Chapter 1 Cisco SDM Express Supplementary Help
Cisco SDM Express 2.4 User’s Guide, OL-7141-05, page 1-28
no service finger
You can undo this fix using the Cisco SDM Security Audit feature. To learn how,
see the Security Audit online help in Cisco SDM. For more information, click
Cisco Router and Security Device Manager.
Disable PAD Service
Cisco SDM Express disables all packet assembler/disassembler (PAD)
commands and connections between PAD devices and access servers whenever
possible.
The configuration that will be delivered to the router to disable PAD is as follows:
no service pad
You can undo this fix using the Cisco SDM Security Audit feature. To learn how,
see the Security Audit online help in Cisco SDM. For more information, click
Cisco Router and Security Device Manager.
Disable TCP Small Servers Service
Cisco SDM Express disables small services whenever possible. By default, Cisco
devices running Cisco IOS release 11.3 or earlier offer the “small services”: echo,
chargen, and discard. (Small services are disabled by default in Cisco IOS
software release 12.0 and later.) These services, especially their User Datagram
Protocol (UDP) versions, are infrequently used for legitimate purposes, but they
can be used to launch Denial of Service (DoS) and other attacks that would
otherwise be prevented by packet filtering.
For example, an attacker might send a Domain Name System (DNS) packet,
falsifying the source address to be a DNS server that would otherwise be
unreachable, and falsifying the source port to be the DNS service port (port 53).
If such a packet were sent to the router UDP echo port, the result would be the
router sending a DNS packet to the server in question. No outgoing access list
checks would be applied to this packet because it would be considered to be
locally generated by the router itself.
Although most abuses of the small services can be avoided or made less
dangerous by antispoofing access lists, the services should almost always be
disabled in any router which is part of a firewall or lies in a security-critical part
of the network. Because the services are rarely used, the best policy is usually to
disable them on all routers of any description.
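As an added example (not part of this guide or of Cisco SDM), the following Python script performs the kind of check the Security Audit feature does for these services: it reads running-config text and reports which of finger, PAD and the TCP/UDP small servers are still effectively enabled, together with the fix line for each. The default-state table is an assumption about Cisco IOS 12.0 and later defaults, and `no service udp-small-servers` is assumed as the UDP counterpart of the TCP fix.

```python
import re

# Assumed default state (True = enabled) of each service on a Cisco IOS 12.0+
# router, plus the remediation line a Security Audit fix would deliver. The guide
# states small servers are off by default in 12.0+; delivering "no service pad"
# and "no service finger" as fixes implies those default to on.
SERVICES = {
    "service tcp-small-servers": (False, "no service tcp-small-servers"),
    "service udp-small-servers": (False, "no service udp-small-servers"),
    "service pad":               (True,  "no service pad"),
    "service finger":            (True,  "no service finger"),
}

def audit_small_services(running_config: str, defaults=SERVICES) -> dict:
    """Return {service: effective_enabled} for the given running-config text.

    An explicit 'service X' line enables X, 'no service X' disables it, and a
    service mentioned in neither form keeps its default. Whole-line comparison
    (after trimming) avoids matching longer commands that share the prefix.
    """
    state = {name: default for name, (default, _) in defaults.items()}
    for raw in running_config.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if not line or line.startswith("!"):   # blank or IOS comment line
            continue
        for name in defaults:
            if line == name:
                state[name] = True
            elif line == "no " + name:
                state[name] = False
    return state

def required_fixes(running_config: str, defaults=SERVICES) -> list:
    """Remediation lines still needed, in the order SERVICES lists them."""
    state = audit_small_services(running_config, defaults)
    return [fix for name, (_, fix) in defaults.items() if state[name]]

# Constructed sample config: TCP small servers were explicitly re-enabled,
# finger is off, and PAD is never mentioned so it stays at its default (on).
SAMPLE_CONFIG = """\
!
version 12.3
service timestamps log datetime msec
service tcp-small-servers
no service finger
!
hostname edge-router
!
"""

if __name__ == "__main__":
    for fix in required_fixes(SAMPLE_CONFIG):
        print(fix)
```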