Security IE exam prep: CISCO Devices Security
!
DHCP services can be disabled if DHCP relay services are not required. Issue the no service dhcp command in global configuration mode.
!
no service dhcp
!
Issue the no mop enabled command in interface configuration mode in order to disable the Maintenance Operation Protocol (MOP) service.
!
no mop enabled
!
Issue the no ip domain-lookup global configuration command in order to disable Domain Name System (DNS) resolution services.
!
no ip domain-lookup
!
Issue the no service pad command in global configuration mode in order to disable the Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks.
!
no service pad
!
Issue the no service tcp-small-servers and no service udp-small-servers global configuration commands to disable the small services.
!
no service tcp-small-servers
no service udp-small-servers
!
The HTTP server can be disabled with the no ip http server command in global configuration mode, and the Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command.
!
no ip http server
no ip http secure-server
!
Unless Cisco IOS devices retrieve configurations from the network during startup, the no service config global configuration command must be used. This prevents the Cisco IOS device from attempting to locate a configuration file on the network using TFTP.
!
no service config
!
Cisco Discovery Protocol (CDP) is a network protocol that is used in order to discover other CDP-enabled devices for neighbor adjacency and network topology. CDP can be used by Network Management Systems (NMS) or during troubleshooting. CDP must be disabled on all interfaces that are connected to untrusted networks. This is accomplished with the no cdp enable interface command. Alternatively, CDP can be disabled globally with the no cdp run global configuration command. Note that CDP can be used by a malicious user for reconnaissance and network mapping.
!
no cdp run
!
Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is similar to CDP. In order to disable this feature, issue the no lldp transmit and no lldp receive interface configuration commands. Issue the no lldp run global configuration command in order to disable LLDP globally.
!
no lldp run
!
Other security options
Ensure that the device is configured to not send ICMP redirect messages.
!
no ip redirects
!
Ensure that the device is configured to not send ICMP unreachable messages.
!
no ip unreachables
!
Ensure that the proxy ARP service is not enabled on any interface.
!
no ip proxy-arp
!
Drop all packets with IP options set.
!
ip options drop
!
Ensure that the device is not forwarding IP packets with the source routing option in the header.
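The checklist above can be audited automatically against the output of show running-config. The following script is an added example, not code from the original page or from Cisco; the sample config it checks is constructed, and it assumes that a disabled service is shown verbatim as its "no ..." line (interface-level items such as no ip redirects and no ip proxy-arp are checked inside every interface block, and the per-interface CDP/LLDP commands are only required where the global no cdp run / no lldp run is absent).

```python
"""Audit a Cisco IOS running-config against the checklist above. Added example,
not the page's own code; SAMPLE_CONFIG below is constructed, not a real device."""
GLOBAL_REQUIRED = [  # expected verbatim; assumes a disabled service shows as 'no ...'
    "no service dhcp", "no ip domain-lookup", "no service pad",
    "no service tcp-small-servers", "no service udp-small-servers",
    "no ip http server", "no ip http secure-server", "no service config",
    "no cdp run", "no lldp run", "ip options drop",
]
IFACE_REQUIRED = ["no ip redirects", "no ip unreachables", "no ip proxy-arp",
                  "no mop enabled"]  # needed on every interface
IFACE_FALLBACK = {"no cdp run": ("no cdp enable",),  # per-interface form, needed
                  "no lldp run": ("no lldp transmit", "no lldp receive")}  # only if global absent

def parse_config(text):
    """Split a config into global lines and {interface_name: [sub-lines]}."""
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and cur:  # indented: inside an interface block
            ifaces[cur].append(line.strip())
            continue
        cur = line.split()[1] if line.startswith("interface ") else None
        if cur:
            ifaces[cur] = []
        elif line.strip() and not line.startswith("!"):  # '!' is a separator
            glob.append(line.strip())
    return glob, ifaces

def audit(text):
    """Return sorted (scope, missing_line) findings; [] means compliant."""
    glob, ifaces = parse_config(text)
    findings = [("global", cmd) for cmd in GLOBAL_REQUIRED if cmd not in glob]
    for name, lines in ifaces.items():
        wanted = list(IFACE_REQUIRED)
        for global_cmd, per_if in IFACE_FALLBACK.items():
            if global_cmd not in glob:
                wanted.extend(per_if)
        findings.extend((name, cmd) for cmd in wanted if cmd not in lines)
    return sorted(findings)

SAMPLE_CONFIG = """\
no ip domain-lookup
no cdp run
ip http server
!
interface GigabitEthernet0/1
 no ip redirects
!
"""
print(audit(SAMPLE_CONFIG))  # each tuple is one hardening line still missing
```

Feed it a real running-config by replacing SAMPLE_CONFIG with the file contents; an empty list means every item on this page is in place.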