RE: NSA Guidelines and cdp [7:106419] posted 02/02/2006

Being the NSA, the most paranoid (rightfully so) department in the USA,
their guidelines are strictly from a threat mitigation perspective.  In
other words, they put security above all else.  While this paradigm may be
fine in some cases, such as perimeter or other untrusted/less trusted areas,
it is not always a feasible methodology within the Enterprise walls.

In my network, we definitely do take security seriously (healthcare, HIPAA,
etc.) but not to the degree where it prevents us from being efficient and
thorough.  Somewhere in your threat matrix you have to create the line where
high security becomes too cumbersome.  I think CDP within the LAN fits into
this category.  True, you wouldn't want CDP flying around the Internet
segments but within your own walls I believe it is more useful than risky
to enable.  Personally, I use CDP every day in support of my network.  Issue
resolution times would increase considerably without it.


-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of Russ
Sent: Thursday, February 02, 2006 10:26 AM
To: cisco@xxxxxxxxxxxxxx
Subject: NSA Guidelines and cdp [7:106419]

We're doing a sizeable router/switch audit, and I was going through the
NSA's recommendations (available here:

They recommend turning off cdp because it is an unnecessary service that
could possibly be exploited.  I strongly disagree.  I believe cdp is one of
the best troubleshooting tools available.  They also state that the messages
are sent in plain text, and it would give a potential attacker access to
sensitive information such as versions and platforms.

I'm going to have to explain to my manager why I'm disregarding the NSA's
recommendations.  In a few places, we're running Cisco VoIP, so that's easy
justification in those locations.  But otherwise I'm basing my reasoning on
the facts that there currently aren't any cdp related vulnerabilities, nor
could I find any in the past, and as for the clear text stuff, it's already
my job to ensure that the IOS on the devices isn't vulnerable, so even if
they did find out what version of IOS we are running, there shouldn't be any
vulnerabilities anyway...

What are your guys' thoughts on this??  Anything I should add when talking
to my manager??

Russ, CCNP
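As an added example (not code from this thread, Cisco, or the NSA guide), a small Python audit check that applies the reply's distinction to Russ's router/switch audit: it parses an IOS-style running-config, works out each interface's effective CDP state from the global `cdp run`/`no cdp run` setting and any per-interface `no cdp enable`, and flags interfaces whose description marks them as perimeter/untrusted while CDP is still advertised. The sample config and the description keywords used to spot untrusted links are constructed assumptions.

```python
import re

# Constructed sample running-config (not from the thread): CDP stays on
# globally but is switched off on the Internet-facing uplink only.
SAMPLE_CONFIG = """\
hostname core-sw1
cdp run
!
interface GigabitEthernet0/1
 description UPLINK to ISP (untrusted)
 no cdp enable
!
interface GigabitEthernet0/2
 description Server VLAN trunk
!
interface GigabitEthernet0/3
 description DMZ firewall outside (untrusted)
!
"""

# Assumed heuristic: description words that mark a link as perimeter/untrusted.
UNTRUSTED_HINT = re.compile(r"untrusted|external|isp|internet|outside|dmz", re.I)


def cdp_state(config):
    """Map each interface to its effective CDP state ('no cdp run' wins globally)."""
    global_on = "no cdp run" not in config.splitlines()
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = {"cdp": global_on, "desc": ""}
        elif current and line.startswith(" "):
            cmd = line.strip()
            if cmd == "no cdp enable":
                result[current]["cdp"] = False
            elif cmd == "cdp enable":  # cannot override a global 'no cdp run'
                result[current]["cdp"] = global_on
            elif cmd.startswith("description "):
                result[current]["desc"] = cmd[len("description "):]
        elif line.strip() == "!":  # end of the interface stanza
            current = None
    return result


def cdp_findings(config):
    """Interfaces that still advertise CDP although described as untrusted."""
    return sorted(name for name, st in cdp_state(config).items()
                  if st["cdp"] and UNTRUSTED_HINT.search(st["desc"]))
```

Running `cdp_findings(SAMPLE_CONFIG)` reports only `GigabitEthernet0/3`, the perimeter link that was never given `no cdp enable`, while the internal trunk is left alone as the reply suggests.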
