This should not be a surprise to other network administrators out there, but the Cisco IOS network device operating system is *not* secure by default. You need to make sure to take extra steps to lock your device down for production use.
There are plenty of good security guides on the web for Cisco IOS security configuration, including quite a few directly from Cisco. I will not try to create a guide here, but here are a few security-relevant settings that were on my mind recently.
- Proxy ARP is enabled on all interfaces by default. This should be disabled on each interface:
  - `no ip proxy-arp`
- Source routing is enabled by default. This should be disabled globally:
  - `no ip source-route`
- CDP is enabled by default. This should be disabled both globally and on each interface:
  - `no cdp run` (global)
  - `no cdp enable` (per interface)
- Cisco Guide to Harden Cisco IOS Devices (cisco.com) – includes the above items and *many* others. Definitely a worthwhile read for the security-conscious Cisco networking professional.
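As an added example (not from the original post and not Cisco's own tooling), the following Python script audits a saved running-config for the three settings listed above. It relies on how IOS displays configuration: a default that is still in effect prints nothing, so the only evidence that proxy ARP, source routing or CDP has been turned off is the presence of the matching `no ...` line, and the script treats the absence of each line as a finding and renders the missing commands as a config-mode snippet. The sample configuration embedded in it is constructed, and the choice to check proxy ARP only on interfaces that carry an `ip address` statement is an assumption made here to keep Layer 2 ports out of the report.

```python
"""Audit a saved Cisco IOS running-config for the three insecure defaults.

A default that is left in place is invisible in the running-config; the
only evidence that proxy ARP, source routing or CDP has been disabled is
the corresponding "no ..." line. Absence of that line is therefore a finding.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (scope, missing command); scope is "global" or an interface name

# Constructed sample config (not from a real device): Gi0/0 is hardened,
# Gi0/1 is left at its defaults, and source routing is disabled globally.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
no ip source-route
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet0/1
 description user lan
 ip address 198.51.100.1 255.255.255.0
!
end
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level lines and per-interface sub-commands.

    IOS indents sub-commands with a single space and ends each block with '!'.
    """
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> List[Finding]:
    """Return (scope, command) pairs for every hardening line that is missing."""
    global_lines, interfaces = parse_config(text)
    findings: List[Finding] = []
    for cmd in ("no ip source-route", "no cdp run"):
        if cmd not in global_lines:
            findings.append(("global", cmd))
    for name, cmds in interfaces.items():
        # Assumption: proxy ARP is only relevant on interfaces with an IP address.
        has_ip = any(c.startswith("ip address ") for c in cmds)
        if has_ip and "no ip proxy-arp" not in cmds:
            findings.append((name, "no ip proxy-arp"))
        if "no cdp enable" not in cmds:
            findings.append((name, "no cdp enable"))
    return findings


def remediation(findings: List[Finding]) -> str:
    """Render the missing commands as a config-mode snippet, grouped by interface."""
    lines: List[str] = [cmd for scope, cmd in findings if scope == "global"]
    # dict.fromkeys keeps first-seen order while de-duplicating interface names
    for iface in dict.fromkeys(s for s, _ in findings if s != "global"):
        lines.append(f"interface {iface}")
        lines.extend(f" {cmd}" for s, cmd in findings if s == iface)
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG)
    for scope, cmd in found:
        print(f"{scope}: missing '{cmd}'")
    print("--- remediation ---")
    print(remediation(found))
```

Run it against the output of `show running-config` saved to a file (swap `SAMPLE_CONFIG` for the file contents); on the constructed sample it reports the missing global `no cdp run` and both per-interface lines on GigabitEthernet0/1, and emits exactly the commands needed to close them.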