Priscilla Oppenheimer wrote:
>
> On Catalyst switches, you can use the "set port host" macro. It
> turns a bunch of stuff off.
>
> That won't help with HSRP, though. HSRP is definitely hackable.
> If you can see the packets, you can see the unencrypted
> authentication string, and then you can claim to be the active
> router yourself and all traffic will go to you instead of where
> it should go. I've done it! :-)
>
> You should check to see if Cisco ever fixed this, though. Maybe
> they use a stronger authentication method now. I'll see if I can
> find out.....
They don't seem to have fixed this! Unbelievable. It's a gaping hole,
(although to exploit it you have to have access to the LAN.)

P.

> _______________________________
>
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com
>
> s vermill wrote:
> >
> > Larry Letterman wrote:
> > >
> > > disable STP on the port...
> > >
> > > --
> > >
> > > Larry Letterman
> > > Network Engineer
> > > Cisco Systems
> >
> > Thanks Larry. I've never claimed to be a security expert. I
> > generally get the network going and let the local policy folk
> > implement what they see fit. I guess turning off STP is a
> > start, but I thought that I once ran across a simple command
> > that made an access port truly an access port. As part of a
> > turnover process, a security audit was conducted on a network
> > we've recently built. One of the red flags thrown at us was
> > that STP, HSRP, and VTP information could be passively
> > collected. All true. So are L2 ACLs the only answer? I
> > thought Cisco addressed this in some way, but again, I
> > sometimes remember things that never happened.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61811&t=61796
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
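The thread's two points, that the HSRP v1 authentication string travels in the clear and that a router announcing a higher priority can claim the active role, are exactly what a monitoring check on the segment has to look for. The following is an added example, not code from this list or any of its posters: it decodes constructed HSRP v1 payloads laid out per RFC 2281 (UDP port 1985) and flags plaintext or default authentication and unexpected claimants; the inventory of legitimate routers and their priorities is an assumption supplied by the caller.

```python
import struct

# HSRP v1 layout from RFC 2281 (20 bytes inside UDP/1985): version, opcode,
# state, hellotime, holdtime, priority, group, reserved, 8-byte authentication
# data (sent in the clear, default "cisco"), 4-byte virtual IP.
HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

# Constructed sample payloads (not captures): a normal active-router hello with
# the default auth string, and a coup from an unlisted host with priority 255.
SAMPLE_HELLO = bytes([1, 0, 16, 3, 10, 100, 1, 0]) + b"cisco\x00\x00\x00" + bytes([10, 0, 0, 1])
SAMPLE_COUP = bytes([1, 1, 4, 3, 10, 255, 1, 0]) + b"s3cret\x00\x00" + bytes([10, 0, 0, 1])


def parse_hsrp(payload):
    """Decode one HSRP v1 payload into a dict; raise ValueError if malformed."""
    if len(payload) < struct.calcsize(HSRP_FMT):
        raise ValueError("short HSRP payload")
    ver, op, state, hello, hold, prio, group, _, auth, vip = struct.unpack(
        HSRP_FMT, payload[:20])
    if ver != 1:
        raise ValueError("not HSRP version 1")
    return {"opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode(errors="replace"),
            "vip": ".".join(str(b) for b in vip)}


def audit_hsrp(src_ip, payload, known_routers):
    """Return (parsed packet, findings). known_routers maps each legitimate
    router's IP to its configured priority (assumed inventory)."""
    pkt = parse_hsrp(payload)
    # Every v1 packet exposes the auth string to anyone who can see it on the
    # segment, so that is always worth recording; the default value is worse.
    findings = ["plaintext-auth"]
    if pkt["auth"] == "cisco":
        findings.append("default-auth")
    if src_ip not in known_routers:
        findings.append("unknown-source")
        top = max(known_routers.values(), default=0)
        # A hello or coup from an unlisted host at or above the real active
        # router's priority is the takeover pattern described in the thread.
        if pkt["opcode"] in ("hello", "coup") and (
                pkt["priority"] >= top or pkt["state"] == "active"):
            findings.append("active-takeover-attempt")
    return pkt, findings
```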

