for the command
no cdp enable
within the configuration of an interface to see whether CDP was disabled for that particular interface.
- ip classless
The ip classless command is enabled on Cisco routers by default in version 12.0 and higher. Disable ip classless if your network does not have a subnetted range of IP addresses. If you are subnetting a block of IP addresses allocated to you by the American Registry for Internet Numbers (ARIN), you should ensure that ip classless is enabled, because it allows the router to advertise the subnetted addresses to its neighbors.
- DNS lookup
Domain Name System (DNS) lookup is enabled by default on Cisco routers, and if you are not implementing DNS lookup on your network, it is highly advisable to disable this feature globally with the command
no ip domain-lookup
- finger service
The finger service is enabled by default and should be disabled on network devices. Look for the command
no ip finger
to see whether finger has been disabled.
- Disable HTTP
Cisco devices can be accessed through a built-in web server, and unless you use the web interface to configure your network device, it is recommended to disable the HTTP service on Cisco devices. Look for the command
no ip http server
to see whether the HTTP service has been disabled.
If you want to implement HTTP-based management, it is recommended to implement HTTP authentication and to limit HTTP connections to the device using ACLs.
- ip mask-reply
By default, the ip mask-reply command is disabled on all Cisco routers. When mask replies are enabled, the router answers Internet Control Message Protocol (ICMP) mask requests with ICMP mask replies, and those replies disclose information about the network. If mask replies are enabled, disable them on the router with the command
no ip mask-reply
in interface configuration mode.
- IP-Directed Broadcast
IP-directed broadcast is another service commonly abused in Smurf attacks: the attacker sends ICMP echo requests from a spoofed source address to a directed broadcast address, so every host on that segment replies to the spoofed source, generating a flood of traffic on the network. By default on IOS version 12.0 and higher, IP directed broadcast is disabled; if you are running any version lower than 12.0, it is imperative that you disable IP directed broadcasts on the router by issuing the command
no ip directed-broadcast
in interface configuration mode.
- IP Source Routing
IP source routing allows the sender of an IP packet to control the route that packet will take to reach the destination endpoint. By default, IP source routing is disabled on the routers and should only be enabled if your network needs it. Look for the command
no ip source-route
to see whether it has been disabled.
- IP Unreachable
IP unreachable messages can be used to map out the network topology, and they should be disabled on all interfaces. The sending of IP unreachables is disabled on an interface by issuing the following command in interface configuration mode:
no ip unreachables
Note: IP unreachables should be disabled on all interfaces connected to insecure networks.
- Small Services
Cisco classifies echo, chargen, daytime, and discard as small services and recommends that they be disabled on the router. On versions 11.3 or higher, the small servers are disabled by default.
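Most of the sections above (from CDP onward) reduce to "search the configuration for this command", and the first section adds a per-VTY exec-timeout check. The script below is an added example for this page, not Cisco tooling and not the author's own code; it applies those searches to a saved running-config, treating global commands and interface or line sub-commands separately, since IOS indents sub-commands with one space. The config excerpt inside it is constructed, and its interface names, addresses and descriptions are assumed sample values.

```python
# Constructed running-config excerpt (not from a real device); it mixes hardened
# and unhardened settings so the checks below have something to report.
SAMPLE_CONFIG = """\
version 12.4
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip finger
no ip domain-lookup
no ip source-route
ip http server
cdp run
!
interface FastEthernet0/0
 description outside link (constructed)
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
 no ip unreachables
 no cdp enable
!
interface FastEthernet0/1
 description inside link (constructed)
 ip address 10.0.0.1 255.255.255.0
 ip directed-broadcast
!
line vty 0 4
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 transport input ssh
"""

# Global lines the sections above say to look for, and the finding reported when one is absent.
GLOBAL_CHECKS = {
    "no ip bootp server": "BOOTP server not confirmed disabled",
    "no ip finger": "finger service not confirmed disabled",
    "no ip domain-lookup": "DNS lookup not confirmed disabled",
    "no ip source-route": "IP source routing not confirmed disabled",
    "no ip http server": "HTTP server not confirmed disabled",
    "no service tcp-small-servers": "TCP small servers not confirmed disabled",
    "no service udp-small-servers": "UDP small servers not confirmed disabled",
}


def parse_blocks(config: str) -> dict:
    """Map each 'interface ...' or 'line ...' header to its indented sub-commands.

    IOS indents sub-commands with a single space; any non-indented line ends the block.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
    return blocks


def audit_config(config: str) -> list:
    """Return one finding per hardening item that cannot be confirmed from the config."""
    global_lines = {ln.strip() for ln in config.splitlines() if not ln.startswith(" ")}
    findings = [msg for cmd, msg in GLOBAL_CHECKS.items() if cmd not in global_lines]
    cdp_off_globally = "no cdp run" in global_lines

    for header, cmds in parse_blocks(config).items():
        cmds = set(cmds)
        if header.startswith("interface "):
            # directed-broadcast and mask-reply only appear in the config when enabled
            if "ip directed-broadcast" in cmds:
                findings.append(f"{header}: ip directed-broadcast enabled (Smurf amplifier)")
            if "ip mask-reply" in cmds:
                findings.append(f"{header}: ip mask-reply enabled")
            # unreachables and CDP are on by default, so the explicit 'no' form must be present
            if "no ip unreachables" not in cmds:
                findings.append(f"{header}: ip unreachables not disabled")
            if not cdp_off_globally and "no cdp enable" not in cmds:
                findings.append(f"{header}: CDP still enabled")
        elif header.startswith("line vty"):
            # exec-timeout 0 0 means the EXEC session never times out
            if not any(c.startswith("exec-timeout ") and c != "exec-timeout 0 0" for c in cmds):
                findings.append(f"{header}: no exec-timeout, idle sessions stay open")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

The messages say "not confirmed disabled" rather than "enabled" on purpose: show running-config omits settings that are at their default, so an absent no ... line proves nothing by itself. Feed the script the output of show running-config all on releases that support it, or verify each unconfirmed item with the relevant show command, before reporting it as a real exposure.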