The vro command auto secure is easy to use, and can disable some insecure services and enable some secure services. Here is a summary of this command. (Note: ios 12.3 (1) or later versions are supported)
Summary:
1. Disable some global insecure services as follows:
Finger PAD Small Servers Bootp HTTP service Identification Service CDP NTP Source Routing |
2. enable some global security services as follows:
Password-encryption service Tuning of scheduler interval/allocation TCP synwait-time TCP-keepalives-in and tcp-kepalives-out SPD configuration No ip unreachables for null 0 |
3. Some insecure services that disable the interface are as follows:
ICMP Proxy-Arp Directed Broadcast Disables MOP service Disables icmp unreachables Disables icmp mask reply messages. |
4. Provide log security as follows:
Enables sequence numbers & timestamp Provides a console log Sets log buffered size Provides an interactive dialogue to configure the logging server ip address. |
5. Protect the Access Router as follows:
Checks for a banner and provides facility to add text to automatically configure: Login and password Transport input & output Exec-timeout Local AAA SSH timeout and ssh authentication-retries to minimum number Enable only SSH and SCP for access and file transfer to/from the router
|
6. Protect Forwarding Plane
Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available Anti-spoofing Blocks all IANA reserved IP address blocks Blocks private address blocks if customer desires Installs a default route to NULL 0, if a default route is not being used Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image, Enables NetFlow on software forwarding platforms |