Penetration Testing mailing list archives

RE: 3rd party vuln assessment firms


From: "Chris Serafin" <chris () chrisserafin com>
Date: Wed, 28 Dec 2005 08:31:42 -0600

Disabling CDP is a WONDERFUL idea, but unfortunately the use of Cisco IP
phones needs this service enabled.

Chris Serafin
IT Security / Voice Engineer
chris () chrisserafin com

-----Original Message-----
From: Roland Dobbins [mailto:rdobbins () cisco com] 
Sent: Wednesday, December 28, 2005 12:05 AM
To: pen-test () securityfocus com
Subject: Re: 3rd party vuln assessment firms


From an operational security perspective, I'd strongly suggest
reconsidering a blanket disablement of CDP.

You're absolutely correct: one should disable CDP at the peering
edge, customer edge, IDC edge, and access edge - any untrusted edge,
which really means *any* edge. But up through distribution/aggregation
and core, one can actually end up having a negative impact on the
security of one's network by disabling CDP in those non-edge portions
of the topology; when one's in the middle of a big incident and jumping
hop-by-hop and needs to be able to readily see what one's neighbor
devices are, it's invaluable and saves lots of time when working to
resolve the issue at hand.

If a network operator finds himself in a situation in which he's
disabled CDP on all his edges, he's left it enabled deeper in the
topology and an attacker is *still* in a position to be able to see it
anyways (i.e., can log into the distribution/aggregation/core network
infrastructure and/or sniff traffic from those links), he in all
probability has bigger problems than worrying about CDP, and losing
the visibility it affords in non-edge portions of the network doesn't
contribute to the overall security posture of the network
infrastructure; quite the opposite.


On Dec 27, 2005, at 1:26 PM, raven () oneeyedcrow net wrote:

recommending that you disable CDP
when it's not in diagnostic use

----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

      Everything has been said.  But nobody listens.

                    -- Roger Shattuck
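The split the two messages describe (CDP off at untrusted edges, left on for core/distribution links and for access ports serving Cisco IP phones) can be checked against a running-config. The following Python audit is an added example, not code from either poster; it assumes a constructed IOS-style config fragment in which the first word of each interface description (CORE, EDGE, PHONE) marks the interface's role.

```python
import re

# Constructed IOS-style running-config fragment (not from the thread).
# CDP stays on globally so core links keep neighbour visibility; it is off
# at the edges and on for the phone port. GigabitEthernet0/3 is a deliberate gap.
SAMPLE_CONFIG = """\
cdp run
!
interface GigabitEthernet0/1
 description CORE uplink to dist-1
!
interface GigabitEthernet0/2
 description EDGE peering to ISP
 no cdp enable
!
interface GigabitEthernet0/3
 description EDGE customer handoff
!
interface FastEthernet0/10
 description PHONE access port
!
"""

def cdp_state(config):
    # CDP is off everywhere after a global 'no cdp run'; otherwise it is on
    # unless the interface itself carries 'no cdp enable'.
    global_on = re.search(r"^no cdp run\s*$", config, re.M) is None
    state, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = m.group(1)
            state[cur] = {"role": None, "cdp": global_on}
        elif cur and line.startswith("description "):
            state[cur]["role"] = line.split()[1].upper()  # role tag, e.g. EDGE
        elif cur and line == "no cdp enable":
            state[cur]["cdp"] = False
    return state

def audit_cdp(config):
    """Return (interface, finding) pairs breaking the edge-off/core-on policy."""
    findings = []
    for intf, s in cdp_state(config).items():
        if s["role"] == "EDGE" and s["cdp"]:
            findings.append((intf, "CDP enabled on untrusted edge"))
        elif s["role"] in ("CORE", "PHONE") and not s["cdp"]:
            findings.append((intf, "CDP disabled where it is needed"))
    return findings
```

Running the audit on the sample flags only the customer handoff; replacing the global `cdp run` with `no cdp run` (the blanket disablement the thread argues against) instead flags the core uplink and the phone port.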


----------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
