Penetration Testing mailing list archives
Re: 3rd party vuln assesment firms
From: Roland Dobbins <rdobbins () cisco com>
Date: Tue, 27 Dec 2005 22:05:04 -0800
From an operational security perspective, I'd strongly suggest reconsidering a blanket disablement of CDP.
You're absolutely correct, one should disable CDP at the peering edge, customer edge, IDC edge, and access edge - any untrusted edge, which really means *any* edge. But up through distribution/aggregation and core, one can actually end up having a negative impact on the security of one's network by disabling CDP in those non-edge portions of the topology; when one's in the middle of a big incident and jumping hop-by-hop and needs to be able to readily see what one's neighbor devices are, it's invaluable and saves lots of time when working to resolve the issue at hand.
If a network operator finds himself in a situation in which he's disabled CDP on all his edges, he's left it enabled deeper in the topology, and an attacker is *still* in a position to be able to see it anyways (i.e., can log into the distribution/aggregation/core network infrastructure and/or sniff traffic from those links), he in all probability has bigger problems than worrying about CDP, and losing the visibility it affords in non-edge portions of the network doesn't contribute to the overall security posture of the network infrastructure; quite the opposite.
On Dec 27, 2005, at 1:26 PM, raven () oneeyedcrow net wrote:
> recommending that you disable CDP when it's not in diagnostic use
----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice
Everything has been said. But nobody listens. -- Roger Shattuck
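The placement rule argued for in the post above (CDP off on untrusted edge interfaces with a per-interface `no cdp enable`, left running on distribution/aggregation/core links, and no blanket global `no cdp run`) can be checked mechanically against a running-config. The following audit script is an added example, not code from the original post or from Cisco. It assumes a local convention in which the first word of each interface description is a role tag (CORE, PEERING, CUSTOMER, IDC, ACCESS); that convention and the sample config are constructed for the example. It also assumes the usual IOS default that CDP runs globally unless `no cdp run` is present.

```python
"""Audit a Cisco IOS-style running-config for CDP placement.

Policy checked: CDP must be off on untrusted edge interfaces (per-interface
'no cdp enable') and left on for non-edge links; a global 'no cdp run' is
flagged because it also blinds the core/distribution links.

Assumed convention (not an IOS feature): the first word of an interface
description names its role. Sample config below is constructed for this
example and is not from the original post.
"""

# Constructed sample running-config.
SAMPLE_CONFIG = """\
hostname dist1
!
interface GigabitEthernet0/0
 description CORE uplink to core1
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 description CORE link to dist2
 ip address 10.0.0.5 255.255.255.252
 no cdp enable
!
interface GigabitEthernet0/2
 description PEERING to AS64500
 ip address 192.0.2.1 255.255.255.252
 no cdp enable
!
interface GigabitEthernet0/3
 description CUSTOMER acme
 ip address 198.51.100.1 255.255.255.252
!
interface GigabitEthernet0/4
 description ACCESS user vlan
 no cdp enable
!
"""

# Role tags treated as untrusted edges, per the post's list of edges.
UNTRUSTED_ROLES = {"PEERING", "CUSTOMER", "IDC", "ACCESS"}


def cdp_running_globally(config):
    """True unless an unindented 'no cdp run' appears (IOS default: running)."""
    return not any(line.rstrip() == "no cdp run" for line in config.splitlines())


def parse_interfaces(config):
    """Return {interface_name: {"role": str, "cdp": bool}} from interface blocks.

    Lines belonging to an interface block are indented by one space in IOS
    output; an unindented line (or '!') ends the block.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"role": "UNKNOWN", "cdp": True}
        elif line.startswith(" ") and current is not None:
            stripped = line.strip()
            parts = stripped.split()
            if parts and parts[0] == "description" and len(parts) > 1:
                interfaces[current]["role"] = parts[1].upper()
            elif stripped == "no cdp enable":
                interfaces[current]["cdp"] = False
        else:
            current = None
    return interfaces


def audit_cdp(config):
    """Return a list of (where, severity, message) findings for the policy."""
    findings = []
    if not cdp_running_globally(config):
        # Per-interface settings are moot when CDP is off globally, so stop here.
        findings.append(("global", "WARN",
                         "'no cdp run' disables CDP on every interface, core links "
                         "included; prefer per-interface 'no cdp enable' on untrusted edges"))
        return findings
    for name, props in parse_interfaces(config).items():
        untrusted = props["role"] in UNTRUSTED_ROLES
        if untrusted and props["cdp"]:
            findings.append((name, "FAIL",
                             f"{props['role']} edge still has CDP enabled; add 'no cdp enable'"))
        elif not untrusted and not props["cdp"]:
            findings.append((name, "WARN",
                             f"{props['role']} non-edge link has CDP disabled; "
                             "neighbor visibility is lost for hop-by-hop troubleshooting"))
    return findings


if __name__ == "__main__":
    for where, severity, message in audit_cdp(SAMPLE_CONFIG):
        print(f"{severity:4} {where}: {message}")
```

Against the sample config the script reports one FAIL (GigabitEthernet0/3, a customer edge with CDP still on) and one WARN (GigabitEthernet0/1, a core link where CDP was switched off). Interfaces with no recognisable role tag are treated as non-edge, so an unlabelled edge port would pass silently; tighten `UNTRUSTED_ROLES` or treat UNKNOWN as untrusted if your description convention is not enforced.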
Current thread:
- 3rd party vuln assesment firms rklemaster (Dec 23)
- Re: 3rd party vuln assesment firms Erin Carroll (Dec 23)
- Re: 3rd party vuln assesment firms Ivan Arce (Dec 23)
- Re: 3rd party vuln assesment firms neal wise (Dec 24)
- Re: 3rd party vuln assesment firms raven (Dec 27)
- Re: 3rd party vuln assesment firms Roland Dobbins (Dec 27)
- RE: 3rd party vuln assesment firms Chris Serafin (Dec 28)
- Re: 3rd party vuln assesment firms Ivan Arce (Dec 23)
- Re: 3rd party vuln assesment firms Erin Carroll (Dec 23)
- Re: 3rd party vuln assesment firms Byron Sonne (Dec 23)
- <Possible follow-ups>
- RE: 3rd party vuln assesment firms Wray, Donald W (Dec 26)
- Re: 3rd party vuln assesment firms Michael Weber (Dec 27)
- Re: 3rd party vuln assesment firms InfoSecBOFH (Dec 27)
- RE: 3rd party vuln assesment firms Erin Carroll (Dec 27)
- RE: 3rd party vuln assesment firms Nathan (Dec 28)
- Re: 3rd party vuln assesment firms InfoSecBOFH (Dec 27)
- RE: 3rd party vuln assesment firms Erin Carroll (Dec 27)