
Default Parameters

Some default settings on Cisco IOS devices can create security risks. Certain features should be disabled, or their use restricted, according to the security requirements.

There are several practices for securing a device:

  • Disable unnecessary services and interfaces.
  • Disable or restrict management services such as SNMP.
  • Disable probes and scans such as ICMP.
  • Secure access to the terminal.
  • Disable gratuitous ARP and proxy ARP.
  • Disable IP directed broadcasts.

Recommendations by protocol and service:

| Feature | Default | Recommendation |
| --- | --- | --- |
| CDP | Enabled | Should be disabled globally or on a per-interface basis if it is not required |
| LLDP | Disabled | Should be disabled globally or on a per-interface basis if it is not required |
| Configuration autoloading | Disabled | Should remain disabled when not in use by the router |
| FTP server | Disabled | Should be disabled when it is not required |
| TFTP server | Disabled | Should be disabled when it is not required |
| NTP | Disabled | Should remain disabled when it is not required |
| Packet assembler/disassembler (PAD) service | Enabled | Should be explicitly disabled when not in use |
| TCP and UDP minor services | Enabled (>= version 11.3) | Disable this service explicitly |
| Maintenance Operation Protocol (MOP) service | Enabled | Should be explicitly disabled when it is not in use |
| SNMP | Enabled | Disable this service when it is not required |
| HTTP or HTTPS configuration and monitoring | Enabled (HTTP) | Disable the service if it is not required. If it is required, restrict access to the router's HTTP or HTTPS service using access control lists (ACLs) |
| DNS | Enabled | Disable when it is not required. If the DNS lookup service is required, ensure that the DNS server address is set explicitly |
| IP source routing | Enabled | Disable this service when it is not required |
| Finger service | Enabled | Disable this service when it is not required |
| ICMP redirects | Enabled | Disable when it is not required |
| ICMP unreachable notifications | Enabled | Disable on interfaces to untrusted networks |
| ICMP mask reply | Disabled | Disable on interfaces to untrusted networks |
| IP identification service | Enabled | Should be explicitly disabled |
| TCP keepalives | Disabled | Should be enabled globally to manage TCP connections and prevent certain denial of service (DoS) attacks. The service is enabled in Cisco IOS Software releases before Cisco IOS Release 12.0 and disabled in Cisco IOS Release 12.0 and later. Disable this service when it is not required |
| Gratuitous ARP (GARP) | Enabled | Disable gratuitous ARPs on each router interface unless this service is needed |
| Proxy ARP | Enabled | Disable this service on each interface unless the router is being used as a LAN bridge |
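As an added example (not part of the original page), the following Python script audits a saved `show running-config` against the recommendations above. It assumes standard IOS command syntax for the hardening lines (e.g. `no cdp run`, `no ip proxy-arp`) and that a line absent from the running-config means the listed default is still in effect; the sample config is constructed.

```python
# Global-mode lines whose presence means the table's recommendation is applied
# (added example, not the page's own code; the commands are standard IOS syntax).
GLOBAL_EXPECTED = {
    "CDP": "no cdp run",
    "PAD service": "no service pad",
    "TCP minor services": "no service tcp-small-servers",
    "HTTP server": "no ip http server",
    "IP source routing": "no ip source-route",
    "TCP keepalives": "service tcp-keepalives-in",
    "Gratuitous ARP": "no ip gratuitous-arps",
}
# Interface-mode lines expected on every interface facing an untrusted network.
INTERFACE_EXPECTED = {
    "Proxy ARP": "no ip proxy-arp",
    "ICMP redirects": "no ip redirects",
    "ICMP unreachables": "no ip unreachables",
}

def parse_config(text):
    """Split running-config text into global lines and {interface: lines}."""
    global_lines, interfaces, current = set(), {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith("!"):            # '!' closes the current section
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        elif line:                          # any other top-level line
            current = None
            global_lines.add(line)
    return global_lines, interfaces

def audit(text):
    """Return (feature, scope) pairs whose hardening line is absent from the config."""
    global_lines, interfaces = parse_config(text)
    findings = [(f, "global") for f, cmd in GLOBAL_EXPECTED.items() if cmd not in global_lines]
    for name, lines in interfaces.items():
        findings += [(f, name) for f, cmd in INTERFACE_EXPECTED.items() if cmd not in lines]
    return findings

# Constructed sample running-config, not captured from a real device.
SAMPLE = """no service pad
no ip source-route
!
interface GigabitEthernet0/0
 no ip proxy-arp
!
"""
```

Running `audit(SAMPLE)` lists every feature from the tables that the sample leaves at its default, per scope; an empty list means all expected hardening lines are present.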