Priscilla Oppenheimer wrote:

> Priscilla Oppenheimer wrote:
>
> > On Catalyst switches, you can use the "set port host" macro. It
> > turns a bunch of stuff off.
> >
> > That won't help with HSRP, though. HSRP is definitely hackable.
> > If you can see the packets, you can see the unencrypted
> > authentication string, and then you can claim to be the active
> > router yourself and all traffic will go to you instead of where
> > it should go. I've done it! :-)
> >
> > You should check to see if Cisco ever fixed this, though. Maybe
> > they use a stronger authentication method now. I'll see if I can
> > find out.....
>
> They don't seem to have fixed this! Unbelievable. It's a gaping
> hole (although to exploit it you have to have access to the LAN).
>
> P.
>
> > _______________________________
> >
> > Priscilla Oppenheimer
> > www.troubleshootingnetworks.com
> > www.priscilla.com
Thanks Priscilla. I found it interesting that the security consultants made note of these "findings" and made a strong recommendation that we fix them. No suggestions on how to do so were offered. I imagine there is an L2 ACL solution or something along those lines. I was hoping for something clean, but I guess it's time to earn our paycheck.

Regards,
Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61814&t=61796
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
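The weakness Priscilla describes (the HSRP authentication string travels in the clear, so anyone on the segment who can read one hello can copy it into a higher-priority hello of their own) is easy to see in the packet format itself. The following is an added example, not code from either poster or from Cisco: it decodes the fixed 20-byte HSRP version 1 message as laid out in RFC 2281 (version, opcode, state, hellotime, holdtime, priority, group, reserved, an 8-byte plaintext authentication field, then the virtual IP), shows the authentication string falling straight out of the bytes, and runs a small detector over a constructed capture that flags hellos for the group arriving from a source that is not one of the known routers. The sample packets, the addresses 10.0.0.1/.2/.3/.99 and the "trusted sources" list are all assumptions made up for the example; "cisco" is simply the value Cisco uses when no authentication string is configured.

```python
import struct
from dataclasses import dataclass

# HSRPv1 constants from RFC 2281.
HSRP_OP_HELLO = 0
HSRP_STATE_STANDBY = 8
HSRP_STATE_ACTIVE = 16
STATE_NAMES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak",
               8: "Standby", 16: "Active"}

# RFC 2281 wire layout: 8 single-byte fields, 8 bytes of auth data, 4-byte virtual IP.
HSRP_V1_FMT = "!8B8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)  # 20 bytes


@dataclass
class HsrpHello:
    version: int
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str        # the "authentication" string, carried in plaintext
    virtual_ip: str


def build_hsrp_v1(opcode, state, hellotime, holdtime, priority, group, auth, virtual_ip):
    """Encode an HSRPv1 message. Used here only to construct sample traffic."""
    auth_bytes = auth.encode("ascii")
    if len(auth_bytes) > 8:
        raise ValueError("HSRPv1 authentication data is at most 8 bytes")
    vip = bytes(int(octet) for octet in virtual_ip.split("."))
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth_bytes.ljust(8, b"\x00"), vip)


def parse_hsrp_v1(payload: bytes) -> HsrpHello:
    """Decode the UDP payload of an HSRPv1 packet (UDP port 1985)."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("too short for HSRPv1 (%d < %d bytes)" % (len(payload), HSRP_V1_LEN))
    (version, opcode, state, hellotime, holdtime, priority, group, _reserved,
     auth_raw, vip_raw) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError("not HSRPv1 (version byte %d)" % version)
    # Nothing protects this field: it is eight bytes of text, zero padded.
    auth = auth_raw.rstrip(b"\x00").decode("ascii", errors="replace")
    return HsrpHello(version, opcode, state, hellotime, holdtime, priority, group,
                     auth, ".".join(str(b) for b in vip_raw))


def rogue_hellos(observed, trusted_sources, expected_vip, group):
    """Flag HSRP messages for (group, expected_vip) that come from anyone other
    than the routers we know own that group. observed is a list of
    (source_ip, udp_payload) pairs as a sniffer or flow sensor would hand over."""
    alerts = []
    for src, payload in observed:
        try:
            h = parse_hsrp_v1(payload)
        except ValueError as exc:
            alerts.append((src, "malformed HSRP: %s" % exc))
            continue
        if h.group != group or h.virtual_ip != expected_vip:
            continue  # some other group; not our concern here
        if src not in trusted_sources:
            # A stranger speaking for our group is the attack Priscilla describes;
            # a higher priority than the real active router (and preemption) is
            # what lets it take the virtual IP over.
            alerts.append((src, "untrusted source advertising group %d as %s with priority %d, auth=%r"
                           % (h.group, STATE_NAMES.get(h.state, h.state), h.priority, h.auth)))
    return alerts


# Constructed sample capture (assumption): two legitimate routers and one attacker
# that copied the sniffed authentication string and bumped the priority to 255.
SAMPLE_CAPTURE = [
    ("10.0.0.2", build_hsrp_v1(HSRP_OP_HELLO, HSRP_STATE_ACTIVE, 3, 10, 100, 1, "cisco", "10.0.0.1")),
    ("10.0.0.3", build_hsrp_v1(HSRP_OP_HELLO, HSRP_STATE_STANDBY, 3, 10, 90, 1, "cisco", "10.0.0.1")),
    ("10.0.0.99", build_hsrp_v1(HSRP_OP_HELLO, HSRP_STATE_ACTIVE, 3, 10, 255, 1, "cisco", "10.0.0.1")),
]
TRUSTED_ROUTERS = {"10.0.0.2", "10.0.0.3"}


def demo():
    """Return the alerts the detector raises on the constructed capture."""
    return rogue_hellos(SAMPLE_CAPTURE, TRUSTED_ROUTERS, "10.0.0.1", 1)


if __name__ == "__main__":
    for src, payload in SAMPLE_CAPTURE:
        print(src, parse_hsrp_v1(payload))
    for src, reason in demo():
        print("ALERT", src, reason)
```

The parser is the whole point: the authentication field is just eight bytes of text, so "seeing the packets" really is all an attacker needs. The detector is the cheap compensating control a network team can run from a span port while the real fix (keeping untrusted hosts off the router segment, as Scott's "L2 ACL" idea suggests) is worked out; it keys on source address only, which is itself spoofable, so treat it as an alarm, not as prevention.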

