Priscilla Oppenheimer wrote:
>
> Oh, good point regarding fixing the HSRP "hole." An access list
> solves the problem.
>
> For your other issues, though, you don't need an access list
> probably, just "set port host" if your switch supports it (or
> something similar on other switches).

These are 6509s. 'set port host' sounds like maybe what I was trying to remember. I plan to stick an analyzer on a port for a while, start a new capture file, and then issue the above. I'll post what I observe. Unfortunately, it won't be until at least next week before I get back to that customer site. Thanks again.

> The Center for Internet Security has some good info for Cisco
> routers, by the way, but not much for switches. See here:
>
> http://www.cisecurity.org/
>
> P.
>
> s vermill wrote:
> >
> > Priscilla Oppenheimer wrote:
> > >
> > > Priscilla Oppenheimer wrote:
> > > >
> > > > On Catalyst switches, you can use the "set port host" macro. It
> > > > turns a bunch of stuff off.
> > > >
> > > > That won't help with HSRP, though. HSRP is definitely hackable.
> > > > If you can see the packets, you can see the unencrypted
> > > > authentication string, and then you can claim to be the active
> > > > router yourself and all traffic will go to you instead of where
> > > > it should go. I've done it! :-)
> > > >
> > > > You should check to see if Cisco ever fixed this, though. Maybe
> > > > they use a stronger authentication method now. I'll see if I can
> > > > find out.....
> > >
> > > They don't seem to have fixed this! Unbelievable. It's a gaping
> > > hole (although to exploit it you have to have access to the LAN).
> > >
> > > P.
> > >
> > > > _______________________________
> > > >
> > > > Priscilla Oppenheimer
> > > > www.troubleshootingnetworks.com
> > > > www.priscilla.com
> >
> > Thanks Priscilla. I found it interesting that the security
> > consultants made note of these "findings" and made a strong
> > recommendation that we fix them. No suggestions on how to do so
> > were offered. I imagine there is a L2 ACL solution or something
> > along those lines. I was hoping for something clean, but I guess
> > it's time to earn our paycheck.
> >
> > Regards,
> >
> > Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61821&t=61796
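Added example, not part of the thread above: a small Python decoder for HSRP version 1 packets that shows the cleartext authentication field Priscilla describes, plus a check that flags HSRP traffic from a host that is not one of the configured routers (a higher priority or a coup from such a host is the takeover she is talking about). The packet layout follows RFC 2281 (UDP/1985 to 224.0.0.2, 20-byte payload); the frames, IP addresses, group number and priorities are constructed for this example and are not from any capture.

```python
"""Decode HSRPv1 hellos and flag a priority-hijack attempt.

HSRP version 1 (RFC 2281) carries a 20-byte UDP/1985 payload:
version, opcode, state, hellotime, holdtime, priority, group, reserved,
8 bytes of cleartext authentication data (default "cisco"), virtual IP.
All sample packets below are constructed for this example.
"""
import struct
from dataclasses import dataclass

HSRP_FMT = "!BBBBBBBB8s4s"  # 20 bytes, network byte order
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


@dataclass
class HsrpPacket:
    src_ip: str
    opcode: str
    state: str
    priority: int
    group: int
    auth: str
    virtual_ip: str


def parse_hsrp(src_ip: str, payload: bytes) -> HsrpPacket:
    """Decode one HSRPv1 payload. The auth field is plain ASCII padded with
    NULs, which is why anyone sniffing the LAN learns it."""
    if len(payload) < struct.calcsize(HSRP_FMT):
        raise ValueError("short HSRP payload")
    (ver, op, state, _hello, _hold, prio, group, _rsvd,
     auth, vip) = struct.unpack(HSRP_FMT, payload[:20])
    if ver != 0:  # HSRPv1 puts 0 in the version byte
        raise ValueError(f"unsupported HSRP version {ver}")
    return HsrpPacket(
        src_ip=src_ip,
        opcode=OPCODES.get(op, f"unknown({op})"),
        state=STATES.get(state, f"unknown({state})"),
        priority=prio,
        group=group,
        auth=auth.rstrip(b"\x00").decode("ascii", "replace"),
        virtual_ip=".".join(str(b) for b in vip),
    )


def build_hsrp(opcode: int, state: int, priority: int, group: int,
               auth: bytes, virtual_ip: str) -> bytes:
    """Build an HSRPv1 payload (used here only to construct sample data)."""
    vip = bytes(int(o) for o in virtual_ip.split("."))
    return struct.pack(HSRP_FMT, 0, opcode, state, 3, 10, priority, group, 0,
                       auth.ljust(8, b"\x00")[:8], vip)


# Constructed sample traffic: (source IP, UDP payload). Addresses are made up.
SAMPLE_FRAMES = [
    ("10.0.0.2", build_hsrp(0, 16, 100, 1, b"cisco", "10.0.0.1")),   # real active router
    ("10.0.0.3", build_hsrp(0, 8, 90, 1, b"cisco", "10.0.0.1")),     # real standby router
    ("10.0.0.77", build_hsrp(1, 16, 255, 1, b"cisco", "10.0.0.1")),  # rogue host reusing the sniffed string
]

# Assumed inventory: group -> {router IP: configured priority}
LEGIT_ROUTERS = {1: {"10.0.0.2": 100, "10.0.0.3": 90}}


def find_hijack_attempts(packets, legit_routers):
    """Return (source, reason) for HSRP packets from hosts that are not
    configured routers for that group; note when they outbid the real ones."""
    findings = []
    for pkt in packets:
        routers = legit_routers.get(pkt.group, {})
        if pkt.src_ip in routers:
            continue
        reasons = [f"HSRP {pkt.opcode} from unknown source {pkt.src_ip} for group {pkt.group}"]
        if pkt.priority > max(routers.values(), default=-1):
            reasons.append(f"priority {pkt.priority} outbids the configured routers")
        if pkt.opcode == "coup":
            reasons.append("coup opcode: explicit bid for the active role")
        findings.append((pkt.src_ip, "; ".join(reasons)))
    return findings


def analyze(frames=SAMPLE_FRAMES, legit_routers=LEGIT_ROUTERS):
    packets = [parse_hsrp(src, payload) for src, payload in frames]
    return packets, find_hijack_attempts(packets, legit_routers)


if __name__ == "__main__":
    packets, findings = analyze()
    for p in packets:
        print(f"{p.src_ip:>10} {p.opcode:6} {p.state:8} prio={p.priority:3} "
              f"auth={p.auth!r} vip={p.virtual_ip}")
    for src, why in findings:
        print("ALERT", src, why)
```

This only detects the bid for the active role after the fact; the access list Priscilla mentions (limiting who may source HSRP on the segment) is what actually prevents it, and the decoder makes the reason obvious: the "authentication" field is the same bytes for everyone who can read the wire.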

