User's guide

Chapter 1 Cisco SDM Express
Supplementary Help
1-30
Cisco SDM Express 2.4 User’s Guide
OL-7141-05
Disable IP BOOTP Server Service
Cisco SDM Express disables Bootstrap Protocol (BOOTP) service whenever
possible. BOOTP allows both routers and computers to automatically configure
necessary Internet information from a centrally maintained server upon startup,
including downloading Cisco IOS software. As a result, BOOTP can potentially
be used by an attacker to download a copy of a router’s Cisco IOS software.
In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should
be disabled or filtered by a firewall.
The configuration that will be delivered to the router to disable BOOTP is as
follows:
no ip bootp server
You can undo this fix using the Cisco SDM Security Audit feature. To learn how,
see the Security Audit online help in Cisco SDM. For more information, click
Cisco Router and Security Device Manager.
Disable IP Identification Service
Cisco SDM Express disables identification support whenever possible.
Identification support allows you to query a TCP port for identification. This
feature enables an insecure protocol to report the identity of a client initiating a
TCP connection and of a host responding to the connection. With identification
support, you can connect to a TCP port on a host, issue a simple text string to
request information, and receive a simple text-string reply.
It is dangerous to allow any system on a directly connected segment to learn that
the router is a Cisco device and to determine the model number and the Cisco IOS
software release being run. This information may be used to design attacks against
the router.
The configuration that will be delivered to the router to disable the IP
identification service is as follows:
no ip identd
You can undo this fix using the Cisco SDM Security Audit feature. To learn how,
see the Security Audit online help in Cisco SDM. For more information, click
Cisco Router and Security Device Manager.
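As an added example (not Cisco SDM code and not part of the original guide), the following Python audit checks an IOS running-config for the state of the two services described above and emits the same remediation lines this section delivers. It assumes the IOS defaults: the BOOTP server is enabled unless `no ip bootp server` is present, and identd is disabled unless `ip identd` is present; the sample configuration is constructed.

```python
"""Audit an IOS running-config for the BOOTP server and identd services.

Example code, not Cisco SDM. Assumed IOS defaults: BOOTP server ON unless
'no ip bootp server' is configured; identd OFF unless 'ip identd' is configured.
"""
import re

# (service name, enabling command, disabling command, enabled by default?)
SERVICES = [
    ("BOOTP server", "ip bootp server", "no ip bootp server", True),
    ("IP identification (identd)", "ip identd", "no ip identd", False),
]


def _global_lines(config):
    """Yield normalized global-config lines, skipping comments, blanks and
    indented sub-mode lines (interface, line, router blocks)."""
    for raw in config.splitlines():
        if raw.startswith((" ", "\t")) or not raw.strip() or raw.lstrip().startswith("!"):
            continue
        yield re.sub(r"\s+", " ", raw.strip())


def audit(config):
    """Return {service: (enabled, remediation_line_or_None)}.

    An explicit 'no ...' line wins, then an explicit enabling line; if the
    config says nothing, the assumed IOS default applies."""
    lines = set(_global_lines(config))
    result = {}
    for name, on_cmd, off_cmd, default_on in SERVICES:
        if off_cmd in lines:
            enabled = False
        elif on_cmd in lines:
            enabled = True
        else:
            enabled = default_on
        result[name] = (enabled, off_cmd if enabled else None)
    return result


def remediation(config):
    """Global-config lines needed to disable every service still enabled."""
    return [fix for _, fix in audit(config).values() if fix]


# Constructed sample: identd explicitly enabled, BOOTP left at its default.
SAMPLE_CONFIG = """\
!
version 12.4
hostname edge-router
!
ip identd
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

if __name__ == "__main__":
    for svc, (enabled, fix) in audit(SAMPLE_CONFIG).items():
        print(f"{svc}: {'ENABLED' if enabled else 'disabled'}", f"-> {fix}" if fix else "")
```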