Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: 3rd party vuln assesment firms

from [Roland Dobbins] Network Security [Permanent Link]
Subject: Re: 3rd party vuln assesment firms
Date: Tue, 27 Dec 2005 22:05:04 -0800

From an operational security perspective, I'd strongly suggest reconsidering a blanket disablement of CDP.

You're absolutely correct, one should disable CDP at the peering edge, customer edge, IDC edge, and access edge - any untrusted edge, which really means *any* edge. But up through distribution/ aggregation and core, one can actually end up having a negative impact on the security of one's network by disabling CDP in those non- edge portions of the topology; when one's in the middle of a big incident and jumping hop-by-hop and needs to be able to readily see what one's neighbor devices are, it's invaluable and saves lots of time when working to resolve the issue at hand.

If a network operator finds himself in a situation in which he's disabled CDP on all his edges, he's left it enabled deeper in the toplogy and an attacker is *still* in a position to be able to see it anyways (i.e., can log into the distribution/aggregation/core network infrastructure and/or sniff traffic from those links), he in all probability has bigger problems than worrying about CDP, and losing the visibility it affords in non-edge portions of the network doesn't contribute the the overall security posture of the network infrastructure; quite the opposite.


On Dec 27, 2005, at 1:26 PM, raven@oneeyedcrow.net wrote:

 recommending that you disable CDP
when it's not in diagnostic use


----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

     Everything has been said.  But nobody listens.

                   -- Roger Shattuck


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: R: Layer 2 Trace, James
Next by Date:  RE: 3rd party vuln assesment firms, Erin Carroll
Previous by Thread:  Re: 3rd party vuln assesment firms, raven
Next by Thread:  RE: 3rd party vuln assesment firms, Chris Serafin
Indexes:  [Date] [Thread] [Top] [All Lists]