Oh, good point regarding fixing the HSRP "hole." An access list solves the
problem.

For your other issues, though, you don't need an access list probably, just
"set port host" if your switch supports it (or something similar on other
switches).

The Center for Internet Security has some good info for Cisco routers, by
the way, but not much for switches. See here:

http://www.cisecurity.org/

P.

s vermill wrote:
> 
> Priscilla Oppenheimer wrote:
> > 
> > Priscilla Oppenheimer wrote:
> > > 
> > > On Catalyst switches, you can use the "set port host" macro. It
> > > turns a bunch of stuff off.
> > > 
> > > That won't help with HSRP, though. HSRP is definitely hackable.
> > > If you can see the packets, you can see the unencrypted
> > > authentication string, and then you can claim to be the active
> > > router yourself and all traffic will go to you instead of where
> > > it should go. I've done it! :-)
> > > 
> > > You should check to see if Cisco ever fixed this, though. Maybe
> > > they use a stronger authentication method now. I'll see if I can
> > > find out.....
> > 
> > They don't seem to have fixed this! Unbelievable. It's a gaping
> > hole (although to exploit it you have to have access to the
> > LAN).
> > 
> > P.
> > 
> > > 
> > > _______________________________
> > > 
> > > Priscilla Oppenheimer
> > > www.troubleshootingnetworks.com
> > > www.priscilla.com
> > > 
> > > 
> > > 
> 
> Thanks Priscilla.  I found it interesting that the security
> consultants made note of these "findings" and made a strong
> recommendation that we fix them.  No suggestions on how to do
> so were offered.  I imagine there is a L2 ACL solution or
> something along those lines.  I was hoping for something clean,
> but I guess it's time to earn our paycheck.
> 
> Regards,
> 
> Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61818&t=61796
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
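The takeover Priscilla describes above (sniff the cleartext authentication field, then announce yourself as the active router) can be made concrete with a small decoder and audit over HSRPv1 traffic. This is an added example, not code from the thread or from Cisco: it decodes the HSRPv1 packet layout from RFC 2281 (UDP/1985 to 224.0.0.2, an 8-byte plaintext auth field, default "cisco"), shows what an on-LAN observer learns from the hellos, and flags a higher-priority Hello/Coup from a source that is not one of the known routers. The capture, the addresses 10.0.0.x, group 1 and the priorities are all constructed for the example.

```python
"""Decode HSRPv1 (RFC 2281) packets and flag the cleartext-auth takeover.

Added example for the thread above, not the original poster's code.
All sample traffic below is constructed.
"""
import struct
from dataclasses import dataclass

HSRP_UDP_PORT = 1985       # HSRPv1 hellos go to UDP/1985, 224.0.0.2
DEFAULT_AUTH = "cisco"     # factory-default HSRPv1 authentication string
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth[8], virtual IP[4]
HSRP_HEADER = struct.Struct("!8B8s4s")


@dataclass
class HsrpPacket:
    version: int
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str          # the 8-byte auth field, carried in the clear
    virtual_ip: str


def parse_hsrp(payload: bytes) -> HsrpPacket:
    """Decode one 20-byte HSRPv1 UDP payload."""
    if len(payload) < HSRP_HEADER.size:
        raise ValueError("HSRPv1 payload is 20 bytes")
    ver, op, st, hello, hold, prio, grp, _rsvd, auth, vip = HSRP_HEADER.unpack(
        payload[:HSRP_HEADER.size])
    if ver != 0:
        raise ValueError(f"not HSRPv1 (version {ver})")
    return HsrpPacket(ver, op, st, hello, hold, prio, grp,
                      auth.rstrip(b"\x00").decode("ascii", "replace"),
                      ".".join(str(b) for b in vip))


def build_hsrp(opcode, state, priority, group, auth, virtual_ip, hellotime=3, holdtime=10):
    """Encode an HSRPv1 packet; used here only to construct the sample capture."""
    vip = bytes(int(o) for o in virtual_ip.split("."))
    return HSRP_HEADER.pack(0, opcode, state, hellotime, holdtime, priority, group, 0,
                            auth.encode("ascii")[:8].ljust(8, b"\x00"), vip)


def sniffed_auth(packets):
    """What anyone on the LAN learns from the hellos: the auth strings, unencrypted."""
    return sorted({parse_hsrp(p).auth for _, p in packets})


def audit_hsrp(packets, known_routers):
    """Walk (src_ip, payload) pairs; return de-duplicated finding strings.

    known_routers maps group -> {router_ip: configured_priority} for the
    legitimate routers (an assumption the operator supplies).
    """
    findings = []

    def note(msg):
        if msg not in findings:
            findings.append(msg)

    for src, payload in packets:
        pkt = parse_hsrp(payload)
        op = OPCODES.get(pkt.opcode, "?")
        legit = known_routers.get(pkt.group, {})
        top = max(legit.values(), default=0)
        if pkt.auth == DEFAULT_AUTH:
            note(f"group {pkt.group}: {src} uses the default auth string "
                 f"'{DEFAULT_AUTH}' (cleartext)")
        if src not in legit:
            note(f"group {pkt.group}: {op} from unknown source {src} "
                 f"with priority {pkt.priority}")
            if pkt.priority >= top:
                note(f"group {pkt.group}: {src} outbids the highest legitimate "
                     f"priority ({top}) -> takeover of {pkt.virtual_ip}")
        elif pkt.priority != legit[src]:
            note(f"group {pkt.group}: {src} announces priority {pkt.priority}, "
                 f"configured {legit[src]}")
    return findings


# Constructed capture: two real routers, then an attacker replaying the sniffed auth.
GROUP, VIP = 1, "10.0.0.1"
KNOWN = {GROUP: {"10.0.0.2": 110, "10.0.0.3": 100}}
SAMPLE = [
    ("10.0.0.2", build_hsrp(0, 16, 110, GROUP, DEFAULT_AUTH, VIP)),   # legit Active hello
    ("10.0.0.3", build_hsrp(0, 8, 100, GROUP, DEFAULT_AUTH, VIP)),    # legit Standby hello
    ("10.0.0.99", build_hsrp(1, 4, 255, GROUP, DEFAULT_AUTH, VIP)),   # attacker Coup, sniffed auth
    ("10.0.0.99", build_hsrp(0, 16, 255, GROUP, DEFAULT_AUTH, VIP)),  # attacker now claims Active
]

if __name__ == "__main__":
    print("auth strings visible on the wire:", sniffed_auth(SAMPLE))
    for finding in audit_hsrp(SAMPLE, KNOWN):
        print("ALERT", finding)
```

To run this over real traffic, feed it the UDP/1985 payloads from a capture as (source IP, bytes) pairs; the audit only needs the payload bytes and the operator's list of legitimate routers, so it fits in a span-port monitor without touching the routers.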
