However, Ethernet emulation is becoming quite popular and very price
competitive.

I have clients who have HSRP running on what would normally be called "WAN"
ports but they are Ethernet.  The HSRP virtual address is visible to the
world and therefore it is vulnerable.

I agree that traditionally HSRP has been used on the inside interfaces so
therefore your vulnerability is from the inside where you should have
personnel/physical security in place.

IPSec is cool but involves more cost to deploy an IPSec capable IOS/router
if you're not already using IPSec.  Perhaps this is just another reason to
do so.

Someone also commented on the overhead of IPSec encrypting/decrypting HSRP
hellos every 3 seconds.  Perhaps adjusting the HSRP timers would alleviate
this.

But times they are a changing.  The lines between LAN and WAN are blurring.
It seems Brian's solution for an access-list will be a stop gap measure for
now.

Kevin Wigle

----- Original Message -----
From: Priscilla Oppenheimer 
To: 
Sent: Tuesday, May 08, 2001 1:38 PM
Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]


> The HSRP "exploits" aren't anything new. If you have physical access to the
> target LAN, the ability to sniff packets, and the ability to send packets,
> of course you can wreak havoc. Not only could you send bad HSRP packets but
> you could respond to ARPs, send bad routing protocol packets, etc. etc.
> etc. The only real solutions are physical security and hiring people you
> trust!?
>
> Also, instead of using HSRP you could use the Virtual Router Redundancy
> Protocol (VRRP) defined in RFC 2338. VRRP is the standards-track
> replacement for HSRP.
> The Security Considerations section explains authentication options,
> including using IPSec.
>
> Priscilla
>
> At 11:20 PM 5/7/01, Andy Low wrote:
> >Hi TAC,
> >
> >Anyone know of any solutions to the HSRP exploits?
> >
> >http://www.securityfocus.com/bid/2684
> >
> >-andy-
> >FAQ, list archives, and subscription info:
> >http://www.groupstudy.com/list/cisco.html
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3657&t=3534
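The thread talks about spoofed HSRP hellos and coups on a segment where the virtual address is reachable, and about an access-list as a stop-gap. The following is an added example, not code from any poster in this thread: it decodes HSRPv1 packets (the 20-byte RFC 2281 header carried in UDP port 1985 to 224.0.0.2) and audits a batch of them against the set of routers that are supposed to speak HSRP for a group. The router addresses, the auth string and all sample packets are constructed for the example (RFC 5737 documentation addresses), not captured traffic.

```python
"""Decode HSRPv1 (RFC 2281) packets and flag ones a host should not have sent.

Added example, not code from the mailing-list thread. Assumes the UDP
payload (port 1985 -> 224.0.0.2) has already been captured; the sample
packets and addresses below are constructed, not real captures.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HSRP_PORT = 1985
HSRP_FMT = "!BBBBBBBB8s4s"  # version, opcode, state, hellotime, holdtime,
HSRP_LEN = struct.calcsize(HSRP_FMT)  # priority, group, reserved, auth, vip
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


@dataclass(frozen=True)
class Hsrp:
    version: int
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str
    virtual_ip: str


def parse_hsrp(payload: bytes) -> Hsrp:
    """Decode one HSRPv1 packet; raise ValueError on malformed input."""
    if len(payload) < HSRP_LEN:
        raise ValueError("short HSRP packet")
    ver, op, state, hello, hold, prio, group, _res, auth, vip = struct.unpack(
        HSRP_FMT, payload[:HSRP_LEN]
    )
    if ver != 0:  # HSRPv1 carries version 0 on the wire
        raise ValueError(f"unsupported HSRP version {ver}")
    return Hsrp(ver, op, state, hello, hold, prio, group,
                auth.rstrip(b"\x00").decode("ascii", "replace"),
                str(IPv4Address(vip)))


def build_hsrp(opcode, state, priority, group, auth, vip, hello=3, hold=10) -> bytes:
    """Build a packet; used here only to construct sample input."""
    return struct.pack(HSRP_FMT, 0, opcode, state, hello, hold, priority, group, 0,
                       auth.encode().ljust(8, b"\x00"), IPv4Address(vip).packed)


def audit(observed, routers, expected_auth, max_priority):
    """Return (source_ip, reason) for each packet that should not appear if
    only the real routers speak HSRP on this segment.

    observed      : iterable of (source_ip, udp_payload) seen on port 1985
    routers       : set of legitimate router addresses for this group
    expected_auth : plain-text auth string the routers are configured with
    max_priority  : highest priority a legitimate router is configured with
    """
    findings = []
    for src, payload in observed:
        try:
            pkt = parse_hsrp(payload)
        except ValueError as exc:
            findings.append((src, f"malformed: {exc}"))
            continue
        if src not in routers:
            findings.append((src, f"{OPCODES.get(pkt.opcode, pkt.opcode)} from non-router source"))
        if pkt.auth != expected_auth:
            findings.append((src, f"auth string {pkt.auth!r} does not match"))
        if pkt.priority > max_priority:
            findings.append((src, f"priority {pkt.priority} exceeds configured maximum {max_priority}"))
    return findings


# Constructed sample segment: two real routers (default priority 100 / 90,
# default auth "cisco"), one host sending a priority-255 coup, one junk datagram.
ROUTERS = {"192.0.2.2", "192.0.2.3"}
SAMPLE = [
    ("192.0.2.2", build_hsrp(0, 16, 100, 1, "cisco", "192.0.2.1")),  # legitimate active
    ("192.0.2.3", build_hsrp(0, 8, 90, 1, "cisco", "192.0.2.1")),    # legitimate standby
    ("192.0.2.77", build_hsrp(1, 16, 255, 1, "cisco", "192.0.2.1")), # rogue coup
    ("192.0.2.78", b"\x00\x00"),                                      # truncated datagram
]

if __name__ == "__main__":
    for src, reason in audit(SAMPLE, ROUTERS, "cisco", 100):
        print(f"{src}: {reason}")
```

Two caveats worth keeping in mind when using a check like this alongside an access-list: the HSRPv1 authentication field is eight bytes of clear text, so anyone who can sniff the hellos (the precondition Priscilla describes) also knows the string, and the auth check only catches an attacker who never bothered to look; likewise the source-address check assumes the rogue sender did not spoof a real router's address, which nothing on the segment prevents. The priority check is the one that survives both, since a coup only works if the priority beats the legitimate active router's.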