Newell Ryan D SrA 18 CS/SCBT wrote:
> 
> Reading the CDP vulnerability link, I cannot determine how a hacker can
> trigger the attack. Reading the email trail it seems that you are worried
> about the info displayed in the frame.

That's not why most security "experts" say to disable CDP, from what I
understand. Their concern is a hacker who has gotten into a perimeter router
can then gather info about the rest of the internetwork to make it easier to
do his job. Maybe at this point he's just doing a little reconnaissance. He
could get in, grab some info, and get back out for now. Then he could go
away for a while, plotting evil. When he comes back he will be more potent
because of the data he gathered. It's a weak argument for sure, but I think
that's what they say.

> If that is what your company is trying to avoid, here is an idea. Why not
> disable it on a per-port basis. That is a lot of work but everyone gets
> what they want. On the links between network devices enable it and on the
> links to hosts disable it.

That's a good idea. I think the "experts" say this too.

> That way a hacker just can't 'plug in' and get the info. I know Cisco has
> the 'set port host' macro command for CatOS that disables a lot of stuff.
> I wish that it encompassed disabling CDP.

It doesn't disable CDP? It certainly should! :-)

Priscilla


> 
> D
> 
> -----Original Message-----
> From: Pistone, Mike [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 14, 2003 3:54 AM
> To: [EMAIL PROTECTED]
> Subject: RE: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65347]
> 
> 
> The NSA has an un-classified Securing Cisco Networks document that I found
> last year.  I think it is linked off of www.nsa.gov somewhere.   It is an
> excellent document dealing with all aspects of securing your network,
> including CDP I believe.
> 
> From what I remember, it was developed for their use, but they decided to
> release it to increase the security of the country's infrastructure.
> 
> I just looked up the link -- it's at
> http://www.nsa.gov/snac/index.html
> 
> 
> Mike
> 
> 
> _______________________________
> Mike Pistone
> NASA - Russian Services Group
> Marshall Space Flight Center
> Huntsville, AL 35806
> Ph: (256) 544-2915
> Em: [EMAIL PROTECTED]
> 
> 
> 
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 13, 2003 12:17 AM
> To: [EMAIL PROTECTED]
> Subject: RE: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65251]
> 
> 
> chris kane wrote:
> > 
> > It recently came to my attention that my company may plan to disable
> > all CDP in our network. The current vibe is that they see it as a
> > security risk. My intent is to research this and provide a paper arguing
> > for the use of CDP. The purpose for my post is to see if my opinions of
> > the benefits of CDP are realistic (sanity check) and to see how others
> > view CDP, weighing its usefulness vs. any possible risk.
> > 
> > I have already begun researching any security releases on CCO in regards
> > to CDP. Initial scan shows a 'vulnerability' notice that Cisco most
> > recently updated on Feb 12, 2003. This information can be found at this
> > link:
> > http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_tech_note09186a0080093ef0.shtml
> > 
> > Looking at CDP from a troubleshooting tool perspective, I am all for it.
> > I've personally been saved unknown hours tracing down a problem because
> > CDP allowed me to bounce around the network quickly. Our network is not
> > small. And as most people would agree, documentation is never what we all
> > would like it to be. Therefore, I find that CDP's ability to display the
> > network below Layer 3 is appreciated.
> 
> So will a hacker appreciate CDP's ability to display information about the
> internetwork.
> 
> I think that's the reasoning behind the security experts saying to turn it
> off. That is indeed the current vibe.
> 
> I took a Cisco security class at the Usenix Security Symposium in August
> 2002. The instructor said to turn it off.
> 
> Have you looked at the documents at the Center for Internet Security? They
> have benchmarks for Cisco security. They have 2 levels. Even with the less
> severe level, they say to turn off CDP.
> 
> The Center for Internet Security tries to develop consensus on security
> measures. Their partners include The SANS Institute, the DoD Computer
> Emergency Response Team, NASA, National Institute of Standards and
> Technology, etc.
> 
> Their Web site is here:
> 
> http://www.cisecurity.org/
> 
> On the other hand, I think you could certainly make a good case for not
> disabling CDP. Being able to troubleshoot efficiently is just as important
> as security when considering network availability. A network that's broken
> due to typical network problems is experiencing a denial of service just as
> bad as if a hacker had broken in. Good troubleshooting tools mean a more
> available network, there's no question.
> 
> I hope others answer too. I know that all the security people say to turn
> it off and most people who actually work in the trenches say, "Hunh?"
> 
> Priscilla
>  
>  
> > 
> > Also from a tool perspective, I know CiscoWorks has tools to offer that
> > utilize CDP. And I've seen software from other companies that does as
> > well. Think Layer 2 traceroute capability.
> > 
> > Looking at CDP from a multi-vendor platform perspective, I realize that
> > it's often beneficial to turn off CDP on interfaces that connect to
> > non-Cisco devices. No point in bothering a non-Cisco device with traffic
> > that it can't process. But note, this is not turning off CDP globally per
> > router/switch, but rather, disabling on an as-needed basis per interface.
> > 
> > I'd like to hear other views and I'd appreciate feedback and opinions
> > about this.
> > 
> > Thanks,
> > -chris
> 
> 
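The per-port compromise discussed in this thread (keep CDP on links between network devices, turn it off toward hosts) can be checked rather than eyeballed. The script below is an added example, not code from anyone in the thread: it audits a Cisco IOS running-config and emits the per-interface `no cdp enable` lines for host-facing ports. It assumes that `switchport mode access` marks a host-facing port; the sample config is constructed.

```python
"""Audit a Cisco IOS running-config for CDP left on host-facing ports.
Added example, not from the thread. Assumption: host-facing ports are those
with 'switchport mode access'; trunk ports (links between network devices)
keep CDP. The sample config below is constructed."""
import re

SAMPLE_CONFIG = """\
cdp run
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description user PC
 switchport mode access
!
interface GigabitEthernet0/3
 description printer
 switchport mode access
 no cdp enable
!
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} per stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def cdp_exposed_access_ports(config):
    """Access ports that still advertise CDP (no 'no cdp enable')."""
    return [name for name, lines in parse_interfaces(config).items()
            if "switchport mode access" in lines and "no cdp enable" not in lines]

def remediation(config):
    """Per-port fix: leave 'cdp run' global, turn CDP off on host ports only."""
    lines = []
    for name in cdp_exposed_access_ports(config):
        lines += [f"interface {name}", " no cdp enable"]
    return lines
```

Run `remediation()` over the output of `show running-config` to get the interface-mode lines to paste back in; the trunk uplink is left untouched so CDP-based troubleshooting between switches keeps working.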




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65387&t=65379