Re: 3rd party vuln assesment firms

From: Roland Dobbins (rdobbins@cisco.com)
Date: Wed Dec 28 2005 - 01:05:04 EST

• Next message: Keith: "Microsoft products at wholesale!"
• Previous message: James: "Re: R: Layer 2 Trace"
• In reply to: raven@oneeyedcrow.net: "Re: 3rd party vuln assesment firms"
• Next in thread: Chris Serafin: "RE: 3rd party vuln assesment firms"
• Reply: Chris Serafin: "RE: 3rd party vuln assesment firms"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

 From an operational security perspective, I'd strongly suggest
reconsidering a blanket disablement of CDP.

You're absolutely correct, one should disable CDP at the peering
edge, customer edge, IDC edge, and access edge - any untrusted edge,
which really means *any* edge. But up through distribution/
aggregation and core, one can actually end up having a negative
impact on the security of one's network by disabling CDP in those non-
edge portions of the topology; when one's in the middle of a big
incident and jumping hop-by-hop and needs to be able to readily see
what one's neighbor devices are, it's invaluable and saves lots of
time when working to resolve the issue at hand.

If a network operator finds himself in a situation in which he's
disabled CDP on all his edges, he's left it enabled deeper in the
toplogy and an attacker is *still* in a position to be able to see it
anyways (i.e., can log into the distribution/aggregation/core network
infrastructure and/or sniff traffic from those links), he in all
probability has bigger problems than worrying about CDP, and losing
the visibility it affords in non-edge portions of the network doesn't
contribute the the overall security posture of the network
infrastructure; quite the opposite.

On Dec 27, 2005, at 1:26 PM, raven@oneeyedcrow.net wrote:

> recommending that you disable CDP
> when it's not in diagnostic use

----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

      Everything has been said. But nobody listens.

                    -- Roger Shattuck

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Keith: "Microsoft products at wholesale!"
• Previous message: James: "Re: R: Layer 2 Trace"
• In reply to: raven@oneeyedcrow.net: "Re: 3rd party vuln assesment firms"
• Next in thread: Chris Serafin: "RE: 3rd party vuln assesment firms"
• Reply: Chris Serafin: "RE: 3rd party vuln assesment firms"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:18 EDT