Chuck,

There is a brief article which addresses those L2 vulnerabilities you mention in the most recent publication of "Packet Magazine".

Nigel

----- Original Message -----
From: "The Long and Winding Road"
To:
Sent: Thursday, March 13, 2003 2:50 AM
Subject: Re: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65279]

> ""Priscilla Oppenheimer"" wrote in message
> news:[EMAIL PROTECTED]
> > chris kane wrote:
> > >
> > > It recently came to my attention that my company may plan to disable all CDP in our network. The current vibe is that they see it as a security risk. My intent is to research this and provide a paper arguing for the use of CDP. The purpose for my post is to see if my opinions of the benefits of CDP are realistic (sanity check) and to see how others view CDP, weighing its usefulness vs. any possible risk.
> > >
> > > I have already begun researching any security releases on CCO in regards to CDP. Initial scan shows a 'vulnerability' notice that Cisco most recently updated on Feb 12, 2003. This information can be found at this link:
> > >
> > > http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_tech_note09186a0080093ef0.shtml
> > >
> > > Looking at CDP from a troubleshooting tool perspective, I am all for it. I've personally been saved unknown hours tracing down a problem because CDP allowed me to bounce around the network quickly. Our network is not small. And as most people would agree, documentation is never what we all would like it to be. Therefore, I find that CDP's ability to display the network below Layer 3 is appreciated.
> >
> > So will a hacker appreciate CDP's ability to display information about the internetwork.
> >
> > I think that's the reasoning behind the security experts saying to turn it off. That is indeed the current vibe.
> >
> > I took a Cisco security class at the Usenix Security Symposium in August 2002. The instructor said to turn it off.
> >
> > Have you looked at the documents at the Center for Internet Security? They have benchmarks for Cisco security. They have 2 levels. Even with the less severe level, they say to turn off CDP.
> >
> > The Center for Internet Security tries to develop consensus on security measures. Their partners include The SANS Institute, the DoD Computer Emergency Response Team, NASA, National Institute of Standards and Technology, etc.
> >
> > Their Web site is here:
> >
> > http://www.cisecurity.org/
> >
> > On the other hand, I think you could certainly make a good case for not disabling CDP. Being able to troubleshoot efficiently is just as important as security when considering network availability. A network that's broken and due to typical network problems is experiencing a denial of service just as bad as if a hacker had broken in. Good troubleshooting tools mean a more available network, there's no question.
> >
> > I hope others answer too. I know that all the security people say to turn it off and most people who actually work in the trenches say, "Hunh?"
>
> Can't find the link off hand, but recently I read something on the Cisco web site about L2 vulnerabilities - mac flooding or something.
>
> In any case, what it comes down to is that the possibility exists that someone of evil intent could sniff a network and discover something useful that could be used to cause problems later.
>
> Why have OSPF authentication on internal links? Why have CHAP authentication on dial-up lines? After all, who's out there tapping your telephones?
>
> What do you want - convenience or security? Cuz maybe you can't have both.
>
> Kinda like at the airport. Maybe you feel safer because they're searching people like me, who really do look like criminals, but do you feel safer if they're searching 80 year old ladies and 5 year old children? Could either one of those types pose a security risk? Interesting tradeoff, isn't it, particularly given certain incidents in a particular country of late.
>
> > Priscilla
> >
> > > Also from a tool perspective, I know CiscoWorks has tools to offer that utilize CDP. And I've seen software from other companies that does as well. Think Layer 2 traceroute capability.
> > >
> > > Looking at CDP from a multi-vendor platform perspective, I realize that it's often beneficial to turn off CDP on interfaces that connect to non-Cisco devices. No point in bothering a non-Cisco device with traffic that it can't process. But note, this is not turning off CDP globally per router/switch, but rather, disabling on an as-needed basis per interface.
> > >
> > > I'd like to hear other views and I'd appreciate feedback and opinions about this.
> > >
> > > Thanks,
> > > -chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65376&t=65376
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
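As an added illustration of the per-interface versus global distinction chris draws (constructed example code, not from the thread or from Cisco), a small audit script that reads an IOS-style running-config and reports which interfaces still advertise CDP: CDP runs unless the global `no cdp run` is present, and an interface can opt out with `no cdp enable`. The config fragment below is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed IOS-style running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
hostname dist-sw1
!
interface GigabitEthernet0/1
 description uplink to core-rtr1 (Cisco)
 no shutdown
!
interface GigabitEthernet0/2
 description link to vendor firewall (non-Cisco)
 no cdp enable
!
interface GigabitEthernet0/3
 description user access port
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [lines under that interface stanza]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return stanzas

def cdp_state(config: str) -> Dict[str, bool]:
    """Map each interface to whether CDP is active on it.

    CDP runs globally unless 'no cdp run' is present; an interface inherits
    the global state unless it carries 'no cdp enable'.
    """
    global_on = not re.search(r"^no cdp run\s*$", config, re.MULTILINE)
    return {name: global_on and "no cdp enable" not in lines
            for name, lines in parse_interfaces(config).items()}

def cdp_enabled_interfaces(config: str) -> List[str]:
    """Interfaces that still send CDP, i.e. candidates for review."""
    return sorted(name for name, on in cdp_state(config).items() if on)

if __name__ == "__main__":
    print("CDP still enabled on:", cdp_enabled_interfaces(SAMPLE_CONFIG))
```

Run against a real `show running-config` dump, the list is the set of ports to compare against the device's neighbour inventory before deciding whether to disable CDP globally or only on the edge.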