From Perimeter L3 Switch Security Technical Implementation Guide - Cisco
Part of HTTP server is not disabled
The additional services the router is enabled for increases the risk for an attack since the router will listen for these services. In addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. Any additional services that are enabled increase the risk for an attack since the router will listen for these services. The HTTPS server may be enabled for administrative access.
Verify the command "ip http-server" is not enabled in the configuration (the HTTPS server may be enabled for administrative access). As of 12.4, the http server is disabled by default. However, since many defaults are not shown by IOS, you may not see the command "no ip http-server" in the configuration depending on the release. If the HTTP server is enabled, this is a finding.
Configure the device to disable using HTTP (port 80) for administrative access.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer