Reading the CDP vulnerability link, I cannot determine how a hacker can trigger the attack. Reading the email trail, it seems that you are worried about the info displayed in the frame. If that is what your company is trying to avoid, here is an idea. Why not disable it on a per-port basis? That is a lot of work, but everyone gets what they want. On the links between network devices enable it, and on the links to hosts disable it. That way a hacker just can't 'plug in' and get the info. I know Cisco has the 'set port host' macro command for CatOS that disables a lot of stuff. I wish that it encompassed disabling CDP.

D

-----Original Message-----
From: Pistone, Mike [mailto:[EMAIL PROTECTED]
Sent: Friday, March 14, 2003 3:54 AM
To: [EMAIL PROTECTED]
Subject: RE: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65347]

The NSA has an unclassified Securing Cisco Networks document that I found last year. I think it is linked off of www.nsa.gov somewhere. It is an excellent document dealing with all aspects of securing your network, including CDP I believe. From what I remember, it was developed for their use, but they decided to release it to increase the security of the country's infrastructure.

I just looked up the link -- it's at http://www.nsa.gov/snac/index.html

Mike
_______________________________
Mike Pistone
NASA - Russian Services Group
Marshall Space Flight Center
Huntsville, AL 35806
Ph: (256) 544-2915
Em: [EMAIL PROTECTED]

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 12:17 AM
To: [EMAIL PROTECTED]
Subject: RE: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65251]

chris kane wrote:

> It recently came to my attention that my company may plan to disable all CDP in our network. The current vibe is that they see it as a security risk. My intent is to research this and provide a paper arguing for the use of CDP. The purpose for my post is to see if my opinions of the benefits of CDP are realistic (sanity check) and to see how others view CDP, weighing its usefulness vs. any possible risk.
>
> I have already begun researching any security releases on CCO in regards to CDP. Initial scan shows a 'vulnerability' notice that Cisco most recently updated on Feb 12, 2003. This information can be found at this link:
> http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_tech_note09186a0080093ef0.shtml
>
> Looking at CDP from a troubleshooting tool perspective, I am all for it. I've personally been saved unknown hours tracing down a problem because CDP allowed me to bounce around the network quickly. Our network is not small. And as most people would agree, documentation is never what we all would like it to be. Therefore, I find that CDP's ability to display the network below Layer 3 is appreciated.

So will a hacker appreciate CDP's ability to display information about the internetwork. I think that's the reasoning behind the security experts saying to turn it off. That is indeed the current vibe. I took a Cisco security class at the Usenix Security Symposium in August 2002. The instructor said to turn it off.

Have you looked at the documents at the Center for Internet Security? They have benchmarks for Cisco security. They have 2 levels. Even with the less severe level, they say to turn off CDP. The Center for Internet Security tries to develop consensus on security measures. Their partners include The SANS Institute, the DoD Computer Emergency Response Team, NASA, National Institute of Standards and Technology, etc. Their Web site is here: http://www.cisecurity.org/

On the other hand, I think you could certainly make a good case for not disabling CDP. Being able to troubleshoot efficiently is just as important as security when considering network availability. A network that's broken due to typical network problems is experiencing a denial of service just as bad as if a hacker had broken in. Good troubleshooting tools mean a more available network, there's no question.

I hope others answer too. I know that all the security people say to turn it off and most people who actually work in the trenches say, "Hunh?"

Priscilla

> Also from a tool perspective, I know CiscoWorks has tools to offer that utilize CDP. And I've seen software from other companies that does as well. Think Layer 2 traceroute capability.
>
> Looking at CDP from a multi-vendor platform perspective, I realize that it's often beneficial to turn off CDP on interfaces that connect to non-Cisco devices. No point in bothering a non-Cisco device with traffic that it can't process. But note, this is not turning off CDP globally per router/switch, but rather, disabling on an as-needed basis per interface.
>
> I'd like to hear other views and I'd appreciate feedback and opinions about this.
>
> Thanks,
> -chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65379&t=65379
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
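The per-port approach suggested at the top of this thread (CDP on between network devices, off toward hosts), as an added example that is not from any of the posters: a small Python audit that parses an IOS-style running config, assumes `switchport mode access` marks a host-facing port and `switchport mode trunk` a device-to-device link, flags access ports that still have CDP enabled, and emits the `no cdp enable` lines that would fix them. The config excerpt is constructed for the example.

```python
# Constructed IOS-style running-config excerpt (not from the thread): the
# trunk uplink keeps CDP, host ports get "no cdp enable", and
# FastEthernet0/2 is deliberately missing it so the audit has something to find.
SAMPLE_CONFIG = """\
cdp run
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 no cdp enable
!
interface FastEthernet0/2
 switchport mode access
!
"""

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def cdp_audit(config):
    """Return host-facing ports where CDP is still enabled.
    Assumption: 'switchport mode access' marks a host-facing port; trunks are
    device-to-device links where CDP stays on, as the first message proposes.
    A global 'no cdp run' means nothing is advertised, so nothing is flagged."""
    if "no cdp run" in config.splitlines():
        return []
    return [name for name, cmds in parse_interfaces(config).items()
            if "switchport mode access" in cmds and "no cdp enable" not in cmds]

def remediation(config):
    """IOS lines that bring the flagged ports into the per-port policy."""
    lines = []
    for name in cdp_audit(config):
        lines += [f"interface {name}", " no cdp enable"]
    return lines

if __name__ == "__main__":
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Run it against the output of `show running-config` saved to a file to get a list of host ports that still advertise CDP; on a CatOS switch the equivalent per-port command is `set cdp disable mod/port`.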