Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
54 Cards in this Set
- Front
- Back
|
Default BOOTP server configuration
|
Enabled
Recommended: Disable |
|
|
Default CDP configuration
|
Enabled
Recommended: Disable if not required |
|
|
Default Configuration Auto-Loading
|
Disabled
|
|
|
Default FTP Server configuration
|
Disabled
|
|
|
Default TFTP Server configuration
|
Disabled
|
|
|
Default NTP server configuration
|
Disabled
|
|
|
Default PAD (Packet Assembler / Disassembler) service configuration
|
Enabled
Used by X.25 PAD commands Recommended: Disable if not required |
|
|
Default TCP and UDP minor services (small-servers) configuration
|
Enabled pre 11.3
Disabled 11.3+ Recommended: Disable |
|
|
Default Maintenance Operation Service (MOP) configuration
|
Enabled
Recommended: Disable |
|
|
Default SNMP configuration
|
v1 Enabled
Recommended: Disable or enable SNMPv3 |
|
|
Default HTTP Configuration and Monitoring configuration
|
Depends on the device
|
|
|
Default DNS client service configuration
|
Enabled
by default, cisco devices broadcast to 255.255.255.255 to resolve names Recommended: Disable |
|
|
Default ICMP Redirects setting
|
Enabled
Used when router has to send a packet out the same interface it was received on. Recommended: Disable |
|
|
Default IP Source Routing setting
|
Enabled
Recommended: Disable |
|
|
Default Finger service configuration (port 79)
|
Enabled
Recommended: Disable |
|
|
Default ICMP Unreachable Notifications setting
|
Enabled
Recommended: Disable on untrusted interfaces |
|
|
Default ICMP Mask Reply setting
|
Enabled
Recommended: Disable on untrusted interfaces |
|
|
Default IP (Identification Protocol) service configuration
|
Enabled
Recommended: Disable |
|
|
Default TCP Keepalives setting
|
Disabled
Recommended: Enable to prevent certain DoS attacks |
|
|
Default Gratuitous ARP setting
|
Enabled
Recommended: Disable to prevent ARP poisoning attacks |
|
|
Default Proxy ARP configuration
|
Enabled
Recommended: Disable |
|
|
Default IP Directed Broadcast configuration
|
Enabled pre 12.0
Diabled 12.0+ Recommended: Disable to prevent smurf DoS attacks |
|
|
AutoSecure functions
|
- management plane
- forwarding plane - firewall - login - NTP - SSH |
|
|
AutoSecure Management Plane services
|
PAD, UDP/TCP small-servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP, directed broadcasts, MOP, banner, password security, failed login attempts, SSH access
|
|
|
AutoSecure Forwarding Plane services
|
- CEF
- ACLs |
|
|
AutoSecure Firewall services
|
- IOS firewall
|
|
|
AutoSecure Login services
|
- password configuration
- settings for failed login attempts |
|
|
AutoSecure NTP services
|
- Authenticated NTP connectivity
|
|
|
AutoSecure SSH services
|
- hostname
- domain name - enabling SSH access |
|
|
Location of pre-AutoSecure configuration snapshot
|
Flash memory, in a file called pre_autosec.cfg
|
|
|
Command: replace running (corrupted) config with pre-AutoSecure snapshot
|
Router# configure replace flash:pre_autosec.cfg
|
|
|
Interactive AutoSecure configuration steps
|
1. Identify outside interfaces
2. Secure the management plane 3. Create a security banner 4. Configure: passwords, AAA, and SSH 5. Secure the interface settings 6. Secure the forwarding plane |
|
|
Command: Disable BOOTP server
|
Router(config)# no ip bootp server
|
|
|
Command: Disable CDP
|
Router(config)# no cdp run
|
|
|
Command: Disable configuration auto-loading
|
Router(config)# no service config
|
|
|
Command: Disable FTP server
|
Router(config)# no ftp-server enable
|
|
|
Command: Disable TFTP server
|
Router(config)# no tftp-server <file-sys:image-name>
|
|
|
Command: Disable NTP
|
Router(config)# no ntp-server <ip address>
|
|
|
Command: Disable PAD service
|
Router(config)# no service pad
|
|
|
Command: Disable small-servers
|
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers |
|
|
Command: Disable MOP
|
Router(config)# no mop enabled
|
|
|
Command: Disable SNMP
|
Router(config)# no snmp-server enable
|
|
|
Command: Disable HTTP and HTTPS
|
Router(config)# no ip http server
Router(config)# no ip http secure-server |
|
|
Command: Disable DNS client service
|
Router(config)# no ip domain-lookup
|
|
|
Command: Disable ICMP Redirects
|
Router(config)# no ip icmp redirect
Router(config-if)# no ip icmp redirects |
|
|
Command: Disable IP Source Routing
|
Router(config)# no ip source-route
|
|
|
Command: Disable Finger service
|
Router(config)# no service finger
|
|
|
Command: Disable ICMP Unreachable Notifications
|
Router(config-if)# no ip unreachables
|
|
|
Command: Disable ICMP Mask Replies
|
Router(config-if)# no ip mask-reply
|
|
|
Command: Disable IP Directed Broadcasts
|
Router(config-if)# no ip directed-broadcast
|
|
|
Command: Disable IP Identification Service
|
Router(config)# no ip identd
|
|
|
Command: Enable TCP keepalives
|
Router(config)# service tcp-keepalives-in
Router(config)# service tcp-keepalives-out |
|
|
Command: Disable Gratuitous ARP
|
Router(config)# no ip arp gratuitous
|
|
|
Command: Disable Proxy ARP
|
Router(config)# no ip arp proxy
|
