1
00:00:01,140 --> 00:00:07,640
It's good security practice to disable an used services on your network devices.

2
00:00:07,650 --> 00:00:14,430
In other words if you have services enabled on network devices that you are not using That's a potential

3
00:00:14,430 --> 00:00:23,370
vulnerability that hackers can leverage Cisco ship routers and switches with a default set of services

4
00:00:23,370 --> 00:00:28,710
enabled which are considered to be appropriate for most network deployments.

5
00:00:28,710 --> 00:00:31,800
However that may be different in some of your networks.

6
00:00:31,950 --> 00:00:36,320
So you should disable unnecessary services as an example.

7
00:00:36,370 --> 00:00:42,690
So discovery protocol those PDP is enabled by default on most Cisco devices.

8
00:00:42,690 --> 00:00:50,280
So unless you require that disable it especially on internet facing interfaces by disabling unneeded

9
00:00:50,280 --> 00:00:57,540
services you preserve resources on your network devices as well as reduce the attack area of your network

10
00:00:57,570 --> 00:00:58,680
devices.

11
00:00:58,680 --> 00:01:02,980
In other words there are fewer opportunities for hackers to hack.

12
00:01:03,070 --> 00:01:08,470
In this example I've got two Cisco routers running with ingenius three which in turn are connected to

13
00:01:08,470 --> 00:01:15,650
a hub which in turn is connected to a cloud which connects and 3 to my physical network.

14
00:01:15,700 --> 00:01:23,610
So let's look at the services on Route 1 and route to see what we can learn about the network wrote

15
00:01:23,710 --> 00:01:35,730
of one show control plane host open ports will show us which ports are active on the router.

16
00:01:36,060 --> 00:01:42,340
So in other words in this example the router is listening for telnet sessions to TZP port 23 that's

17
00:01:42,360 --> 00:01:53,950
a default config on Rotto one on router to have enabled various services show control plane host open

18
00:01:53,950 --> 00:01:59,290
ports shows us that those routers listening on TZP port 23.

19
00:01:59,410 --> 00:02:09,100
In other words telnet DNS has been enabled so its listing on TZP and UDP port 53 HTP has been enabled

20
00:02:09,610 --> 00:02:12,960
and so has the DHP service.

21
00:02:13,090 --> 00:02:21,420
If those services are not required you should disable them show SCDP neighbors shows us CTP information

22
00:02:22,000 --> 00:02:25,020
so we can see as an example out of foster Ethernet.

23
00:02:25,040 --> 00:02:35,270
0 1 there's a Cisco unified communications manager running within VM where there's a 30 750 switch there

24
00:02:35,280 --> 00:02:41,470
are two IP phones as well as a router rather one connected.

25
00:02:41,560 --> 00:02:45,320
Ethan 00 as well as rockety.

26
00:02:45,660 --> 00:02:51,760
Now because of non Cisco devices used in the topology the router may actually be seeing itself with

27
00:02:51,770 --> 00:02:59,490
CTP messages afforded by other switches in the topology Router one is available on Foster Ethan at 00

28
00:03:01,140 --> 00:03:07,750
So firstly we could launch attacks on this router using various ports that are open here including port

29
00:03:07,750 --> 00:03:08,880
80.

30
00:03:08,990 --> 00:03:16,820
So as an example or telnet to router to on the side the address on port 80

31
00:03:19,700 --> 00:03:27,110
and notice the connection has been opened I'll press control-C and you can see that the Cisco IOS server

32
00:03:27,470 --> 00:03:29,960
has now closed the connection.

33
00:03:29,960 --> 00:03:38,560
But the point is I could launch an attack on the router on port 80 port 23 is also open.

34
00:03:38,620 --> 00:03:40,550
In other words telnet.

35
00:03:41,080 --> 00:03:43,390
So is port 53.

36
00:03:43,440 --> 00:03:46,110
Notice the connection is open but the has been closed.

37
00:03:46,950 --> 00:03:55,170
I've also enabled a another port on the router so I can use the command telnet to the IP address question

38
00:03:55,170 --> 00:04:04,230
mark and I can see a list of various port numbers including the character generation port 19.

39
00:04:04,290 --> 00:04:09,400
This is not something you want to enable on a router.

40
00:04:09,550 --> 00:04:18,740
What it's doing here is getting the router to generate characters which uses up the CPQ of the router.

41
00:04:18,990 --> 00:04:20,990
And he had so not showing a lot of use.

42
00:04:20,990 --> 00:04:29,520
But the point is by doing this we try to use up C-p cycles and that's not something you typically want

43
00:04:29,520 --> 00:04:31,140
to enable on a router.

44
00:04:31,440 --> 00:04:41,180
So I could as an example open up multiple sessions to that router and looed at shows session shows me

45
00:04:41,180 --> 00:04:50,260
that I have three sessions open to the Rodda And on this round so we can look at the open ports and

46
00:04:50,260 --> 00:04:56,830
notice port 19 is established three times on the serrata there are three character generation sessions

47
00:04:56,860 --> 00:04:59,170
open to the Rodda at the moment.

48
00:04:59,530 --> 00:05:02,830
If telnet was enabled on the router

49
00:05:05,980 --> 00:05:11,940
this router could telnet to port 23 and log in.

50
00:05:12,110 --> 00:05:18,590
That's actually a lot slower than it was previously show sessions.

51
00:05:18,640 --> 00:05:21,940
Shows me that I'll have four sessions open to the Rodda

52
00:05:24,870 --> 00:05:31,930
in the output we can see a telnet session is listening but we can also see a telnet session established

53
00:05:32,320 --> 00:05:35,830
as well as the charging sessions that are established.

54
00:05:36,010 --> 00:05:42,760
So as an example if I resume session 1 that's the character generation that's taking place on the first

55
00:05:42,820 --> 00:05:44,620
session.

56
00:05:44,620 --> 00:05:50,170
Once again from a security point of view you want to lock down or remove unneeded services.

57
00:05:50,230 --> 00:05:54,430
There's no reason to have these services enabled on a router today.

58
00:05:55,460 --> 00:06:04,020
So no service TCAP small servers and UDP small servers.

59
00:06:04,020 --> 00:06:10,760
We want to disable those sessions a stool establish at the moment.

60
00:06:10,760 --> 00:06:12,730
So what I'll do is disconnect all my sessions

61
00:06:17,540 --> 00:06:25,490
those charging ports have been removed and now if we try and telnet back to the router using the charge

62
00:06:25,490 --> 00:06:28,030
and port that connection is refused.

63
00:06:29,250 --> 00:06:30,590
That's port 19.

64
00:06:30,600 --> 00:06:34,500
Notice it's refused port 80 is still open

65
00:06:38,090 --> 00:06:41,390
using the Cisco Iowas server.

66
00:06:41,390 --> 00:06:49,190
So unless you want an HDP server enabled and generally you do not just do a search for the command to

67
00:06:49,190 --> 00:06:51,080
show you.

68
00:06:51,300 --> 00:06:59,500
So in the running config we've got the HGP server enabled but the secure HDD server is disabled.

69
00:06:59,500 --> 00:07:04,610
In other words HECS is disabled and TDP is enabled.

70
00:07:04,900 --> 00:07:05,770
You don't want that.

71
00:07:05,770 --> 00:07:11,960
Once again HGP is clear text AGP is not secure.

72
00:07:11,960 --> 00:07:13,900
So you typically want to turn it off.

73
00:07:13,910 --> 00:07:18,390
It's recommended that you do not run the PDP service.

74
00:07:18,680 --> 00:07:23,330
You may want to run the secure server or SSL server way cheaper of a

75
00:07:26,940 --> 00:07:32,220
but generally unless there's a requirement you want to turn off the HGP service.

76
00:07:32,220 --> 00:07:35,600
Now why is the Rodda running a DNS service.

77
00:07:35,640 --> 00:07:39,230
There's no reason to do that before I disable that.

78
00:07:39,240 --> 00:07:40,230
Notice the change.

79
00:07:40,230 --> 00:07:46,190
Now when I try and telnet to port 80 the connection is refused.

80
00:07:46,210 --> 00:07:49,320
Whereas previously that connection was opened.

81
00:07:49,420 --> 00:07:58,580
So once again there's no real reason to run a DNS server in production on a router.

82
00:07:58,960 --> 00:08:01,850
You need to have a very good reason for doing that.

83
00:08:01,930 --> 00:08:11,270
It's going to turn off the DNS service that port is now removed and once again unless required disable

84
00:08:12,200 --> 00:08:13,090
DHP.

85
00:08:13,170 --> 00:08:19,040
So to show run you can see ADHD pull was created.

86
00:08:19,510 --> 00:08:23,970
So I'm going to disable that.

87
00:08:24,220 --> 00:08:30,820
And now when we look at the open ports we can see that only telnet is enabled.

88
00:08:30,840 --> 00:08:33,100
Generally you don't want to use telnet.

89
00:08:33,150 --> 00:08:39,990
You should be using S-sh because telnet is insecure and we can see that buddying a why shock capture

90
00:08:42,830 --> 00:08:46,020
Telenet sends packets in clear text which is not good.

91
00:08:47,430 --> 00:08:58,530
May be OK in an internal network but it's recommended that you use S-sh because I can simply capture

92
00:08:58,860 --> 00:09:03,930
your password off the wire.

93
00:09:04,300 --> 00:09:06,470
So the road is asking for the password.

94
00:09:08,580 --> 00:09:15,900
And if we scroll down the pause would see I guess CEO.

95
00:09:16,380 --> 00:09:18,300
And if we just look at that session.

96
00:09:18,570 --> 00:09:24,290
So follow the TZP Stream we'll be able to see the password and make that a bit bigger.

97
00:09:28,600 --> 00:09:35,620
So you can see the mistake I made and then the password actually entered when logging into the Rodda

98
00:09:36,860 --> 00:09:43,580
is the Viti y password and here's the Enable password or secret password on the router.

99
00:09:44,020 --> 00:09:53,740
All shown in clear text so telnet isn't an ideal way to manage networks because of the security risks.

100
00:09:53,830 --> 00:10:01,300
Once again show control hyphen plane host open ports shows you which ports are open on the Rodda also

101
00:10:01,300 --> 00:10:09,190
have a look at show run to see if any services have been enabled that shouldn't be enabled on your router.

102
00:10:09,640 --> 00:10:11,520
So at the moment this looks better.

103
00:10:13,750 --> 00:10:16,180
We're not seeing any strange services enabled.

104
00:10:18,350 --> 00:10:26,040
The command service allows you to see various services that could be enabled on a Rodda TCAP small servers

105
00:10:26,640 --> 00:10:31,430
allowed me to use the character generation on a router.

106
00:10:31,710 --> 00:10:38,910
Make sure that that and this are disabled they are disabled by default these days but just be aware

107
00:10:39,270 --> 00:10:43,250
that someone may have enabled various services on your router.

108
00:10:43,260 --> 00:10:53,880
So again use the show control plane host open ports to check which ports are open on the Rodda or other

109
00:10:53,880 --> 00:10:55,500
network device.