Penetration Testing mailing list archives

Re: 3rd party vuln assesment firms

From: Roland Dobbins <rdobbins () cisco com>
Date: Tue, 27 Dec 2005 22:05:04 -0800

From an operational security perspective, I'd strongly suggestreconsidering a blanket disablement of CDP.

You're absolutely correct, one should disable CDP at the peeringedge, customer edge, IDC edge, and access edge - any untrusted edge,which really means *any* edge. But up through distribution/aggregation and core, one can actually end up having a negativeimpact on the security of one's network by disabling CDP in those non-edge portions of the topology; when one's in the middle of a bigincident and jumping hop-by-hop and needs to be able to readily seewhat one's neighbor devices are, it's invaluable and saves lots oftime when working to resolve the issue at hand.

If a network operator finds himself in a situation in which he'sdisabled CDP on all his edges, he's left it enabled deeper in thetoplogy and an attacker is *still* in a position to be able to see itanyways (i.e., can log into the distribution/aggregation/core networkinfrastructure and/or sniff traffic from those links), he in allprobability has bigger problems than worrying about CDP, and losingthe visibility it affords in non-edge portions of the network doesn'tcontribute the the overall security posture of the networkinfrastructure; quite the opposite.



On Dec 27, 2005, at 1:26 PM, raven () oneeyedcrow net wrote:

 recommending that you disable CDP
when it's not in diagnostic use


----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

     Everything has been said.  But nobody listens.

                   -- Roger Shattuck


------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers arefutile against web application hacking. Check your website for vulnerabilitiesto SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at:


http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

3rd party vuln assesment firms rklemaster (Dec 23)
- Re: 3rd party vuln assesment firms Erin Carroll (Dec 23)
  - Re: 3rd party vuln assesment firms Ivan Arce (Dec 23)
    - Re: 3rd party vuln assesment firms neal wise (Dec 24)
  - Re: 3rd party vuln assesment firms raven (Dec 27)
    - Re: 3rd party vuln assesment firms Roland Dobbins (Dec 27)
    - RE: 3rd party vuln assesment firms Chris Serafin (Dec 28)
- Re: 3rd party vuln assesment firms Byron Sonne (Dec 23)
- <Possible follow-ups>
- RE: 3rd party vuln assesment firms Wray, Donald W (Dec 26)
- Re: 3rd party vuln assesment firms Michael Weber (Dec 27)
  - Re: 3rd party vuln assesment firms InfoSecBOFH (Dec 27)
    - RE: 3rd party vuln assesment firms Erin Carroll (Dec 27)
    - RE: 3rd party vuln assesment firms Nathan (Dec 28)
- Re: 3rd party vuln assesment firms rklemaster (Dec 27)
  - RE: 3rd party vuln assesment firms Erin Carroll (Dec 27)
- FW: 3rd party vuln assesment firms Adrian Chiang (Dec 28)

(Thread continues...)