Disabling CDP is a WONDERFUL idea, but unfortunately the use of Cisco IP
phones needs this service enabled
Chris Serafin
IT Security / Voice Engineer
chris@chrisserafin.com
-----Original Message-----
From: Roland Dobbins [mailto:rdobbins@cisco.com]
Sent: Wednesday, December 28, 2005 12:05 AM
To: pen-test@securityfocus.com
Subject: Re: 3rd party vuln assesment firms
From an operational security perspective, I'd strongly suggest
reconsidering a blanket disablement of CDP.
You're absolutely correct, one should disable CDP at the peering
edge, customer edge, IDC edge, and access edge - any untrusted edge,
which really means *any* edge. But up through distribution/
aggregation and core, one can actually end up having a negative
impact on the security of one's network by disabling CDP in those non-
edge portions of the topology; when one's in the middle of a big
incident and jumping hop-by-hop and needs to be able to readily see
what one's neighbor devices are, it's invaluable and saves lots of
time when working to resolve the issue at hand.
If a network operator finds himself in a situation in which he's
disabled CDP on all his edges, he's left it enabled deeper in the
toplogy and an attacker is *still* in a position to be able to see it
anyways (i.e., can log into the distribution/aggregation/core network
infrastructure and/or sniff traffic from those links), he in all
probability has bigger problems than worrying about CDP, and losing
the visibility it affords in non-edge portions of the network doesn't
contribute the the overall security posture of the network
infrastructure; quite the opposite.
On Dec 27, 2005, at 1:26 PM, raven@oneeyedcrow.net wrote:
recommending that you disable CDP
when it's not in diagnostic use
----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
Everything has been said. But nobody listens.
-- Roger Shattuck
----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers
do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
