The following are some of the samples available under Compliance, Service Exploit Reduction in the Library Manager.

Move your cursor over each sample to view a description of the samples within this category.

Add Anti Spoofing Entries

Need information

Disable Directed Broadcast Service per Specified Interface

This test ensures IP Directed Broadcast is disabled, and if not ,IP Directed Broadcast is disabled.

An IP Directed Broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.

If directed broadcast is enabled for an interface, incoming IP packets, whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached, are exploded as broadcasts on that subnet.  

Since directed broadcasts, and particularly Internet Control Message Protocol (ICMP) directed broadcasts, have been abused by malicious persons, it is advisable that security-conscious users disable the IP Directed Broadcast command on any interface where directed broadcasts are not needed, and use Access Control Lists to limit the number of exploded packets.

Disable ICMP Mask Reply Services per Interfaces

This test ensures ICMP Mask Reply is disabled, and if not, ICMP Mask Reply is disabled.

ICMP Mask Reply allows the Cisco IOS software to respond to Internet Control Message Protocol (ICMP) mask requests by sending ICMP mask reply messages.

Disable ICMP Redirects Services per Interface

This test ensures the ICMP Redirects Services are disabled, and if not, the ICMP Redirects Services are disabled.

An ICMP redirect message can be generated by a router when a packet is received, and transmitted on the same interface. In this situation, the router  forwards the original packet, and sends an ICMP redirect message back to the sender of the original packet.

This behavior allows the sender to bypass the router, and forward future packets directly to the destination or to a router closer to the destination. Previously, if the Hot Standby Router Protocol (HSRP) was configured on an interface, ICMP redirect messages were disabled (by default) for the interface.

With Cisco IOS Release 12.1(3)T, ICMP redirect messages are enabled by default, if HSRP is configured.

Disable IP Unreachable Service per Interface

This test ensures the IP Unreachable Services are disabled, and if not, the IP Unreachable Services are disabled.

IP unreachable messages can be used to map out the network topology. It is advisable to disable the IP Unreachable Services on all interfaces.

Disable MOP on all interfaces

This test ensures an interface does not have a Maintenance Operation Protocol (MOP) enabled, and if it does, it disables it.

Disable Proxy Arp Services per Interface

This test ensures Proxy Arp Services are disabled, and if not, Proxy Arp Services are disabled.

If Proxy Arp Services are enabled, a machine can claim to be another, to intercept packets; an act called spoofing.

Filter RFC 1918 Address Space

This test checks if the defined RFC 1918 Restricted Addresses are denied, and if not, the device is flagged as non-compliant.

Filter RFC 3330 Special Use Address

This test checks if the defined RFC 3330 Special Use Address is denied, and if not, the device is flagged as non-compliant.

Loopback Interface

This test ensures there is at least one loopback interface. If no loopback interface is found, it is flagged as non-compliant, and the remedy pushes a loopback interface specified by the user.