Chuck,
There is a brief article which addresses those L2 vulnerabilities
you mention in the most recent publication of "Packet Magazine"

Nigel

----- Original Message -----
From: "The Long and Winding Road" 
To: 
Sent: Thursday, March 13, 2003 2:50 AM
Subject: Re: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65279]


> "Priscilla Oppenheimer"  wrote in message
> news:[EMAIL PROTECTED]
> > chris kane wrote:
> > >
> > > It recently came to my attention that my company may plan to disable all
> > > CDP in our network. The current vibe is that they see it as a security
> > > risk. My intent is to research this and provide a paper arguing for the
> > > use of CDP. The purpose for my post is to see if my opinions of the
> > > benefits of CDP are realistic (sanity check) and to see how others view
> > > CDP, weighing its usefulness vs. any possible risk.
> > >
> > > I have already begun researching any security releases on CCO in regards
> > > to CDP. Initial scan shows a 'vulnerability' notice that Cisco most
> > > recently updated on Feb 12, 2003. This information can be found at this
> > > link:
> > >
> > > http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_tech_note09186a0080093ef0.shtml
> > >
> > > Looking at CDP from a troubleshooting tool perspective, I am all for it.
> > > I've personally been saved unknown hours tracing down a problem because
> > > CDP allowed me to bounce around the network quickly. Our network is not
> > > small. And as most people would agree, documentation is never what we all
> > > would like it to be. Therefore, I find that CDP's ability to display the
> > > network below Layer 3 is appreciated.
> >
> > So will a hacker appreciate CDP's ability to display information about
> > the internetwork.
> >
> > I think that's the reasoning behind the security experts saying to turn
> > it off. That is indeed the current vibe.
> >
> > I took a Cisco security class at the Usenix Security Symposium in August
> > 2002. The instructor said to turn it off.
> >
> > Have you looked at the documents at the Center for Internet Security?
> > They have benchmarks for Cisco security. They have 2 levels. Even with
> > the less severe level, they say to turn off CDP.
> >
> > The Center for Internet Security tries to develop consensus on security
> > measures. Their partners include The SANS Institute, the DoD Computer
> > Emergency Response Team, NASA, National Institute of Standards and
> > Technology, etc.
> >
> > Their Web site is here:
> >
> > http://www.cisecurity.org/
> >
> > On the other hand, I think you could certainly make a good case for not
> > disabling CDP. Being able to troubleshoot efficiently is just as
> > important as security when considering network availability. A network
> > that's broken due to typical network problems is experiencing a denial of
> > service just as bad as if a hacker had broken in. Good troubleshooting
> > tools mean a more available network, there's no question.
> >
> > I hope others answer too. I know that all the security people say to
> > turn it off and most people who actually work in the trenches say,
> > "Hunh?"
>
>
> Can't find the link off hand, but recently I read something on the Cisco
> web site about L2 vulnerabilities - mac flooding or something.
>
> In any case, what it comes down to is that the possibility exists that
> someone of evil intent could sniff a network and discover something useful
> that could be used to cause problems later.
>
> Why have OSPF authentication on internal links? Why have CHAP
> authentication on dial up links? After all, who's out there tapping your
> telephones?
>
> What do you want - convenience or security? Cuz maybe you can't have both.
>
> Kinda like at the airport. Maybe you feel safer because they're searching
> people like me, who really do look like criminals, but do you feel safer
> if they're searching 80 year old ladies and 5 year old children? Could
> either one of those types pose a security risk? Interesting tradeoff,
> isn't it, particularly given certain incidents in a particular country of
> late.
>
>
>
> >
> > Priscilla
> >
> >
> > >
> > > Also from a tool perspective, I know CiscoWorks has tools to offer that
> > > utilize CDP. And I've seen software from other companies that does as
> > > well. Think Layer 2 traceroute capability.
> > >
> > > Looking at CDP from a multi-vendor platform perspective, I realize that
> > > it's often beneficial to turn off CDP on interfaces that connect to
> > > non-Cisco devices. No point in bothering a non-Cisco device with traffic
> > > that it can't process. But note, this is not turning off CDP globally
> > > per router/switch, but rather, disabling on an as-needed basis per
> > > interface.
> > >
> > > I'd like to hear other views and I'd appreciate feedback and opinions
> > > about this.
> > >
> > > Thanks,
> > > -chris




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65376&t=65376
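The distinction chris draws between switching CDP off globally and disabling it only on the interfaces that face non-Cisco or untrusted neighbours is exactly the thing a config review has to get right: a global `no cdp run` overrides every interface, while with CDP running globally an interface only stays quiet if it carries `no cdp enable`. The following is an added example, not code from anyone in this thread or from Cisco, that walks an IOS-style running config and reports which interfaces will actually transmit CDP and which of those have a description suggesting the far end is not one of your own Cisco boxes. The sample config, interface names, descriptions and the keyword list are all constructed for the example.

```python
"""Per-interface CDP audit for an IOS-style running config.

Added example for this thread, not code from any of the posters or from
Cisco. The config text is constructed for illustration; interface names
and descriptions are invented.
"""
import re

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname core-sw1
!
cdp run
!
interface GigabitEthernet0/1
 description uplink to dist-sw1 (Cisco)
!
interface GigabitEthernet0/2
 description to partner firewall (non-Cisco)
 no cdp enable
!
interface GigabitEthernet0/3
 description user access port
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")

# Description keywords that suggest the far end is not one of our own
# Cisco boxes. A heuristic chosen for this example, not an IOS feature.
UNTRUSTED_HINTS = ("non-cisco", "partner", "user", "untrusted", "internet")


def parse_cdp_state(config_text):
    """Return (cdp_global, interfaces) where interfaces maps name ->
    {"cdp": bool, "description": str}.

    IOS semantics assumed: `no cdp run` turns CDP off for the whole device
    regardless of interface settings; with CDP running globally, every
    interface sends CDP unless it carries `no cdp enable`.
    """
    cdp_global = True
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level line: ends any interface block we were in.
            current = None
            m = INTERFACE_RE.match(line)
            if m:
                current = m.group(1)
                interfaces[current] = {"cdp": True, "description": ""}
            elif line.strip() == "no cdp run":
                cdp_global = False
            elif line.strip() == "cdp run":
                cdp_global = True
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "no cdp enable":
            interfaces[current]["cdp"] = False
        elif stripped.startswith("description "):
            interfaces[current]["description"] = stripped[len("description "):]
    return cdp_global, interfaces


def effective_cdp(config_text):
    """Map each interface to whether it will actually transmit CDP."""
    cdp_global, interfaces = parse_cdp_state(config_text)
    return {name: cdp_global and info["cdp"] for name, info in interfaces.items()}


def cdp_findings(config_text, hints=UNTRUSTED_HINTS):
    """Interfaces still sending CDP whose description hints at a non-Cisco
    or untrusted neighbour: the ports to disable per-interface rather than
    turning CDP off for the whole switch."""
    cdp_global, interfaces = parse_cdp_state(config_text)
    flagged = []
    for name, info in interfaces.items():
        sending = cdp_global and info["cdp"]
        desc = info["description"].lower()
        if sending and any(h in desc for h in hints):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, sending in effective_cdp(SAMPLE_CONFIG).items():
        print(f"{name:22s} cdp={'on' if sending else 'off'}")
    print("review:", cdp_findings(SAMPLE_CONFIG))
```

Run against the sample, GigabitEthernet0/2 is reported off because of its `no cdp enable`, GigabitEthernet0/3 is flagged for review because it still sends CDP toward a user port, and the Cisco uplink is left alone. Swapping the global `cdp run` for `no cdp run` turns every interface off, which is the trade-off the thread argues about: the troubleshooting value disappears everywhere, not just on the ports that needed quieting.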