- A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: OT - CDP: Is it treated as a 'vulnerability' in your world? [7:65260] posted 03/13/2003
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

it the boundaries of the network are well managed, I don't see whats the
problem with CDP. if they are sniffing the packets, they're already on your
physical network and thus will see the ip structure anyway.

the really isn't anything else that is useful that I can think of to a
hacker. might as well also turn off snmp while you're at it.


""chris kane""  wrote in message
> It recently came to my attention that my company may plan to disable all
> in our network. The current vibe is that they see it as a security risk.
> intent is to research this and provide a paper arguing for the use of CDP.
> The purpose for my post is to see if my opinions of the benefits of CDP
> realistic (sanity check) and to see how others view CDP, weighing it's
> usefulness vs. any possible risk.
> I have already begun researching any security releases on CCO in regards
> CDP. Initial scan shows a 'vulnerability' notice that Cisco most recently
> updated on Feb 12, 2003. This information can be found at this link:
> 186a0080093ef0.shtml
> Looking at CDP from a troubleshooting tool perspective, I am all for it.
> I've personally been saved unknown hours tracing down a problem because
> allowed me to bounce around the network quickly. Our network is not small.
> And as most people would agree, documentation is never what we all would
> like it to be. Therefore, I find that CDP's ability to display the network
> below Layer 3 is appreciated.
> Also from a tool perspective, I know CiscoWorks has tools to offer that
> utilize CDP. And I've seen software from other companies that does as
> Think Layer 2 traceroute capability.
> Looking at CDP from a multi-vendor platform perspective, I realize that
> often beneficial to turn off CDP on interfaces that connect to non-Cisco
> devices. No point in bothering a non-Cisco device with traffic that it
> process. But note, this is not turning off CDP globally per router/switch,
> but rather, disabling on an as-needed basis per interface.
> I'd like to hear other views and I'd appreciate feedback and opinions
> this.
> Thanks,
> -chris

Message Posted at:
FAQ, list archives, and subscription info:
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx